Re: suid-perl

To: debian-devel@lists.debian.org
Subject: Re: suid-perl
From: Chip Salzenberg <chip@perlsupport.com>
Date: Sun, 31 Jan 1999 17:46:11 -0500
Message-id: <[🔎] 19990131174610.D16021@perlsupport.com>
In-reply-to: <[🔎] 19990131172423.B5391@frederick.itri.loyola.edu>; from Michael Stone on Sun, Jan 31, 1999 at 05:24:23PM -0500
References: <E1068wg-00016a-00@gatekeeper.bcwhite.ml.org> <[🔎] 19990131004847.A31842@justice.loyola.edu> <[🔎] 19990131140716.C2824@cs.leidenuniv.nl> <[🔎] 19990131101750.A4506@frederick.itri.loyola.edu> <[🔎] 19990131170519.A16021@perlsupport.com> <[🔎] 19990131172423.B5391@frederick.itri.loyola.edu>

According to Michael Stone:
> Quoting Chip Salzenberg (chip@perlsupport.com):
> > According to Michael Stone:
> > > Quoting Wichert Akkerman (wakkerma@cs.leidenuniv.nl):
> > > > What perl-suid should do is check the mountoptions for the filesystem on
> > > > which the script resides and abort if that was mounted with nosuid.
> > > > Should be quite simple actually..
> > > 
> > > But that's still not general enough. For example, you just missed the
> > > case of noexec... The solution should be done at a higher level, IMHO...
> > 
> > Every OS has a different set of mount options that may or may not be
> > relevant to setuid security.  I don't see what 'higher level' would be
> > useful.
> 
> Well, maybe I'm not clear on what you/wichert would do instead. How are
> you going to check this? 

The code exists to check the mount options relevant to an open file.
It's just a Small Matter of Programming to integrate that into the
Perl source code, and disable emultation of setuid scripts when the
'nosuid' mount option is set.

And as for 'noexec', well, it's not relevant to Perl anyway.  (All you
have to do is run "perl scriptname" instead of just "./scriptname".)
Or do you suggest that every single language compiler/interpreter must
check mount options?  Should Java .class files be unusable if they're
on a 'noexec' filesystem?  I don't _think_ so.
-- 
Chip Salzenberg      - a.k.a. -      <chip@perlsupport.com>
      "When do you work?"   "Whenever I'm not busy."

Reply to:

Follow-Ups:
- Re: suid-perl
  - From: Jules Bean <jmlb2@hermes.cam.ac.uk>

References:
- Re: List of bugs that *must* be fixed before releasing Slink
  - From: Michael Stone <mstone@cs.loyola.edu>
- Re: List of bugs that *must* be fixed before releasing Slink
  - From: Wichert Akkerman <wakkerma@cs.leidenuniv.nl>
- Re: List of bugs that *must* be fixed before releasing Slink
  - From: Michael Stone <mstone@itri.loyola.edu>
- Re: suid-perl
  - From: Chip Salzenberg <chip@perlsupport.com>
- Re: suid-perl
  - From: Michael Stone <mstone@itri.loyola.edu>

Prev by Date: Re: suid-perl
Next by Date: Re: Call for mascot! :-)
Previous by thread: Re: suid-perl
Next by thread: Re: suid-perl
Index(es):
- Date
- Thread