Re: Fwd: Re: Secure perl build
From: Lasse Makholm
Date: January 11, 2016 20:53
Subject: Re: Fwd: Re: Secure perl build
Message ID: CAB7pA087MfUSNstDoze894-4mG6GpHpoLKUSmBg-c4Rdre4vHw@mail.gmail.com

On 11 January 2016 at 19:36, Craig A. Berry <craig.a.berry@gmail.com> wrote:
>
>
> On Sun, Jan 10, 2016 at 9:14 AM, T.N.C.Parthasarathy <tncps@hotmail.com>
> wrote:
>>
>> Hi,
>>
>> Happy New Year!
>>
>> Could anybody throw some light on my query?
>>
>
> "without any file system access" doesn't sound plausible to me. Perl relies
> on loading scripts and libraries (even pragmas) from the file system. You
> could theoretically make a highly customized fork that didn't, but I doubt
> it would be very useful.

Further, pretty much everything (including libc) in Unix-based
operating systems relies on some amount of filesystem access (e.g.
opening /dev/null). File system access is pretty fundamental to the
way Unix works. If you're looking for ways of running perl securely,
you're much better off looking at more generic ways of containing
processes, such as chroot, LXC or full-blown virtual machines.

This seems like a decent primer on containers:
http://compositecode.com/2013/11/18/linux-containers-windows-containers-lxc-freebsd-jails-vserver/

I would trust any of the generic, battle-tested containment solutions
over a custom build of Perl any day.

/L

>
> Disabling certain extensions at configuration time is covered in the INSTALL
> document at the top level of the source repository. See:
>
> <http://perl5.git.perl.org/perl.git/blob/HEAD:/INSTALL#l1004>
>
>>>
>>> On Saturday 17 October 2015 11:34 AM, T.N.C.Parthasarathy wrote:
>>>
>>> Larry,
>>>
>>> Greetings.
>>>
>>>
>>> I am looking for a secure perl build on Linux i.e. especially without
>>> any file system access. I have searched the web and come across many
>>> articles on secure perl programming, CGI, mod perl etc. But I could not find
>>> any information on building perl with some modules disabled eg. through
>>> configure utility.
>>>
>>> I would really appreciate any pointers in this direction.
>>>
>>> Thanks and best regards,
>>> Partha
>>> Hyderabad, India.
>>>
>>>
>>>
>>
>>
>