Amiga Magazin: Amiga-CD 1996 July

home *** CD-ROM | disk | FTP | other *** search

/ Amiga Magazin: Amiga-CD 1996 July / AMIGA_1996_7.BIN / ausgabe_7_96 / pd-programmierung / perl5_002bin.lha / man / catp / perlsec.0 < prev next >

Wrap

Text File | 1996-03-02 | 15KB | 265 lines

PERLSEC(1) User Contributed Perl Documentation PERLSEC(1) NNNNAAAAMMMMEEEE perlsec - Perl security DDDDEEEESSSSCCCCRRRRIIIIPPPPTTTTIIIIOOOONNNN Perl is designed to make it easy to write secure setuid and setgid scripts. Unlike shells, which are based on multiple substitution passes on each line of the script, Perl uses a more conventional evaluation scheme with fewer hidden "gotchas". Additionally, since the language has more built-in functionality, it has to rely less upon external (and possibly untrustworthy) programs to accomplish its purposes. Beyond the obvious problems that stem from giving special privileges to such flexible systems as scripts, on many operating systems, setuid scripts are inherently insecure right from the start. This is because that between the time that the kernel opens up the file to see what to run, and when the now setuid interpreter it ran turns around and reopens the file so it can interpret it, things may have changed, especially if you have symbolic links on your system. Fortunately, sometimes this kernel "feature" can be disabled. Unfortunately, there are two ways to disable it. The system can simply outlaw scripts with the setuid bit set, which doesn't help much. Alternately, it can simply ignore the setuid bit on scripts. If the latter is true, Perl can emulate the setuid and setgid mechanism when it notices the otherwise useless setuid/gid bits on Perl scripts. It does this via a special executable called ssssuuuuiiiiddddppppeeeerrrrllll that is automatically invoked for you if it's needed. If, however, the kernel setuid script feature isn't disabled, Perl will complain loudly that your setuid script is insecure. You'll need to either disable the kernel setuid script feature, or put a C wrapper around the script. See the program wwwwrrrraaaappppssssuuuuiiiidddd in the _e_g directory of your Perl distribution for how to go about doing this. There are some systems on which setuid scripts are free of this inherent security bug. For example, recent releases of Solaris are like this. On such systems, when the kernel passes the name of the setuid script to open to the interpreter, rather than using a pathname subject to mettling, it instead passes /dev/fd/3. This is a special file already opened on the script, so that there can be no race condition for evil scripts to exploit. On these systems, Perl should be compiled with ----DDDDSSSSEEEETTTTUUUUIIIIDDDD____SSSSCCCCRRRRIIIIPPPPTTTTSSSS____AAAARRRREEEE____SSSSEEEECCCCUUUURRRREEEE____NNNNOOOOWWWW. The CCCCoooonnnnffffiiiigggguuuurrrreeee program that builds Perl tries to figure this out for itself. When executing a setuid script, or when you have turned on 23/Jan/96 perl 5.002 with 1 PERLSEC(1) User Contributed Perl Documentation PERLSEC(1) taint checking explicitly using the ----TTTT flag, Perl takes special precautions to prevent you from falling into any obvious traps. (In some ways, a Perl script is more secure than the corresponding C program.) Any command line argument, environment variable, or input is marked as "tainted", and may not be used, directly or indirectly, in