in reply to Re: use Safe ; Any Thwarted Attacks?
in thread use Safe ; Any Thwarted Attacks?

You can't really call ops a bastard cousin of Safe - the latter relies on the former. And if you're not using Safe you'll need to duplicate its provisions for additional safety, which is is to isolate compartments from the main script completely by dissociating their namespace from the real %main::. Just using ops does not provide this - which is in fact the whole point of Safe.

Makeshifts last the longest.

Replies are listed 'Best First'.
Re: Re^2: use Safe ; Any Thwarted Attacks?
by scrottie (Scribe) on Nov 13, 2003 at 17:21 UTC
    Thanks a lot, Aristotle, for attempting to correct any possibly misleading meanings. Safe.pm and ops.pm both use Opcode.pm. Neither Safe.pm nor ops.pm use either other. As I said and as Artistotle echos here, ops.pm doesn't compartmentalize - it drops "permissions" completely. Of course, permissions are access to opcodes.

    This is far afield of the original question, and I'm not here for the chatter. The original question was, does Safe.pm thwart attacks? My answer was simply that I do trust ops.pm to do just that - thwart attacks - and ops.pm is related to Safe.pm, and the original author should consider another direction entirely for what he is trying to do, dispite this validation.

    -scott
[reply]
Re: Re^2: use Safe ; Any Thwarted Attacks?
by BUU (Prior) on Nov 11, 2003 at 08:27 UTC
    Question: Do either of these approaches deal with the BEGIN block bug? Which is where, if I'm not mistaken, the code in the BEGIN block is executed before the safe/ops module is loaded, thus rendering the entire thing pointless? Or is this not a bug any more?

    And while I'm pondering, what about keeping the 'unsafe' code seperate from the main code, then run the main code then as a run-time directive 'require' the unsafe code, probably as something like SAFE{ do foo.pl } or however safe blocks are actually implemented?
[reply]
[d/l]
      BEGIN and use are each run immediately upon sight. Looking at the TinyWiki code I linked from my initial reply, you'll see the "use ops" strategically located - before it are subs defined that I want to provide priviledged fascilities and have input validation built in. Beyond it is code that doesn't require priviledge and things that result in evals, including evals of code in pages. To generalize, put the use ops line before unsane things. If someone can insert a BEGIN block with arbitrary contents into the code, then they could just delete the use ops line, too, couldn't they? Doing use ops then requiring another file, or using another file on a subsequent line is safe. Of course the main code would be seperate from sandboxed code. The priviledged conde contains the sandboxed code - not vice versa. Look no further than the Safe manual page for examples.

      But this is far afield - the original question was whether or not Safe "thwarts" attacks. I'm not even talking about Safe.pm here. I only mentioned ops.pm because my experience is with it and I had a few footnotes to offer on it, but even with the additional safety afforded, I wanted to point out to the original author that it wasn't the correct idiom. The additional safety was too complex to implement, not completely trust-worthy, and there are better ways to do what he wants to do.

      -scott
[reply]

In Section Seekers of Perl Wisdom