Re: Taint (PL_tainting, SvTAINTED_on, SvTAINTED_off, SvTAINT)

G'day David,

David Landgren wrote:

>> Now let's imagine it's running setuid, and taint-mode is not 
>> automatically
>> enabled.  I can own your machine with:
>>
>>     PERL5LIB=/home/h4x0r/p5lib ./hello.pl
>>
>> The contents of /home/h4x0r/p5lib/strict.pm is left as an exercise for 
>> the
>> reader.
> 
> PERL5LIB is ignored when tainting is active.

My point exactly.  If we don't *always* enable taint-mode when a program is 
running setuid, then I can own your system using PERL5LIB.  Hence, disabling 
taint-mode for setuid programs is not an option.

Cheerio,

	Paul

-- 
Paul Fenwick <pjf@perltraining.com.au> | http://perltraining.com.au/
Director of Training                   | Ph:  +61 3 9354 6001
Perl Training Australia                | Fax: +61 3 9354 2681

• Taint (PL_tainting, SvTAINTED_on, SvTAINTED_off, SvTAINT) by Bram
• Re: Taint (PL_tainting, SvTAINTED_on, SvTAINTED_off, SvTAINT) by Paul Fenwick
• Re: Taint (PL_tainting, SvTAINTED_on, SvTAINTED_off, SvTAINT) by Nicholas Clark
• Re: Taint (PL_tainting, SvTAINTED_on, SvTAINTED_off, SvTAINT) by Paul Fenwick
• Re: Taint (PL_tainting, SvTAINTED_on, SvTAINTED_off, SvTAINT) by Rafael Garcia-Suarez
• Re: Taint (PL_tainting, SvTAINTED_on, SvTAINTED_off, SvTAINT) by Nicholas Clark
• Re: Taint (PL_tainting, SvTAINTED_on, SvTAINTED_off, SvTAINT) by Nicholas Clark
• Re: Taint (PL_tainting, SvTAINTED_on, SvTAINTED_off, SvTAINT) by Paul Fenwick
• Re: Taint (PL_tainting, SvTAINTED_on, SvTAINTED_off, SvTAINT) by Nicholas Clark
• Re: Taint (PL_tainting, SvTAINTED_on, SvTAINTED_off, SvTAINT) by Paul Fenwick
• Re: Taint (PL_tainting, SvTAINTED_on, SvTAINTED_off, SvTAINT) by David Landgren
• Re: Taint (PL_tainting, SvTAINTED_on, SvTAINTED_off, SvTAINT) by Paul Fenwick
• Re: Taint (PL_tainting, SvTAINTED_on, SvTAINTED_off, SvTAINT) by Rick Delaney
• Re: Taint (PL_tainting, SvTAINTED_on, SvTAINTED_off, SvTAINT) by Paul Szabo