Re: suidperl goes

From: Paul Fenwick
Date: December 23, 2008 16:21
Subject: Re: suidperl goes
Message ID: 4951808C.5020408@perltraining.com.au

G'day Nicholas / p5p,

Nicholas Clark wrote:

> My impression was that any task you can currently secure with suidperl 
> you could rewrite to secure with sudo.

There are a couple of caveats (you need to have sudo installed, you need to
have access to the sudoers file), but overwhelmingly, yes.  By specifying a
whitelist of commands, sudo also avoids the same setuid script race-conditions.

I assume sudo has the command start with the RUID and EUID set correctly, so
perl can still automatically enable taint mode.  Without taint mode, it's
very easy to escalate privileges with most setuid perl code, but that's
orthogonal to this discussion.

For the places where sudo is not suitable or not available, the C wrapper
works nicely, and has always been recommended over suidperl anyway.

I still have no objections to suidperl going.

Cheerio,

	Paul

-- 
Paul Fenwick <pjf@perltraining.com.au> | http://perltraining.com.au/
Director of Training                   | Ph:  +61 3 9354 6001
Perl Training Australia                | Fax: +61 3 9354 2681
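
A sketch of the kind of C wrapper the message mentions, added here as an example and not taken from the post or from the perl distribution. It goes a little further than a bare exec by pinning the interpreter, `-T` and the script path at compile time and replacing the caller's environment. The two paths and the name `build_argv` are assumptions chosen for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>

/* Hypothetical paths (assumptions): absolute, root-owned, not caller-writable. */
#define PERL_PATH   "/usr/bin/perl"
#define SCRIPT_PATH "/usr/local/libexec/report.pl"
#define MAX_ARGS    32

/* Fixed environment: no caller-supplied PATH, PERL5LIB, PERL5OPT, IFS, ... */
static char *const clean_env[] = { "PATH=/usr/bin:/bin", NULL };

/*
 * Build the argv handed to perl. The interpreter, -T and the script path are
 * constants; the caller's argv[0] is dropped and only argv[1..] is forwarded.
 * -T is passed explicitly so taint mode does not depend on perl noticing that
 * the real and effective IDs differ.
 * Returns the number of arguments written, or -1 if they would not fit.
 */
int build_argv(int argc, char **argv, char **out, size_t cap)
{
    size_t n = 0;

    if (argc < 0 || cap < 4 || (size_t)argc + 3 > cap)
        return -1;
    out[n++] = PERL_PATH;
    out[n++] = "-T";
    out[n++] = SCRIPT_PATH;
    for (int i = 1; i < argc; i++)
        out[n++] = argv[i];
    out[n] = NULL;
    return (int)n;
}

int main(int argc, char **argv)
{
    char *args[MAX_ARGS];

    if (build_argv(argc, argv, args, MAX_ARGS) < 0) {
        fputs("wrapper: too many arguments\n", stderr);
        return 2;
    }
    /* The kernel execs the binary by fixed path, so there is no window in
       which a setuid script file can be swapped between open and run. */
    execve(PERL_PATH, args, clean_env);
    perror("wrapper: execve");   /* reached only if the exec failed */
    return 127;
}
```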