any command that invokes a subshell, or in any command that modifies files, directories, or processes. Any variable that is set within an expression that has previously referenced a tainted value also becomes tainted (even if it is logically impossible for the tainted value to influence the variable). For example: $$$$ffffoooooooo ==== sssshhhhiiiifffftttt;;;; #### $$$$ffffoooooooo iiiissss ttttaaaaiiiinnnntttteeeedddd $$$$bbbbaaaarrrr ==== $$$$ffffoooooooo,,,,''''bbbbaaaarrrr'''';;;; #### $$$$bbbbaaaarrrr iiiissss aaaallllssssoooo ttttaaaaiiiinnnntttteeeedddd $$$$xxxxxxxxxxxx ==== <<<<>>>>;;;; #### TTTTaaaaiiiinnnntttteeeedddd $$$$ppppaaaatttthhhh ==== $$$$EEEENNNNVVVV{{{{''''PPPPAAAATTTTHHHH''''}}}};;;; #### TTTTaaaaiiiinnnntttteeeedddd,,,, bbbbuuuutttt sssseeeeeeee bbbbeeeelllloooowwww $$$$aaaabbbbcccc ==== ''''aaaabbbbcccc'''';;;; #### NNNNooootttt ttttaaaaiiiinnnntttteeeedddd ssssyyyysssstttteeeemmmm """"eeeecccchhhhoooo $$$$ffffoooooooo"""";;;; #### IIIInnnnsssseeeeccccuuuurrrreeee ssssyyyysssstttteeeemmmm """"////bbbbiiiinnnn////eeeecccchhhhoooo"""",,,, $$$$ffffoooooooo;;;; #### SSSSeeeeccccuuuurrrreeee ((((ddddooooeeeessssnnnn''''tttt uuuusssseeee sssshhhh)))) ssssyyyysssstttteeeemmmm """"eeeecccchhhhoooo $$$$bbbbaaaarrrr"""";;;; #### IIIInnnnsssseeeeccccuuuurrrreeee ssssyyyysssstttteeeemmmm """"eeeecccchhhhoooo $$$$aaaabbbbcccc"""";;;; #### IIIInnnnsssseeeeccccuuuurrrreeee uuuunnnnttttiiiillll PPPPAAAATTTTHHHH sssseeeetttt $$$$EEEENNNNVVVV{{{{''''PPPPAAAATTTTHHHH''''}}}} ==== ''''////bbbbiiiinnnn::::////uuuussssrrrr////bbbbiiiinnnn'''';;;; $$$$EEEENNNNVVVV{{{{''''IIIIFFFFSSSS''''}}}} ==== '''''''' iiiiffff $$$$EEEENNNNVVVV{{{{''''IIIIFFFFSSSS''''}}}} nnnneeee '''''''';;;; $$$$ppppaaaatttthhhh ==== $$$$EEEENNNNVVVV{{{{''''PPPPAAAATTTTHHHH''''}}}};;;; #### NNNNooootttt ttttaaaaiiiinnnntttteeeedddd ssssyyyysssstttteeeemmmm """"eeeecccchhhhoooo $$$$aaaabbbbcccc"""";;;; #### IIIIssss sssseeeeccccuuuurrrreeee nnnnoooowwww!!!! ooooppppeeeennnn((((FFFFOOOOOOOO,,,,""""$$$$ffffoooooooo""""))));;;; #### OOOOKKKK ooooppppeeeennnn((((FFFFOOOOOOOO,,,,"""">>>>$$$$ffffoooooooo""""))));;;; #### NNNNooootttt OOOOKKKK ooooppppeeeennnn((((FFFFOOOOOOOO,,,,""""eeeecccchhhhoooo $$$$ffffoooooooo||||""""))));;;; #### NNNNooootttt OOOOKKKK,,,, bbbbuuuutttt............ ooooppppeeeennnn((((FFFFOOOOOOOO,,,,""""----||||"""")))) |||||||| eeeexxxxeeeecccc ''''eeeecccchhhhoooo'''',,,, $$$$ffffoooooooo;;;; #### OOOOKKKK $$$$zzzzzzzzzzzz ==== ````eeeecccchhhhoooo $$$$ffffoooooooo````;;;; #### IIIInnnnsssseeeeccccuuuurrrreeee,,,, zzzzzzzzzzzz ttttaaaaiiiinnnntttteeeedddd uuuunnnnlllliiiinnnnkkkk $$$$aaaabbbbcccc,,,,$$$$ffffoooooooo;;;; #### IIIInnnnsssseeeeccccuuuurrrreeee uuuummmmaaaasssskkkk $$$$ffffoooooooo;;;; #### IIIInnnnsssseeeeccccuuuurrrreeee eeeexxxxeeeecccc """"eeeecccchhhhoooo $$$$ffffoooooooo"""";;;; #### IIIInnnnsssseeeeccccuuuurrrreeee eeeexxxxeeeecccc """"eeeecccchhhhoooo"""",,,, $$$$ffffoooooooo;;;; #### SSSSeeeeccccuuuurrrreeee ((((ddddooooeeeessssnnnn''''tttt uuuusssseeee sssshhhh)))) eeeexxxxeeeecccc """"sssshhhh"""",,,, ''''----cccc'''',,,, $$$$ffffoooooooo;;;; #### CCCCoooonnnnssssiiiiddddeeeerrrreeeedddd sssseeeeccccuuuurrrreeee,,,, aaaallllaaaassss The taintedness is associated with each scalar value, so some elements of an array can be tainted, and others not. If you try to do something insecure, you will get a fatal error