PerlMonks  

Perl Security

by ddarby14 (Initiate)
on Feb 06, 2009 at 01:45 UTC (#741767)
ddarby14 has asked for the wisdom of the Perl Monks concerning the following question:

Hi Monks - I'm setting up access for a Perl contractor to help out with the work load and I'm concerned about security and what he has access to. Playing the deviant, I plugged in an OPEN command to read a root-owned file in a root-owned directory elsewhere on the server and was surprised to see that it didn't give me a script error - instead it printed out the file as requested.

Does it make sense that a script running with these permissions, as this apache user, should be able to run an OPEN command to read a root-owned file or directory?

Our Apache 2 server has a test domain with setup as:

SuexecUserGroup        xuser xgroup

The script and its directory both have permissions of 0755, xuser, xgroup.

I appreciate your time and insight to sort this out. Thx!

Re: Perl Security
by jasonk (Parson) on Feb 06, 2009 at 02:17 UTC

    root-owned doesn't mean anything. If the permissions on the file allow it to be read, then it will be read.

    Also, this is an Apache question, or possibly a file permissions question, it isn't even remotely a perl question.


    www.jasonkohles.com
    We're not surrounded, we're in a target-rich environment!
Re: Perl Security
by jethro (Monsignor) on Feb 06, 2009 at 04:04 UTC

    Don't look at the permissions of the script, check the permissions of the file you tried to open. If this file has its read-permission for 'other' (i.e. everyone) set then everyone can read the file.

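As an added illustration, not code posted in this thread, the Perl below mirrors the owner/group/other read check jethro describes: a root-owned file with mode 0644 is readable by the suexec user because of the 'other' read bit, while 0640 is not. The uid 1001 and the two modes are constructed values; `explain_read_access` applies the same check to real paths given on the command line.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Fcntl qw(S_IRUSR S_IRGRP S_IROTH);

# Decide whether a process with effective UID $euid and group list @gids
# may read a file of mode $mode owned by $uid/$gid. This follows the
# classic Unix discretionary check: owner bits if the euid matches,
# else group bits if any group matches, else the 'other' bits.
sub can_read {
    my ($mode, $uid, $gid, $euid, @gids) = @_;
    return 1 if $euid == 0;                                   # root bypasses the check
    return (($mode & S_IRUSR) ? 1 : 0) if $euid == $uid;      # owner
    return (($mode & S_IRGRP) ? 1 : 0) if grep { $_ == $gid } @gids;  # group
    return  ($mode & S_IROTH) ? 1 : 0;                        # other (everyone else)
}

# Report, for a real path, which permission class the current process
# (e.g. the suexec'd xuser) falls into and whether it may read the file.
sub explain_read_access {
    my ($path) = @_;
    my @st = stat($path) or return "$path: cannot stat ($!)\n";
    my ($mode, $uid, $gid) = @st[2, 4, 5];
    my $perm = $mode & 07777;                 # strip file-type bits
    my @gids = split ' ', $);                 # effective gid plus supplementary groups
    my $who  = $> == $uid                    ? 'owner'
             : (grep { $_ == $gid } @gids)   ? 'group'
             :                                 'other';
    my $ok = can_read($perm, $uid, $gid, $>, @gids);
    return sprintf "%s: mode %04o uid %d gid %d; euid %d checked as '%s' => %s\n",
        $path, $perm, $uid, $gid, $>, $who, $ok ? 'READABLE' : 'denied';
}

# Constructed cases: a root-owned file (uid 0, gid 0) seen by unprivileged euid 1001.
# 0644: the 'other' read bit grants access; who owns the file is irrelevant.
print "0644 root-owned file: ", can_read(0644, 0, 0, 1001, 1001) ? "readable\n" : "denied\n";
# 0640: no 'other' read bit, so the same script is denied.
print "0640 root-owned file: ", can_read(0640, 0, 0, 1001, 1001) ? "readable\n" : "denied\n";

print explain_read_access($_) for @ARGV;
```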