PerlMonks  

RE: Re: How do I execute as root?

by Kurious (Novice)
on Nov 14, 2000 at 01:06 UTC (#41430=note)


in reply to Re: How do I execute as root?
in thread How do I execute as root?

Thank you for your quick reply. However, I'm new to Perl and Unix for that matter. Please elaborate or point me in the right direction for "taint-checking" and what type of sanity checking to do on the $USER variable.

Just,
Kurious

Replies are listed 'Best First'.
RE: RE: Re: How do I execute as root?
by Fastolfe (Vicar) on Nov 14, 2000 at 01:09 UTC
    Check out perlsec, which explains it all. Basically, since you'll be running this as root (with information that is supplied by the user), you need to be certain $USER doesn't contain any evil or harmful characters. If you let the user specify a username of, like, "../../bin", you'd be creating directories and things in very bad places. A simple sanity check should suffice:
    ($USER) = $cgi->param('user') =~ /(\w+)/;
    This would only permit normal alphanumeric characters into $USER, and un-taint it in the process. With taint-checking enabled (-T), Perl will die before letting you use arbitrary user-supplied (or potentially unsafe) information in any critical system calls (like chdir, unlink, open, etc.). Update: Other posts below advocate using a separate script to perform the actual updates as root, and I agree with them 100%. It's infinitely more secure if you keep the user from interacting directly with a setuid script at all. A buffer (in the form of semaphore files or a socket connection) is a better solution to your problem.
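An added example (not Fastolfe's code) that runs the posted one-liner and an anchored whole-string match side by side under taint mode; `untaint_loose`, `untaint_strict` and the sample inputs are constructed for illustration, and the script must be started with `perl -T`.

```perl
#!/usr/bin/perl -T
# Added example: compare the loose untaint from the reply above with an
# anchored whole-string check, under taint mode. Run as: perl -T untaint.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Loose version, as posted in the reply: the first run of \w characters is
# extracted and everything else is silently dropped, so "../../bin" becomes
# "bin" and "bob; rm -rf /" becomes "bob" instead of being rejected.
sub untaint_loose {
    my ($input) = @_;
    my ($user) = $input =~ /(\w+)/;
    return $user;
}

# Stricter version (constructed for this example): \A ... \z forces the whole
# value to match a conservative username grammar, so anything else yields
# undef and the caller can refuse the request rather than proceed.
sub untaint_strict {
    my ($input) = @_;
    return undef unless defined $input;
    my ($user) = $input =~ /\A([a-z_][a-z0-9_-]{0,31})\z/;
    return $user;
}

# Constructed samples standing in for $cgi->param('user'). %ENV is tainted
# under -T, so an empty slice of $ENV{PATH} taints each sample the way real
# CGI input would be tainted.
my $taint_source = substr($ENV{PATH} // '', 0, 0);
my @samples = ('alice', '../../bin', 'bob; rm -rf /', '');

for my $raw (@samples) {
    my $tainted = $raw . $taint_source;
    my $loose   = untaint_loose($tainted);
    my $strict  = untaint_strict($tainted);
    printf "%-18s loose=%-6s strict=%-6s tainted_in=%d tainted_loose=%d\n",
        "'$raw'",
        defined $loose  ? $loose  : 'undef',
        defined $strict ? $strict : 'undef',
        tainted($tainted) ? 1 : 0,
        (defined $loose && tainted($loose)) ? 1 : 0;
}
```

Both regexes clear the taint flag (the capture is always untainted), which is exactly why the pattern itself must be the real check; the anchored form turns the untaint step into an accept-or-reject decision.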
RE: RE: Re: How do I execute as root?
by arturo (Vicar) on Nov 14, 2000 at 01:11 UTC

    The main perl documentation on taint checking is IIRC in perlrun {my $update = "d'oh ... no it isn't. Fastolfe's right ... but there is some info on -T in this page" }.

    Our own Ovid is currently writing a CGI scripting tutorial, which has some info on security. Try also searching on "taint mode" and "CGI security" and the like on this site to see the fossilized ... err, collected wisdom monks have offered so far.

    Happy coding!

    Philosophy can be made out of anything. Or less -- Jerry A. Fodor
