in reply to script-security / custom nagios-check

I'm not a security expert, but you seem to do a pretty thorough job on checking the values that are passed in. As in "This is allowed, anything else is not", as opposed to "This is not allowed, anything else is", the latter of which is far too common in argument/variable cleaning code.

Also, check out the -T perl command-line option. (Taint checking).

Arjen

Replies are listed 'Best First'.
Re: Re: script-security / custom nagios-check
by Tomte (Priest) on Jan 30, 2003 at 11:50 UTC

    Yes, I thought while doing that one :-)
    but I can't be as rigid as I wanted to with the regexp checking the command remotely executed, my main concern is if there's a weakness due to that.

    As for -T | -t : I had a look on that and thought it wouldn't make a difference in this case, am I plain wrong with this assumption?

    regards,
    tomte

[reply]
      -T helps you in security in that it marks any data coming from 'the outside' as tainted untill you explicitly untaint it with a regexp.
      #!/bin/perl -wT
use strict;

my $taintedVar = $ARGV[0];
if ($taintedVar =~ m/^([0-9]+)$/)
{
  my $UNtaintedVar = $1;
}

      [download]
      A not-so-smart programmer could use (.*) as a regexp and then the data $1 would be untainted but insecure.
[reply]
[d/l]

        I read the perldoc that far ;-)
        and decided I don't need -T, as I'm checking all input with a regexp not as general as (.*). I had used -T, but really found no difference, so I left it out, as there must be some impact on runtime.

        So unless taint-checks do check more than I know, I think I don't need it here.

        Edit: Don't get me wrong.
        Please convince me that I need -t or anything else I might have missed.
        I'm doing a lot of stuff in perl, but I'm mostly paid to do java.

        regards,
        tomte

[reply]

In Section Seekers of Perl Wisdom