in reply to Executable bit sloppiness in modules

Why would commands “hidden” in other files be any more of an issue than the fact that you run a Makefile.PL and then a Makefile with shell commands in it on install anyway?

To be sure, untidy tarballs annoy me as well, but they have no effect on security here.

Makeshifts last the longest.

Re^2: Executable bit sloppiness in modules
by zentara (Cardinal) on Dec 21, 2004 at 13:46 UTC
    Well, you are right of course, BUT I was thinking along the lines of "sneaking in an innocent looking file" which could be executed later as part of a hidden attack. Say the module installs a file, marked executable, and innocently named like "thanks.txt". Well, I didn't bother to read it (or may have done an automatic CPAN install). Now "someone knows" that "/usr/lib/Perl5..../somedir/thanks.txt" is just sitting there waiting for another script in the "attack-plan" (which possibly needs root privileges to run).

    Sure, the same thing could be done in other ways, but this is such an "obvious hole", that can be so easily prevented, that I thought I would bring it up.


    I'm not really a human, but I play one on earth. flash japh
      I don't get it. If someone has access to execute "thanks.txt", they'll already have access to run every command in it separately, so the file itself is buying them absolutely nothing. Unless it's somehow being installed suid (which would be a huge problem) or ending up in someone else's path.
        You are probably right,...but somehow it just bothers me and I will continue to examine modules before I install them, and adjust file permissions to be correct for the file type. I guess I'm a bit too paranoid. :-)

        I'm not really a human, but I play one on earth. flash japh
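
The pre-install check discussed in this thread (looking over an unpacked distribution for files whose mode does not match their type, plus the setuid case raised in the reply), as an added example that is not part of any post. The function names, the sample tree and its file names are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Audits an unpacked module distribution
# before "perl Makefile.PL" is run. Assumes file names without newlines.

# audit_exec_bits DIR [fix]
#   NOSHEBANG <path>  executable regular file that does not start with "#!"
#                     (compiled binaries are reported too; review them by hand)
#   SETID <path>      regular file with the setuid or setgid bit set
# With "fix" as second argument, execute bits of NOSHEBANG files are cleared.
audit_exec_bits() {
    dir=$1
    mode=${2:-report}
    find "$dir" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) | sort |
    while IFS= read -r f; do
        # A script the kernel will run directly starts with the bytes "#!".
        magic=$(head -c 2 "$f" 2>/dev/null) || magic=
        if [ "$magic" != "#!" ]; then
            printf 'NOSHEBANG %s\n' "$f"
            if [ "$mode" = fix ]; then chmod a-x "$f"; fi
        fi
    done
    find "$dir" -type f \( -perm -4000 -o -perm -2000 \) | sort |
    while IFS= read -r f; do printf 'SETID %s\n' "$f"; done
}

# Constructed sample tree mirroring the thread's scenario: a real script,
# a module, and a plain text file that was packaged with mode 755.
make_sample_dist() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/bin" "$d/lib"
    printf '#!/usr/bin/perl\nprint "ok\\n";\n' > "$d/bin/tool"
    printf 'package Foo; 1;\n' > "$d/lib/Foo.pm"
    printf 'Thanks for installing.\n' > "$d/thanks.txt"
    chmod 755 "$d/bin/tool" "$d/thanks.txt"
    chmod 644 "$d/lib/Foo.pm"
    printf '%s\n' "$d"
}

sample=$(make_sample_dist)
audit_exec_bits "$sample"   # reports only thanks.txt
rm -rf "$sample"
```

Run it on the extracted directory before the build step; the report covers file modes only and says nothing about what Makefile.PL itself will execute.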