PerlMonks  

    Q1) If I'm gonna scp this to some place on my server, such that this script were to be run daily, what should that place be, and what permissions should I give the directory it is in and the file itself? / Q4) Where's a good place to put something like this and with what permissions? (No visitors to the site need access, except myself through ssh.)

I believe these two questions are asking the same thing. The location needs to be outside the directory that your web server has access to, in order to prevent a bad actor from accessing your script using that vector, so you could put it into your ~/bin directory if this is a personal website. You could put it into the /opt directory tree for a less user-dependent location (so, /opt/foobar/bin for example).

    Q2) How do I securely run this script daily?

I would use crontab. I have a corporate client with about twenty cron jobs running mostly during the day, one every minute, a couple every ten minutes, some every hour, some just daily, and one weekly. In addition, you can define environment variables inside the crontab configuration to define how the scripts behave.

    Q3) Could a person be alright with if ($RealBin =~ m!/home/*+/$website/(dev|test|prod)!) { , or would that take all the teeth out of the check?

I'm not sure the '*+' is doing what you want. You may want to test that regexp against some actual paths and confirm that it's doing what you want. A replacement could be '[^/]+' which would then check that the RealBin directory was a user's home directory. (Of course, installing to the /opt directory as I've suggested in A1 would require a change to this rule.)

However, I'm not exactly sure what this script is meant to do -- just check that the environment is clean? How is the output being used? Are you just logging on and looking at the output? Is there going to be a cron job that E-Mails this to you? Are you going to look at the results on a web page? Will the script stop if it's installed in a bad location?

    Q5) if 4.conf had been maliciously and successfully corrupted, what kind of characters would be here instead?

Well, corruption is when a file is overwritten with junk characters. If it's a configuration file, the odds are that a corrupted file will fail to compile, so that may not be an issue. A corrupted file might have any values in it -- perhaps outside the usual 0x20 to 0x7f values.

If someone maliciously changes the configuration, they're probably going to leave it so that it still compiles, but does something that helps them (or hurts you). Unless a bad actor has broken into your web provider's entire system, or stolen your credentials, it's unlikely you need to worry about someone altering your configuration file.

Hope that helps you.

Alex / talexb / Toronto

Thanks PJ. We owe you so much. Groklaw -- RIP -- 2003 to 2013.


In reply to Re: creating a secure environment for perl scripts to run by talexb
in thread creating a secure environment for perl scripts to run by Aldebaran
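
An added example, not part of talexb's reply or the original script: a Perl check of the Q3 pattern and the suggested '[^/]+' replacement against constructed $RealBin values. The site name example.org, the sample paths, and the third (anchored) pattern are assumptions introduced here.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumed site name; the thread does not give the real value of $website.
my $website = 'example.org';

my %check = (
    # Pattern from Q3. '/*+' is a possessive quantifier on the '/' character:
    # it takes every slash after /home and never gives one back, so the
    # literal '/' that follows it has nothing left to match.
    original  => qr!/home/*+/$website/(dev|test|prod)!,
    # Replacement suggested in the reply: exactly one path component
    # (the user name) between /home/ and the site directory.
    suggested => qr!/home/[^/]+/$website/(dev|test|prod)!,
    # Stricter variant (an addition here): anchored at both ends, with the
    # site name quoted so that '.' is not read as "any character".
    anchored  => qr!\A/home/[^/]+/\Q$website\E/(?:dev|test|prod)\z!,
);

# Constructed sample values for $RealBin.
my @paths = (
    '/home/alice/example.org/prod',        # intended layout
    '/home/alice/example.org/test',        # intended layout
    '/home//example.org/dev',              # empty user component
    '/home/alice/bob/example.org/dev',     # extra directory level
    '/var/www/home/alice/example.org/dev', # /home/... buried in another tree
    '/home/alice/exampleXorg/prod',        # unquoted '.' accepts this name
    '/opt/foobar/bin',                     # location proposed in A1
);

my @names = qw(original suggested anchored);
printf "%-40s %s\n", 'RealBin', join ' ', map { sprintf '%-9s', $_ } @names;

for my $path (@paths) {
    # One cell per pattern: did this path pass the location check?
    my @cells = map { $path =~ $check{$_} ? 'match' : '-' } @names;
    printf "%-40s %s\n", $path, join ' ', map { sprintf '%-9s', $_ } @cells;
}
```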
