Re: use Safe ; Any Thwarted Attacks?

I don't know if anyone has attacked me - attackers are pretty lazy and stupid these days, with so many targets, such easy pickings, and such apathy towards the Web in general - but I trust it in production. Though I could be sealing my fate here. Oh well. I also backup, compartmentalize, and run bounds checking patches.

Actually, I don't use Safe.pm - I use it's bastard cousin, ops.pm:

http://perldesignpatterns.com/?self

use ops qw(:default entereval sort exit rand ftsize ftfile caller stat
+);
[download]

The Internet community at large is allowed to write code to extend TinyWiki. It is useful to understand the way these modules work - for that, read the Opcode manual page. A bitmask is maintained and disallowed ops aren't compiled. Any code compiled before the "use ops" line can do anything it wants, but any code compiled after it - including in evals - cannot compile down to anything that uses any opcode deemed unsafe. This industrial strength approach avoids a lot (most?) of the problems with Safe - but then your module would be dropping permissions permenantly so that unsafe things don't appear in config files. On one hand, drop as much priviledge as early as possible. On the other, don't invite disaster - like me. Use YAML or XML or SGML or ... something.

I hope this amuses and/or helps.
-scott

Comment on Re: use Safe ; Any Thwarted Attacks? Download Code

Replies are listed 'Best First'.
Re^2: use Safe ; Any Thwarted Attacks? by Aristotle (Chancellor) on Nov 11, 2003 at 06:37 UTC
You can't really call ops a bastard cousin of Safe - the latter relies on the former. And if you're not using Safe you'll need to duplicate its provisions for additional safety, which is is to isolate compartments from the main script completely by dissociating their namespace from the real `%main::`. Just using ops does not provide this - which is in fact the whole point of Safe. Makeshifts last the longest.	[reply]
Re: Re^2: use Safe ; Any Thwarted Attacks? by BUU (Prior) on Nov 11, 2003 at 08:27 UTC
Question: Do either of these approaches deal with the BEGIN block bug? Which is where, if I'm not mistaken, the code in the BEGIN block is executed before the safe/ops module is loaded, thus rendering the entire thing pointless? Or is this not a bug any more? And while I'm pondering, what about keeping the 'unsafe' code seperate from the main code, then run the main code then as a run-time directive 'require' the unsafe code, probably as something like `SAFE{ do foo.pl }` or however safe blocks are actually implemented?	[reply] [d/l]
Re: Re: Re^2: use Safe ; Any Thwarted Attacks? by scrottie (Scribe) on Nov 13, 2003 at 17:21 UTC
BEGIN and use are each run immediately upon sight. Looking at the TinyWiki code I linked from my initial reply, you'll see the "use ops" strategically located - before it are subs defined that I want to provide priviledged fascilities and have input validation built in. Beyond it is code that doesn't require priviledge and things that result in evals, including evals of code in pages. To generalize, put the use ops line before unsane things. If someone can insert a BEGIN block with arbitrary contents into the code, then they could just delete the use ops line, too, couldn't they? Doing use ops then requiring another file, or using another file on a subsequent line is safe. Of course the main code would be seperate from sandboxed code. The priviledged conde contains the sandboxed code - not vice versa. Look no further than the Safe manual page for examples. But this is far afield - the original question was whether or not Safe "thwarts" attacks. I'm not even talking about Safe.pm here. I only mentioned ops.pm because my experience is with it and I had a few footnotes to offer on it, but even with the additional safety afforded, I wanted to point out to the original author that it wasn't the correct idiom. The additional safety was too complex to implement, not completely trust-worthy, and there are better ways to do what he wants to do. -scott	[reply]
Re: Re^2: use Safe ; Any Thwarted Attacks? by scrottie (Scribe) on Nov 13, 2003 at 17:21 UTC
Thanks a lot, Aristotle, for attempting to correct any possibly misleading meanings. Safe.pm and ops.pm both use Opcode.pm. Neither Safe.pm nor ops.pm use either other. As I said and as Artistotle echos here, ops.pm doesn't compartmentalize - it drops "permissions" completely. Of course, permissions are access to opcodes. This is far afield of the original question, and I'm not here for the chatter. The original question was, does Safe.pm thwart attacks? My answer was simply that I do trust ops.pm to do just that - thwart attacks - and ops.pm is related to Safe.pm, and the original author should consider another direction entirely for what he is trying to do, dispite this validation. -scott	[reply]