
Re: question on having . as LOAD_PATH (ruby)



* Junichi Uekawa:

> Hi perl and python people,
>
> Sorry for the crosspost; contrary to what's said in perl-policy and
> python-policy, '.' seems to be included in module search-path.  I find
> it uneasy considering we have quite a few tools running as root. Is
> this intentional or unintentional?

One more data point: when running with taint checks enabled, perl
drops "." from the library path.  So it seems it's not directly
exploitable with suidperl (unless suidperl invokes further perl
scripts without changing the current directory).

I consider this a security bug, but fixing it (by removing the current
directory from the load path) requires *extensive* testing and will
likely break existing installations. 8-(
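The hazard under discussion, a relative entry such as "." or "" in the module search path, can be audited mechanically. The following is an added example, not code from this mail or from any of the interpreters' own tooling: it flags relative entries and directories writable by other users in a search-path list, and applies the hardening that perl's taint mode applies to "." to the whole list; the sample entries and temporary directories are constructed for the demonstration.

```python
import os
import stat
import sys
import tempfile

def relative_entries(path_entries):
    """Entries that resolve against the current working directory: '' and
    '.' (the case raised in the thread) plus any other relative path."""
    return [p for p in path_entries if not os.path.isabs(p)]

def writable_by_others(path_entries):
    """Existing absolute directories that are group- or world-writable and
    lack the sticky bit: another user could drop a module file there."""
    flagged = []
    for p in path_entries:
        if not os.path.isabs(p) or not os.path.isdir(p):
            continue
        mode = os.stat(p).st_mode
        if mode & (stat.S_IWGRP | stat.S_IWOTH) and not mode & stat.S_ISVTX:
            flagged.append(p)
    return flagged

def harden(path_entries):
    """Keep only absolute entries, in order, without duplicates; this is the
    effect perl -T has on '.' in @INC, applied to every relative entry."""
    seen, kept = set(), []
    for p in path_entries:
        if os.path.isabs(p) and p not in seen:
            seen.add(p)
            kept.append(p)
    return kept

def demo():
    """Audit a constructed search path: two temp dirs (one world-writable,
    one sticky like /tmp), a library dir, and '.', '' and 'lib' entries."""
    loose = tempfile.mkdtemp()
    sticky = tempfile.mkdtemp()
    os.chmod(loose, 0o777)    # constructed: writable by anyone, no sticky bit
    os.chmod(sticky, 0o1777)  # constructed: /tmp-style, sticky bit set
    sample = ["/usr/lib/ruby/1.8", loose, sticky, ".", "", "lib"]
    return {"relative": relative_entries(sample),
            "others_writable": writable_by_others(sample),
            "hardened": harden(sample)}

if __name__ == "__main__":
    print(demo())
    # The same audit on the interpreter running this script.
    print("relative entries in sys.path:", relative_entries(sys.path))
```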
