PerlMonks  

Re^4: Dangerous diamonds! (races)

by tye (Cardinal)
on May 22, 2003 at 06:31 UTC (#259992=note)


in reply to Re: Re^2: Dangerous diamonds! (races)
in thread Dangerous diamonds!

Let me preface this by saying that most of this isn't very important. Most is arguing fine lines and grey areas and so it isn't anything for anyone to get upset about. I wanted to try to clarify a bit. Skip to the last two paragraphs if you are somehow reading this but don't care about minor details. (:

How do you suppose user blackhat will manage to predict

As I said, I don't have a plausible exploit handy. It was a 15-second demonstration of the race condition. Maybe he does something so low-tech as to peek over the cubicle wall.

But I still consider "check what files are there before you use 'perl -ne ... *' as root" to be pretty poor advice. Just don't use 'perl -ne ... *' as root until the problem is fixed (and check that root isn't using any Perl tools that use <> somewhere inside).

I can imagine the poor slob fixing his cron job to check for bad file names before running pgrep (as opposed to filtering out bad file names before feeding the filenames to pgrep or just fixing pgrep).

I never said "Perl is a poor tool". I suppose I could have been more precise and said something awkward like... well, something awkward. If you read "it will be sad day when" and think, "Well, nothing happy will happen the entire day of when that happens"? I consider the feature of executing filenames to be a pathetic feature. But big adjectives don't make for eloquent speech.

I guess you are right. I'm saying "CERT advisory" when I'm thinking of a broader concept that includes things like "SANS security alert".

There is no cause for a panic inducing advisory.

I really think "Don't use 'perl -ne ... *' as root" needs to be announced on several security alert streams. I don't think such needs to induce panic. I think it would be somewhat hard to word it so poorly that it would induce panic. *shrug*

The problem is with two-argument open() not just that perl uses it with <>, -p, and such

2-argument open just doesn't bother me near as much. I like to write open FH, "< $file\0" and have been doing that since Perl 4. That is every bit as safe as 3-argument open (if I am to believe the Perl 4 manuals) or the older sysopen. Sure, you can misuse 2-argument open and, as an interface design it affords such misuse and so isn't a great interface design. But I think <> goes a step beyond affording misuse, it makes it trivial to misuse and dang hard to use safely and the unsafe usage doesn't seem useful to me (as open says, the magic nature can be useful by making it easy for users to tell you to get your input from a command instead of a file).

But none of this is that important.

a slow graceful transition from the current default behavior to something sane. That seems to be the direction things are already going.

I hope so. I don't see that yet.

                - tye
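An added illustration of the point argued above (not code from the thread or from tye): a hypothetical classifier that shows, without opening anything, how the magic 2-argument open() behind `<>` would interpret each name a `*` glob could hand it, next to a 3-argument open that treats every name literally. Names in the sample list are constructed.

```perl
#!/usr/bin/perl
# Added example, not from the original post. Shows what the magic
# 2-argument open() used by <> makes of a filename, and the literal
# 3-argument open that a root-run script should use instead.
use strict;
use warnings;

# Classify a name the way 2-argument open() would, WITHOUT opening it.
# 'read' is the only mode in which the name is just a file to read.
sub magic_open_mode {
    my ($name) = @_;
    return 'stdin'             if $name eq '-';
    return 'pipe-to-command'   if $name =~ /^\s*\|/;    # "| cmd" runs cmd
    return 'pipe-from-command' if $name =~ /\|\s*$/;    # "cmd |" runs cmd
    return 'append'            if $name =~ /^\s*\+?>>/; # ">> f" appends to f
    return 'write-truncate'    if $name =~ /^\s*\+?>/;  # "> f" clobbers f
    return 'read-write'        if $name =~ /^\s*\+</;   # "+< f"
    return 'read';                                      # "< f" or plain f
}

# Replacement for "while (<>)": the 3-argument open never parses the
# name, so a file called "| id" or "> log" is simply opened for reading
# (or fails with ENOENT) and nothing is executed or truncated.
sub cat_files_literally {
    my (@names) = @_;
    my $lines = 0;
    for my $name (@names) {
        open my $fh, '<', $name
            or do { warn "skip '$name': $!\n"; next };
        while (my $line = <$fh>) { $lines++; print $line }
        close $fh;
    }
    return $lines;
}

# Constructed sample names, the kind "perl -ne ... *" could expand to.
my @sample = ('notes.txt', '| id', 'id |', '> important.log', '-');
for my $n (@sample) {
    printf "%-18s -> %s\n", "'$n'", magic_open_mode($n);
}

# Real I/O goes only through the literal open. On Perl 5.22 and later the
# <<>> operator gives the ARGV loop the same literal treatment.
cat_files_literally(@ARGV) if @ARGV;
```

Running it with no arguments prints the classification table only; every name except `notes.txt` would be treated as something other than a plain file by the magic open.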


Re: Re^4: Dangerous diamonds! (races)
by sauoq (Abbot) on May 22, 2003 at 08:12 UTC
    I never said "Perl is a poor tool". I suppose I could have been more precise and said something awkward

    I realized what you intended to say after I responded to it. That's why I added the footnote. You stated it well enough; the confusion was mine. I'm sorry I didn't take the time to reword my response there.

    I consider the feature of executing filenames to be a pathetic feature.

    I do agree. I just don't think that the implications are all that serious in reality. From a theoretical standpoint, it's friggin' terrible. But once you take into account how systems are really used, the impact is minimal because it is so impractical to exploit.

    I don't think such needs to induce panic.

    I guess big nouns don't always make for eloquent speech either. Like I said, I do advocate education. I'd prefer a "using perl -ne as root has some security implications you should be aware of" to an absolutist "don't do it" approach though.

    2-argument open just doesn't bother me near as much.

    Really? Now see, that one bothers me a lot more. And for a very simple reason: it has resulted in many more actual serious security vulnerabilities. In theory, it might be less egregious but in practice it has been improperly used by scads of casual programmers who have unwittingly written innumerable remote exploits. And they continue to do so. That's a problem that won't go away until two-argument open does (or is fixed.)

    -sauoq
    "My two cents aren't worth a dime.";
    
      scads of casual programmers who have unwittingly written innumerable remote exploits

      Very good point.

      Part of why <> upsets me more is that the fix is obvious to me and I'm galled by people claiming that it isn't a problem and can't be fixed. My preference would be to immediately change the default behavior under the theory that it fixes more (by far) existing code than it breaks.

      I also see real usefulness in the magical, 2-argument open. Which makes it harder for me to see how to fix the problems with it. And I try not to get upset over complex problems that I don't see clear, non-trade-off solutions for. There are just way too many of those in the world and I prefer not to spend so much of my time being upset.

      But I can certainly appreciate where you are coming from now. (:

                      - tye
