There are a few weirdos out there who get a kick out of obliterating other folks' data. Sometimes exceedingly bright people commit the most idiotic acts. Chances are that you'll not get hit, but a few precautionary steps will not hurt. If you are a system administrator for a large institution or university, your job is especially hard. The greater the number of users on your system, the more likely you are to find someone attempting to break into your system.
Please check the references at the end of this chapter for books with more information about keeping your site secure. More problems exist with C programs, daemons, and so on with buffer overruns. Some reported problems even include harmful results such as wiping a disk clean when you download a PostScript file. The offending commands were part of a buffer overrun in his PostScript viewer. I will get off the soapbox now. Setuid Scripts A setuid script runs at the level of the owner, not the calling program. In other words, if a script has its suid bit set, it runs as root, even if it is being called by a non-root program.
In almost all cases, setuid scripts are bad news, a big security hole, and potentially dangerous for your system. Most administrators write setuid scripts when they want to grant limited access to secure files or devices. In most cases, these scripts are not necessary, and in my humble opinion, should be written as compiled programs. Calling scripts from within programs running as root is a very big security hole in any system. For example, let's say a program running as root calls a Perl script called diskme.
When the program running as root executes diskme. If the diskme. When the original root program calls diskme. One common way to avoid problems like this one is to use absolute pathnames instead of relative pathnames. Using relative pathnames opens your setuid script to unsafe links to rogue files. An absolute path defines a complete path to the executable program. Thus, it uses a path relative to its current location. It would be easy to move the privileged program that calls the test. Now the privileged program will call my version of test.
Another route to take for security reasons is to minimize the time required to be root. Just because your script has to access some portions of some data as root does not mean that the entire application has to run as root. Just make a small, difficult-to-alter Perl script that runs as root and leave the rest in an unprivileged script.
Let me reiterate once more: setuid scripts are insecure. Regardless of how many precautions you take, having a Perl script that may be influenced by its environment is asking for trouble. If you can avoid writing setuid scripts, do so.
Perl inherently has more features than most shells such as Bourne, Korn, or Bash. Network, file system manipulation and binary file access features built into Perl have to be mimicked through the use of other external programs in shell scripts. When the setuid shell calls these external programs, they are opened to potential problems because external programs can be replaced with less secure imitations.
Perl does not use such external programs because the features required by Perl are built into itself.
Perl | Security Issues in CGI
This would lead you to think that Perl scripts are more secure than shell scripts. On the contrary, Perl is not as secure as you think it is. Read on. First of all, use the use strict; statement whenever possible in your Perl scripts. Using the strict pragma forces Perl to do strict type checking, prevents strings from becoming variables, and points out any dangling variables. Using strict forces you to use the my keyword when declaring local variables. This, in turn, limits the scope of declared variables from being destroyed accidentally by other subroutines in the system. Even without strict type checking, the Perl interpreter is more efficient and security conscious than a shell.
Shell script lines are parsed more times per line than are lines of code in a Perl script. Perl code can be further tightened to check for potential problems or funny use of references by enabling the -w switch at the command line for the Perl interpreter. The -w switch turns on warnings. Perl also supports the use of and recognizes "tainted" variables. In Perl, any command-line argument, environment variable, or input explicitly marked as tainted will not be used in subshells.
Tainted variables cannot be used in any commands that modify the file and dir-ectory structure on the client on which the application happens to be running. In fact, if a new value is derived from a tainted value, the new value is also marked as tainted. This way tainted variables cannot create a non-tainted variable.
Once a bad egg, always a bad egg! No mercy here. Also, the "taintedness" of a variable is applied on a Perl scalar basis.
Arrays and hashes can contain both tainted and untainted variables at one time. Perl checks for improper use of tainted variables if the -T flag is set. So when in doubt, run with the -T option. Your header comment line will then look like this:! If you answer even one yes to any of the following questions, the variable is most likely tainted: Was this variable passed in from the command line?
Was this variable set to a value passed in from the command line? Is this value read directly from the command line or a file handle?
Is this value read directly from an environment variable? Is this variable set from a variable whose value was read directly from the command line or a file handle? Has the PATH been set to a known value before this value was set? Was an external program used in determining the value of this variable? Was there any system call to unlink , umask , or overwrite files?
Was there any complete command between single quotes? As you begin to use Perl scripts, you can see how variables can be tainted and how system files can be corrupted by using potentially dangerous variable paths. Of course, testing and being a little on the paranoid side does help in flushing out security holes.
Ask yourself this question when testing scripts for security violations: If I were a hacker, is there any way I can use this script to break into my system? Some Tips on Making Scripts Secure The first thing to do when making a Perl script secure is to set the effective user and group id s to the same as the real user and group id s of the process. The IFS field is set to a null value to prevent any misuse of inter-field characters. Another thing to do is to explicitly create your own strings rather than use strings expanded by the shell.
If you are making a call to exec , pass each argument explicitly, not as a complete string that could have been tainted by the caller's shell program.
Preventing Cross-site Scripting Attacks
For example, avoid the use of a statement like this: exec 'myprog arglist'; Instead, use statements like this one: exec 'myprog', 'arg1', 'arg2', 'arg3'; This prevents someone from sending more than one argument to a program. The seemingly safe line to get man pages via HTML pages can be exploited, too. Check to see whether the filename has.. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content.
Perl before 5. In Perl through 5. Heap-based buffer overflow in the pack function in Perl before 5. An issue was discovered in Perl 5. Matching a crafted locale dependent regular expression can cause a heap-based buffer over-read and potentially information disclosure. A crafted regular expression can cause a heap-based buffer overflow, with control over the bytes written. Perl might allow context-dependent attackers to bypass the taint protection mechanism in a child process via duplicate environment variables in envp.
PL in Perl 5. The canonpath function in the File::Spec module in PathTools before 3. The Dumper method in Data::Dumper before 2.