Debian Developers, August 2007
suid-perl going away?
| Marc Haber 2007-08-23, 1:30 pm |
| Hi,
from the package description of perl-suid:
| Usage of this program is now strongly deprecated upstream and support
| (along with this package) will probably be removed in 5.10.
What is the current recommended way to run PERL scripts suid?
Please note that I do not want to use sudo on the system in question.
After reading perldoc perlsec, I think that Linux has been pulling the
"hand over the open FD to the interpreter" stunt for years, so that it
is not really vulnerable to the race condition that is commonly stated
as the reason for not allowing suid scripts. So, I expect running perl
scripts suid to be safe on Linux.
Why is perl-suid going away, and how am I supposed to replace its
functionality?
Greetings
Marc
-- 
-------------------------------------- !! No courtesy copies, please !! -----
Marc Haber         |   " Questions are the         | Mail address in header
Mannheim, Germany  |     Beginning of Wisdom "     | http://www.zugschlus.de/
Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834
| Joey Hess 2007-08-23, 1:30 pm |
| Marc Haber wrote:
> What is the current recommended way to run PERL scripts suid?
Ever since that warning was added to perl-suid, many years ago, I've
been writing my own suid wrappers for PERL scripts in C.
> Why is perl-suid going away, and how am I supposed to replace its
> functionality?
Well, it has a history of security holes, many of which can be
attributed to it trying to be a general purpose suid wrapper to a
language with a fairly complex external interface.
Nice thing about writing a special-purpose wrapper instead is it's much
easier to verify that it's secure. Of course the downside is that only
people capable of writing secure C code need apply..
--
see shy jo
| Marc Haber 2007-08-23, 7:22 pm |
| On Thu, 23 Aug 2007 13:26:10 -0400, Joey Hess <joeyh@debian.org>
wrote:
>Of course the downside is that only
>people capable of writing secure C code need apply..
Yes. I am not one of these. Which is why I chose a script language.
I find the idea of removing an existing and working tool quite
disturbing.
Greetings
Marc