It's that time of year when I get to sit at a keyboard and script out what I'm thinking about, how I might pull off getting the data I want from APIs, for example, but doing so from server space I own as opposed to me here on my laptop. We have had to be very aware of smoke in Idaho, and I consider all the gui steps I had to do to fire up a browser, go to a URL, change to CO, resize, take a screenshot, all things that could be mechanized. Then I run a script and send comments, translations, and images to the server in a sample html page.

I have been plotting this task for a while now, intending to do much as bod did with threads like Debugging a module that's failing under taint mode. I have tried to imitate the architecture and write a script that would be aware of perlsec. I'd like to see how many of these issues I can check off, and how I need to organize the filesystems in the cloud to be secure. So far, in view of the security risks that I'm still trying to understand, I don't have a single perl script on my site yet. So I'd like to get on the proverbial scoreboard.

Let's get started with a little output and some source:

    $ perl -T 4.dt.pl
    tiny path is /home/hogan/merrillpjensen.com/prod/lib/1.env.txt
    real bin is /home/hogan/merrillpjensen.com/prod
    $
    #!/usr/bin/env perl
    use v5.030;
    use warnings;
    use Data::Dumper;
    use FindBin qw($RealBin);
    use Path::Tiny;

    my ($prefix,$website,$environment,$basedir);

    BEGIN {
        # truncate envelope
        $ENV{PATH} = '/bin:/usr/bin';
        delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};   # Make %ENV safer
        $prefix = "/home/hogan"; #needs to toggle with
        #$prefix = "/home/fred"; #
        $website = 'merrillpjensen.com';
        if ($RealBin =~ m!$prefix/$website/(dev|test|prod)!) {
            $environment = $1;   # This is now untainted!
            $basedir = "$prefix/$website/$environment";
        } else {
            # $1 is not set when the match fails, so report the path that failed
            die "Bad environment for '$RealBin'";
        }
    }

    #my $tt = Template->new({INCLUDE_PATH => "$basedir/templates"});
    # now I have Path::Tiny
    my $file_name = "1.env.txt";
    # touchpath creates $basedir/lib if needed and touches the file
    my $tiny_path = path($basedir, 'lib', $file_name)->touchpath;
    say "tiny path is $tiny_path";
    # dump the (now trimmed) environment, sorted, with double-quoted values
    my $d = Data::Dumper->new( [ \%ENV ], ['*ENV'] )->Sortkeys(1)->Useqq(1)->Dump();
    my $return = $tiny_path->spew($d);
    say "real bin is $RealBin";

Q1) If I'm gonna scp this to some place on my server, such that this script were to be run daily, what should that place be, and what permissions should I give the directory it is in and the file itself?

This is my OS:

    fred@fourth:/var/www/html/perlmonks$ lsb_release -a
    No LSB modules are available.
    Distributor ID: Ubuntu
    Description:    Ubuntu 20.04.3 LTS
    Release:        20.04
    Codename:       focal
    fred@fourth:/var/www/html/perlmonks$

This is the filesystem:

    fred@fourth:/$ ls
    bin   dev   home  lib32  libx32      media  opt   root  sbin  srv  tmp  var
    boot  etc   lib   lib64  lost+found  mnt    proc  run   snap  sys  usr
    fred@fourth:/$

Q2) How do I securely run this script daily?

I really struggled to find a regex that had some teeth in it without having to hard-code a path in the BEGIN section. I'm not clear what values I'm trying to exclude, that is, what form an attacker might take. Would 'he' not begin with /home? On my laptop, I'm hogan, and on my server, I'm fred, so I don't see a way around having to toggle two lines like this:

    $prefix = "/home/hogan"; #needs to toggle with
    #$prefix = "/home/fred"; #

Q3) Could a person be alright with

    if ($RealBin =~ m!/home/*+/$website/(dev|test|prod)!) {

, or would that take all the teeth out of the check?

I frequently use Log::Log4perl, as many of the data I look at need to be columnized to get the sense of them. I haven't completely understood Re^3: Log4Shell and Log::Log4perl, and would like to look at a concrete example:

    $ cat 4.conf
    ###############################################################################
    # Log::Log4perl Conf                                                          #
    ###############################################################################
    log4perl.rootLogger = INFO, LOG1, SCREEN
    log4perl.appender.SCREEN = Log::Log4perl::Appender::Screen
    log4perl.appender.SCREEN.stderr = 0
    log4perl.appender.SCREEN.layout = Log::Log4perl::Layout::PatternLayout
    log4perl.appender.SCREEN.layout.ConversionPattern = %m %n
    log4perl.appender.LOG1 = Log::Log4perl::Appender::File
    log4perl.appender.LOG1.filename = /home/hogan/Documents/hogan/logs/4.log4perl.txt
    log4perl.appender.LOG1.mode = append
    log4perl.appender.LOG1.layout = Log::Log4perl::Layout::PatternLayout
    log4perl.appender.LOG1.layout.ConversionPattern = %d %p %m %n
    $

Q4) Where's a good place to put something like this and with what permissions? (No visitors to the site need access, except myself through ssh.)

Q5) If 4.conf had been maliciously and successfully corrupted, what kind of characters would be here instead?

Thanks for your comment, and Merry Solstice++++


In reply to creating a secure environment for perl scripts to run by Aldebaran
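An added example, not from the original post, showing what an anchored and escaped form of the $RealBin check from the BEGIN block accepts and rejects, and how the pattern proposed in Q3 behaves against the same paths. The function name untaint_basedir and the candidate paths are constructed for the demonstration.

```perl
#!/usr/bin/env perl
# Added example (not Aldebaran's script): anchored variant of the $RealBin check.
# untaint_basedir and the sample paths below are constructed for illustration.
use v5.030;
use warnings;

my $website = 'merrillpjensen.com';

# Returns ($environment, $basedir) when $realbin is exactly
# /home/<user>/<website>/<dev|test|prod>, otherwise an empty list.
sub untaint_basedir {
    my ($realbin, $website) = @_;
    # ^ and \z anchor both ends, so "/tmp/x/home/..." and a trailing "/.."
    # cannot pass; \Q...\E makes the dot in the domain literal; the user name
    # is limited to a conservative login-name character class.
    return unless $realbin =~ m{^/home/([a-z_][a-z0-9_-]*)/\Q$website\E/(dev|test|prod)\z};
    my ($user, $environment) = ($1, $2);   # regex captures are untainted under -T
    return ($environment, "/home/$user/$website/$environment");
}

# Constructed sample paths, good and bad, to show the teeth of the check.
my @candidates = (
    '/home/hogan/merrillpjensen.com/prod',           # laptop: accepted
    '/home/fred/merrillpjensen.com/dev',             # server: accepted
    '/tmp/evil/home/hogan/merrillpjensen.com/prod',  # unanchored m!...! would accept this
    '/home/hogan/merrillpjensen.com/prod/../../..',  # unanchored m!...! would accept this too
    '/home/hogan/merrillpjensenXcom/prod',           # unescaped '.' would accept this
    '/home/bad user/merrillpjensen.com/test',        # space is outside the login-name class
);

for my $path (@candidates) {
    my ($env, $base) = untaint_basedir($path, $website);
    printf "%-48s %s\n", $path, $env ? "ok   env=$env base=$base" : 'REJECTED';
    # The Q3 pattern m!/home/*+/...! matches none of these: "/*+" only swallows
    # slashes, so it can never step over a user name such as "hogan" or "fred".
    my $q3 = $path =~ m!/home/*+/$website/(dev|test|prod)! ? 'matches' : 'no match';
    printf "%-48s %s\n", '  (Q3 pattern)', $q3;
}
```

Run it with `perl -T` as in the post; only the first two paths are accepted, and the Q3 pattern reports "no match" for every one of them.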
