PerlMonks  

"Don't try this at home"

by ferrency (Deacon)
on Sep 11, 2002 at 18:32 UTC ( #197030=monkdiscuss )

A monk was recently asking the Chatterbox population how to get their adduser command to work correctly, and provided a code snippet similar to this:

    system("adduser $username -c $realname");

In an attempt to provide a blatantly obvious example of why that code should be considered a Bad Thing (tm), I foolishly answered:

    $realname = "bob; rm -r /";
    system("adduser $username -c $realname");

Luckily, the pandemonium that ensued turned out to be a joke at my expense. But the lessons learned are real:

  1. "Blatantly obvious" isn't, in the chatterbox. The person reading your chats or posts might not understand you're kidding.
  2. If you post code, there's always a chance, no matter how small, that someone will run it. As root. On a production server. At 5pm on a Friday afternoon before a long weekend, when you're manning the pager. So don't post code that you don't want people to run, even if it's completely obvious that you don't want people to run it (see #1).
  3. Don't run code that you don't understand. This can be a bit tricky when obfuscation is involved.
  4. If you "have" to run code that you don't understand, at least don't run it as root.
Alan
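
An added example, not part of ferrency's post or of the thread: the call from the post in its single-string form, which Perl hands to /bin/sh, beside the list form of system, which runs the program directly with one argv entry per element. The helper adduser_args, its allowlist patterns and length limits, the constructed inputs and the printf stand-in for adduser are assumptions made for the demonstration; the injected command is a harmless echo.

```perl
#!/usr/bin/perl
use strict;
use warnings;
$| = 1;    # keep our output ordered with the child processes' output

# Hypothetical helper: validate both fields against an allowlist and return
# the arguments in the order used in the post (username, -c, realname).
# The patterns and length limits are assumptions, not adduser's own rules.
sub adduser_args {
    my ($username, $realname) = @_;
    # No leading '-', so the name can never be parsed as an option.
    $username =~ /\A[a-z_][a-z0-9_-]{0,31}\z/
        or die "rejected username\n";
    # The comment ends up in a colon-delimited passwd field: refuse ':'
    # and control characters (newline included).
    $realname =~ /\A[^:[:cntrl:]]{1,100}\z/
        or die "rejected real name\n";
    return ($username, '-c', $realname);
}

# Constructed inputs. The injected command is a harmless echo.
my $username = 'bob';
my $realname = 'Bob Example; echo INJECTED';

# Stand-in for adduser so no account is touched: printf prints each
# argument it receives in brackets, one per line.
print "single string, parsed by /bin/sh:\n";
system("printf '[%s]\\n' $username -c $realname");

# With more than one element, system() never starts a shell, so ';' and
# the spaces stay inside a single argument.
print "list form, no shell involved:\n";
system('printf', '[%s]\n', adduser_args($username, $realname)) == 0
    or die "command failed: $?\n";

# The allowlist refuses a username that looks like an option.
my $ok = eval { adduser_args('-o', 'x'); 1 };
print "option-like username: ", ($ok ? "accepted\n" : "refused ($@)");
```

The real name passes validation even though it contains `;`, because in the list form shell metacharacters are ordinary data; the allowlist guards the things the list form cannot, such as option-like usernames and field delimiters.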

Missing paralinguistics considered harmful
by jkahn (Friar) on Sep 11, 2002 at 18:54 UTC
    Bravo, ferrency.

    Chat, in general, tends to have very limited additional paralinguistics (tone of voice, facial expression, body posture) and at the risk of belittling other users' intelligence, I generally try to express my opinion with words rather than ironic pose.
    That's actually quite different from the way most of us speak (er, like on the phone or in person), and it's nice to see some discussion around that.

    My jottings during that same discussion include the following notes (consider these perhaps Apocrypha to go with ferrency's Scripture, and note that they are loosely based on decent rules for a school prank):

    1. Thou shalt identify Irony with Emotive Symbols, with "j/k", or with the Emotive Tags <irony></irony>.
    2. When demonstrating how Code can be Abused, thou shalt demonstrate Abuse by Embarrassment, and not Abuse by Destruction.
    3. If Thou be a Scourge to the Newbies, thou shalt bring Confusion and Disarray but bring not Destruction nor Mayhem.
Re: "Don't try this at home"
by samurai (Monk) on Sep 11, 2002 at 18:57 UTC
    ... *goes back and scrubs all CB code from apps*

    Maybe a Surgeon General's warning? Cutting and pasting code from the ChatBox may be hazardous to your resume.

Re: "Don't try this at home"
by sauoq (Abbot) on Sep 11, 2002 at 20:18 UTC

    This advice dovetails nicely with the point you were trying to make in the chatterbox in the first place. Namely, that the mechanisms by which untrusted code can be introduced to your system are wide and varied and sometimes subtle.

    ++ferrency Thank you for the reminder.

    -sauoq
    "My two cents aren't worth a dime.";
    
Re: "Don't try this at home"
by blakem (Monsignor) on Sep 11, 2002 at 22:12 UTC
    Good points... I have a special user setup for the sole purpose of playing with obfu code. The user has minimal privileges which protects me somewhat against an anonymonk posting malicious code.

    -Blake

Re: "Don't try this at home"
by charnos (Friar) on Sep 12, 2002 at 12:57 UTC
    That makes me curious, did the user (this node?) actually run your code as root on his system?
    Otherwise, ++ferrency, these are excellent observations, useful to both new users and elder monks alike. It always should be remembered that not all are blessed with the sense of humor we monks share. ;)
      Luckily, the user did not actually run my code. But for a while he had everyone in the chatterbox thinking he did. "I tried what you said and now my computer won't boot. What do I do next?"

      There seem to be a lot of questions recently in the Chatterbox about "How can I run adduser to create a unix account in my CGI script?" Personally, I think that if someone can't figure out how to do this at all, they certainly aren't going to figure out how to do it securely if I just spoon feed them the answer. And any Right Answer other than "Just Don't" is too long to fit in a chatterbox response.

      Alan

Re: "Don't try this at home"
by George_Sherston (Vicar) on Sep 12, 2002 at 14:36 UTC
    This was interesting and useful and confirmed my personal rule, as someone who knows next to nothing about Unix and sysadmining:

    whenever I think I need to use system I should always go to CPAN and find the module that does what I want instead.

    For me it's worth the learning curve and the memory overhead even for just a single usage, to have these questions handled by someone who understands the pitfalls better than I do.

    George Sherston
Re: "Don't try this at home"
by Jeppe (Monk) on Sep 12, 2002 at 17:23 UTC
    How about someone created a new standard harmless app that ridiculed the end user for having run it? It would be a nice, standardized and harmless way of demonstrating to someone the insecurity of their code (at least in some situations).
      while(1){system("printf '\a'")};

      or..

      for(1..10000){print "ha\a"};
Re: "Don't try this at home"
by Anonymous Monk on Sep 17, 2002 at 16:13 UTC

    (apologies for mistakes; I have to leave in a hurry and re-read atm.)

    Based on the replies so far, this post isn't going to get very many upvotes. But: ferrency's points strike me as sounding good on the surface, but really counterproductive and pretty much impossible to actually follow.

    Blatantly obvious isn't, in the chatterbox. The person reading your chats or posts might not understand you're kidding.

    So, what are you saying here? Label all jokes as *** JOKE ***? Don't make any jokes at all? Make sure that all your jokes are clean, healthy, and couldn't possibly cause anyone any damage? (Is that possible?)

    If you post code, there's always a chance, no matter how small, that someone will run it. As root. On a production server. At 5pm on a Friday afternoon before a long weekend, when you're manning the pager.

    Right! Of course there is! In fact, it's probably the reason you've got a pager in the first place - because there's a high likelihood that at some point in the future, someone is going to mess up and break things.

    So don't post code that you don't want people to run, even if it's completely obvious that you don't want people to run it (see #1).

    What, don't post code that shouldn't be run even as an example? Or as a joke? What about if someone says "what would be a bad way to do this?"? Because even then there's a chance that, say, someone will only catch the last half of the conversation and misinterpret things. Does that mean the conversation shouldn't have happened in the first place?

    Don't run code that you don't understand.

    Does that include modules? Code you're trying to debug? Do you mean just perl, or any language? Should you avoid running code you don't understand when trying to learn perl? What about compiled code?

    This can be a bit tricky when obfuscation is involved.

    From Webster's Revised Unabridged Dictionary (1913) :

    Obfuscate \Ob*fus"cate\, v. t. [imp. & p. p. Obfuscated; p. pr. & vb. n. Obfuscating.] To darken; to obscure; to becloud; hence, to confuse; to bewilder.

    Any code that you don't understand - code that confuses or bewilders you - is obfuscated by definition. I'm sure you meant intentionally obfuscated, but does it make much difference to the beclouded user?

    There is a valid side to your points, though: basically, "be careful". But being careful should mean expecting errors and being prepared for them: setting yourself up in a safe environment where it's OK to break things - in fact, where breaking things is good, because you'll hopefully learn something in the process. Trying to ensure everything you do and say is foolproof, even at the cost of humour and the possibility of learning through trial and error, is the wrong way to go about things.

    Besides, your example wouldn't have worked. rm would have balked at the -c. And even if it had worked, aren't you already breaking your first two rules? :)

      And even if it had worked, aren't you already breaking your first two rules? :)

      The whole point was that I only realized these guidelines (maybe "rule of thumb" sounds too much like an edict to some people) after I was convinced that this person had just deleted their root filesystem.

      Besides, your example wouldn't have worked. rm would have balked at the -c.

      The -c was a switch to the adduser command, not to the rm command, if you reread the original code.

      You're right, my whole post can probably be boiled down to "be careful." I didn't intend to say "never make a joke," I intended to say, "don't make a joke if you Know it may cause irreversible harm to someone." There are lines that can be drawn between acceptable and unacceptable behavior, though they aren't always very clear. I believe I may have crossed the line in this case.

      Alan

        To be honest, I've been watching this thread from the sidelines and wondering what to say. If someone has no clue that rm -rf / means tabula rasa, should they have root on a production server in the first place?

        I understand what you're trying to say, and I respect the intent, but I think your appeal is misguided. I can't help feeling like it's just political correctness in a different context, an attempt to offer a safe and wholesome experience for the whole family. Ultimately, that is an exercise in absurdity.

        Where do you draw the line? Should the rm command print a WARNING: this command may cause loss of data. Are you really sure you want to proceed?[n] ? No amount of disclaimers can ever be a substitute for a healthy dose of common sense.

        Update: I feel I have to add what I just figured out was the reason that this thread irked me - the whole thing erupted out of what amounted to a practical joke at ferrency's expense rather than an actual disaster. So while I can understand the shock, there doesn't seem to be any actual evidence.

        Makeshifts last the longest.

        I stand in complete defense of ferrency who has taken the high road during this whole situation. He could have had a snooze-you-lose attitude toward whom he was trying to help, but he didn't. The guidelines he proposes are as much to protect the person acting as 'mentor' as to protect the person being helped. As a bystander, I remember being glued to the CB with a sense of total awe and sinking disbelief while the (newly enrolled) monk he was helping said, 'umm, now the box won't reboot.' I can only imagine what ferrency was feeling. I would hate to ever be on either end of that situation. That's the wisdom in his guidelines.

Node Type: monkdiscuss [id://197030]
Approved by Aristotle
Front-paged by ehdonhon