Re: question on having . as LOAD_PATH (ruby)

To: debian-python@lists.debian.org, debian-perl@lists.debian.org
Cc: debian-security@lists.debian.org
Subject: Re: question on having . as LOAD_PATH (ruby)
From: Junichi Uekawa <dancer@netfort.gr.jp>
Date: Sat, 07 Jan 2006 23:01:10 +0900
Message-id: <[🔎] 87psn4t9w9.dancerj%dancer@netfort.gr.jp>
In-reply-to: <87u0cgtdg7.dancerj%dancer@netfort.gr.jp>
References: <87zmm9l7to.dancerj%dancer@netfort.gr.jp> <20060106152918.GA30615@www.lobefin.net> <87u0cgtdg7.dancerj%dancer@netfort.gr.jp>

Hi perl and pyhton people,

Sorry for the crosspost; contrary to what's said in perl-policy and
python-policy, '.' seems to be included in module search-path.  I find
it uneasy considering we have quite a few tools running as root. Is
this intentional or unintentional?

regards,
	junichi



The following is a full posting I made to debian-security@lists.debian.org:

At Sat, 07 Jan 2006 21:44:24 +0900,
Junichi Uekawa wrote:
> 
> Hi,
> 
> > > Hi,
> > > 
> > > I am wondering what the security implications of having a LOAD_PATH
> > > that includes '.' is.
> > 
> > Gerenally speaking, having . in any path is a bad idea.  You are correct
> > to feel uneasy about it.  Can . not be prepended to the path
> > specifically if desired (as in the shell PATH=.:$PATH)?  If it can, I
> > would suggest a bug filed for removal of . in path, with a README entry
> > detailing how to readd it if you want it.
> 
> Somebody in @jp pointed out to me that perl and python are not much 
> better in this respect, since perl and python do have '.' in their 
> load paths; of course, if @INC is handled properly, it wouldn't be a threat.
> 
> 
> Example of a perl session:
> $ perl -e 'print "@INC\n"'
> /etc/perl /usr/local/lib/perl/5.8.7 /usr/local/share/perl/5.8.7 /usr/lib/perl5 /usr/share/perl5 /usr/lib/perl/5.8 /usr/share/perl/5.8 /usr/local/lib/site_perl .
> 
> 
> 
> [12:50:30]dancer64:tmp> cat a.pl
> #!/usr/bin/perl -w
> 
> BEGIN {
>         eval qq {
>         use XXXX ;
>         };
>         if ($@)
>         {
>                  print STDERR "feature XXXX not available\n" ;
>         }
> }
> [12:50:34]dancer64:tmp> ./a.pl
> feature XXXX not available
> 
> If I have:
> [21:42:25]dancer64:tmp> cat XXXX.pm
> print "r00t!!\n";
> 1;
> [21:42:29]dancer64:tmp> ./a.pl
> r00t!!
> 
> 
> 
> I haven't been able to verify I can exploit it with python, since it seems to be changing behavior when it's not executed as ./XXX:
> 
> [12:39:00]dancer64:tmp> apt-listchanges
> Usage: apt-listchanges [options] {--apt | filename.deb ...}
> [12:39:33]dancer64:tmp> /usr/bin/apt-listchanges
> Usage: apt-listchanges [options] {--apt | filename.deb ...}
> [12:39:08]dancer64:tmp> cp /usr/bin/apt-listchanges .
> [12:39:08]dancer64:tmp> ./apt-listchanges
> hello r00t
> 
> hello r00t
> 
> Traceback (most recent call last):
>   File "./apt-listchanges", line 218, in ?
>     main()
>   File "./apt-listchanges", line 44, in main
>     config = apt_listchanges.Config()
> AttributeError: 'module' object has no attribute 'Config'
> 
> 
> [12:39:10]dancer64:tmp> cat apt_listchanges.py
> print "hello r00t\n"
> 
> [12:39:23]dancer64:tmp> cat apt_pkg.py
> print "hello r00t\n"
> 
> 
> regards,
> 	junichi
> 
> -- 
> dancer@{debian.org,netfort.gr.jp}   Debian Project
> 
> 
> -- 
> To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
>

Reply to:

Follow-Ups:
- Re: question on having . as LOAD_PATH (ruby)
  - From: Florian Weimer <fw@deneb.enyo.de>

Prev by Date: Re: Packages to upload
Next by Date: Re: question on having . as LOAD_PATH (ruby)
Previous by thread: Inst perl-modules (5.8.7-10 Debian:testing) []
Next by thread: Re: question on having . as LOAD_PATH (ruby)
Index(es):
- Date
- Thread