saying something like "Insecure dependency" or "Insecure PATH". Note that you can still write an insecure system call or exec, but only by explicitly doing something like the last example above. You can also bypass the tainting mechanism by referencing 23/Jan/96 perl 5.002 with 2 PERLSEC(1) User Contributed Perl Documentation PERLSEC(1) subpatterns--Perl presumes that if you reference a substring using $$$$1111, $$$$2222, etc, you knew what you were doing when you wrote the pattern: $$$$AAAARRRRGGGGVVVV[[[[0000]]]] ====~~~~ ////^^^^----PPPP((((\\\\wwww++++))))$$$$////;;;; $$$$pppprrrriiiinnnntttteeeerrrr ==== $$$$1111;;;; #### NNNNooootttt ttttaaaaiiiinnnntttteeeedddd This is fairly secure since \\\\wwww++++ doesn't match shell metacharacters. Use of ////....++++//// would have been insecure, but Perl doesn't check for that, so you must be careful with your patterns. This is the _O_N_L_Y mechanism for untainting user supplied filenames if you want to do file operations on them (unless you make $$$$>>>> equal to $$$$<<<< ). For "Insecure $$$$EEEENNNNVVVV{PATH}" messages, you need to set $$$$EEEENNNNVVVV{{{{''''PPPPAAAATTTTHHHH''''}}}} to a known value, and each directory in the path must be non-writable by the world. A frequently voiced gripe is that you can get this message even if the pathname to an executable is fully qualified. But Perl can't know that the executable in question isn't going to execute some other program depending on the PATH. It's also possible to get into trouble with other operations that don't care whether they use tainted values. Make judicious use of the file tests in dealing with any user-supplied filenames. When possible, do opens and such after setting $$$$>>>> ==== $$$$<<<<. (Remember group IDs, too!) Perl doesn't prevent you from opening tainted filenames for reading, so be careful what you print out. The tainting mechanism is intended to prevent stupid mistakes, not to remove the need for thought. This gives us a reasonably safe way to open a file or pipe: just reset the id set to the original IDs. Here's a way to do backticks reasonably safely. Notice how the _e_x_e_c_(_) is not called with a string that the shell could expand. By the time we get to the _e_x_e_c_(_), tainting is turned off, however, so be careful what you call and what you pass it. ddddiiiieeee uuuunnnnlllleeeessssssss ddddeeeeffffiiiinnnneeeedddd $$$$ppppiiiidddd ==== ooooppppeeeennnn((((KKKKIIIIDDDD,,,, """"----||||""""))));;;; iiiiffff (((($$$$ppppiiiidddd)))) {{{{ #### ppppaaaarrrreeeennnntttt wwwwhhhhiiiilllleeee ((((<<<<KKKKIIIIDDDD>>>>)))) {{{{ #### ddddoooo ssssoooommmmeeeetttthhhhiiiinnnngggg }}}} cccclllloooosssseeee KKKKIIIIDDDD;;;; }}}} eeeellllsssseeee {{{{ $$$$>>>> ==== $$$$<<<<;;;; $$$$)))) ==== $$$$((((;;;; #### BBBBUUUUGGGG:::: iiiinnnniiiittttggggrrrroooouuuuppppssss(((()))) nnnnooootttt ccccaaaalllllllleeeedddd eeeexxxxeeeecccc ''''pppprrrrooooggggrrrraaaammmm'''',,,, ''''aaaarrrrgggg1111'''',,,, ''''aaaarrrrgggg2222'''';;;; ddddiiiieeee """"ccccaaaannnn''''tttt eeeexxxxeeeecccc pppprrrrooooggggrrrraaaammmm:::: $$$$!!!!"""";;;; }}}} For those even more concerned about safety, see the _S_a_f_e 23/Jan/96 perl 5.002 with 3 PERLSEC(1) User Contributed Perl Documentation PERLSEC(1) and _S_a_f_e _C_G_I modules at a CPAN site near you. See the _p_e_r_l_m_o_d manpage for a list of CPAN sites. 23/Jan/96 perl 5.002 with 4