Perl security
0 views
Skip to first unread message
elsiddik
Dec 16, 2007, 6:32:55 AM12/16/07
to unix
Perl is designed to make it easy to program securely even when running
with extra privileges, like setuid or setgid programs. Unlike most
command line shells, which are based on multiple substitution passes
on each line of the script, Perl uses a more conventional evaluation
scheme with fewer hidden snags. Additionally, because the language has
more builtin functionality, it can rely less upon external (and
possibly untrustworthy) programs to accomplish its purposes.
Perl automatically enables a set of special security checks, called
taint mode, when it detects its program running with differing real
and effective user or group IDs. The setuid bit in Unix permissions is
mode 04000, the setgid bit mode 02000; either or both may be set. You
can also enable taint mode explicitly by using the -T command line
flag. This flag is strongly suggested for server programs and any
program run on behalf of someone else, such as a CGI script. Once
taint mode is on, it's on for the remainder of your script.
While in this mode, Perl takes special precautions called taint checks
to prevent both obvious and subtle traps. Some of these checks are
reasonably simple, such as verifying that path directories aren't
writable by others; careful programmers have always used checks like
these. Other checks, however, are best supported by the language
itself, and it is these checks especially that contribute to making a
set-id Perl program more secure than the corresponding C program.
more on >> http://perldoc.perl.org/perlsec.html
zaher el siddik
http://www.unixshells.nl/
http://elsiddik.blogspot.com/
with extra privileges, like setuid or setgid programs. Unlike most
command line shells, which are based on multiple substitution passes
on each line of the script, Perl uses a more conventional evaluation
scheme with fewer hidden snags. Additionally, because the language has
more builtin functionality, it can rely less upon external (and
possibly untrustworthy) programs to accomplish its purposes.
Perl automatically enables a set of special security checks, called
taint mode, when it detects its program running with differing real
and effective user or group IDs. The setuid bit in Unix permissions is
mode 04000, the setgid bit mode 02000; either or both may be set. You
can also enable taint mode explicitly by using the -T command line
flag. This flag is strongly suggested for server programs and any
program run on behalf of someone else, such as a CGI script. Once
taint mode is on, it's on for the remainder of your script.
While in this mode, Perl takes special precautions called taint checks
to prevent both obvious and subtle traps. Some of these checks are
reasonably simple, such as verifying that path directories aren't
writable by others; careful programmers have always used checks like
these. Other checks, however, are best supported by the language
itself, and it is these checks especially that contribute to making a
set-id Perl program more secure than the corresponding C program.
more on >> http://perldoc.perl.org/perlsec.html
zaher el siddik
http://www.unixshells.nl/
http://elsiddik.blogspot.com/
Reply all
Reply to author
Forward
0 new messages