Beefy Boxes and Bandwidth Generously Provided by pair Networks
Syntactic Confectionery Delight
 
PerlMonks  

Re: How to answer "Perl is not secure" objections?

by Joost (Canon)
on Sep 06, 2007 at 18:29 UTC ( #637498=note: print w/ replies, xml ) Need Help??


in reply to How to answer "Perl is not secure" objections?

'Perl has bindings into OS calls that bypass OS security'.

The only way I can read that is as "our OS is insecure".

Either there are legitimate bindings in the OS to bypass normal security for good reasons, and those hooks have the usual protection (i.e. you need to be root / of a specific group to call them), or there are hooks in the OS that just break security and it doesn't matter what language you're using - you could probably break them using a shell script.


Comment on Re: How to answer "Perl is not secure" objections?
Re^2: How to answer "Perl is not secure" objections?
by grinder (Bishop) on Sep 07, 2007 at 07:19 UTC
    'Perl has bindings into OS calls that bypass OS security'.
    The only way I can read that is as "our OS is insecure".

    Quite. For instance, I wrote BSD::Sysctl, a module to allow you to manipulate FreeBSD sysctl kernel variables. If you're an ordinary user, you can only read the values. If you try to set a value... nothing happens (apart from an error condition returned by the kernel system call).

    You have to have superuser privileges in order to change a variable. So if you're already root, everything becomes insecure!.

    I'm sure if someone figured out how to set sysctl variables as an ordinary user in Perl, that the technique used would be completely language-independent (that is, the result of an exposed flaw in the OS).

    • another intruder with the mooring in the heart of the Perl

Re^2: How to answer "Perl is not secure" objections?
by Cop on Oct 17, 2007 at 02:24 UTC

    You didn't understand the sentence you quoted, not at all, and your own first sentence has absolutely no logic.

    You assumed that OS is one thing, which is a bad assumption. Then you reasoned: if it is not secure to call A, then A is not secure.

    The fact is that OS is not one thing, it is many things - many layers. It is insecure to call layer B if you bypass layer A that was supposed to provide security.

    read my oppinion that I just provided as reply to one of tilly's post... really people should learn some philosophy and logic.

      You didn't understand the sentence you quoted, not at all, and your own first sentence has absolutely no logic.
      I disagree.
      You assumed that OS is one thing, which is a bad assumption. Then you reasoned: if it is not secure to call A, then A is not secure.
      I still do, and here's why: From the point of view of an application programming language, the OS is - more or less - a black box that provides services.

      The quote was 'Perl has bindings into OS calls that bypass OS security'.

      Now, there are calls in every OS that bypass 'normal' security protocols, but it's up to the OS to make sure that the application calling those hooks have the appropriate permissions to do so. For instance, a user on unix can create a file/tree that no other user can read or modify. The exception is, that processes running as root can. That is not 'bypassing security', that's providing exceptions to the normal protocol for system administration purposes.

      If there was a way for a normal user to modify another user's files (again, given restricted rwx permissions) that would be 'bypassing security'. It would also be bug in the OS and not any kind of problem with the programming language that exploits the bug.

      The fact is that OS is not one thing, it is many things - many layers. It is insecure to call layer B if you bypass layer A that was supposed to provide security.
      Again, if the OS is supposed to provide that security under certain conditions, it should make sure that that security is provided under those conditions. The OS should not blindly trust a program without elevated permissions to do the right thing, it should enforce its policies.

      read my oppinion that I just provided as reply to one of tilly's post...
      I would if I could find it.
      really people should learn some philosophy and logic.
      I have. If you want to convince me of your opinion, please explain your standpoint, because just asserting that I'm wrong and undereducated isn't going to convince me - and it's rude.

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://637498]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others perusing the Monastery: (11)
As of 2014-07-11 04:02 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    When choosing user names for websites, I prefer to use:








    Results (218 votes), past polls