I didn't either go "way beyond making observations", nor "falsely claim the actions were a result of using tainting"
Your claim that "taint checking isn't confined to the code - the checking involves things like [...] permissions on directories" is false. Which also means you couldn't have observed it.
Remove tainting - perl ran the script
Can't be. Tainting doesn't check permissions.
    $ cat > child
    #!/usr/bin/perl
    print("child\n");
    $ chmod a=rwx,u+s child
    $ ls -l child
    -rwsrwxrwx 1 ikegami group 34 2008-12-13 10:39 child
    $ perl -T -e'%ENV=(); system("./child") and die("error: $?")'
    Setuid/gid script is writable by world.
    error: 6400 at -e line 1.
    $ perl -e'%ENV=(); system("./child") and die("error: $?")'
    Setuid/gid script is writable by world.
    error: 6400 at -e line 1.
With and without tainting, Perl successfully executed the world-writable child ($? != -1).
The setuid thing is a red herring, since, in our case, the binary was merely an e-mail client called indirectly from a CGI script.
I've already shown that executing world-writable files is not prevented by tainting. If it's not setuid, it's something else. But not tainting.
    $ cat > child
    #!/usr/bin/perl
    print("child\n");
    $ chmod a=rwx,a-s child
    $ ls -l child
    -rwxrwxrwx 1 ikegami group 34 2008-12-13 10:39 child
    $ perl -T -e'%ENV=(); system("./child") and die("error: $?")'
    child
Even with tainting, Perl successfully executed the world-writable child ($? != -1) and it ran without error ($? == 0).
In reply to Re^6: Doubt in perl taint
by ikegami
in thread Doubt in perl taint
by lakshmananindia
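
Since the runs above show that -T does not look at file modes, a script that wants that guarantee has to check permissions itself before calling system(). The following is an added example, not code from the thread or its participants; `exec_path_problems` is a hypothetical helper name, and exempting sticky directories is this example's own assumption.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Cwd qw(abs_path);
use File::Basename qw(dirname);
use File::Temp qw(tempdir);
use Fcntl qw(:mode);

# Hypothetical helper: list every reason someone other than the owner could
# alter what gets executed at $path. An empty list means none were found.
sub exec_path_problems {
    my ($path) = @_;
    my $p = abs_path($path);
    return ("cannot resolve $path") unless defined $p && -e $p;
    my @problems;
    while (1) {
        my @st = stat($p) or return ("cannot stat $p: $!");
        my $mode = $st[2];
        # A sticky directory (such as /tmp) is skipped: others cannot
        # rename or delete entries they do not own there.
        my $sticky_dir = S_ISDIR($mode) && ($mode & S_ISVTX);
        if (($mode & (S_IWGRP | S_IWOTH)) && !$sticky_dir) {
            push @problems, sprintf("%s is mode %04o", $p, S_IMODE($mode));
        }
        last if $p eq '/';
        $p = dirname($p);
    }
    return @problems;
}

# Constructed demo: the same one-line child script as in the post.
my $dir   = tempdir(CLEANUP => 1);
my $child = "$dir/child";
open(my $fh, '>', $child) or die "open: $!";
print $fh "#!/usr/bin/perl\nprint(\"child\\n\");\n";
close($fh) or die "close: $!";

for my $mode (0777, 0755) {
    chmod($mode, $child) or die "chmod: $!";
    my @problems = exec_path_problems($child);
    if (@problems) {
        print "refusing to run $child:\n", map { "  $_\n" } @problems;
    } else {
        system($child) == 0 or die "error: $?";
    }
}
```

The check and the later system() call are separate steps, so it only helps when the reported path components are not writable by anyone who could change them in between.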