Beefy Boxes and Bandwidth Generously Provided by pair Networks
Perl: the Markov chain saw
 
PerlMonks  

Re: setuid - insecure dependancy with backticked cmd?

by thor (Priest)
on Apr 22, 2006 at 20:08 UTC ( #545077=note: print w/ replies, xml ) Need Help??


in reply to setuid - insecure dependancy with backticked cmd?

To quote perldiag:

Insecure dependency in %s
           (F) You tried to do something that the tainting mechanism didnít like.  The tainting mecha‐
           nism is turned on when youíre running setuid or setgid, or when you specify -T to turn it on
           explicitly.  The tainting mechanism labels all data thatís derived directly or indirectly
           from the user, who is considered to be unworthy of your trust.  If any such data is used in a
           "dangerous" operation, you get this error.  See perlsec for more information.
I don't do a lot with tainting, but if memory serves, you have to explicitly set stuff like $ENV{PATH} to make sure that someone didn't sneak a directory in there that has a command in there called "env" that launches nukes or something. perlsec is recommended reading.

thor

The only easy day was yesterday


Comment on Re: setuid - insecure dependancy with backticked cmd?

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://545077]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others musing on the Monastery: (18)
As of 2015-07-06 18:37 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    The top three priorities of my open tasks are (in descending order of likelihood to be worked on) ...









    Results (80 votes), past polls