ghenry has asked for the wisdom of the Perl Monks concerning the following question:

Update: I just wanted to add why I thought of this question:

I was reading Is Open Source Good for Security?, because I am writing a wee paragraph for a website on why the site is secure, and found the perl section of Secure Programming for Linux and Unix HOWTO, which mentions Safe.

Dear Master Monks,

How safe is Safe and which of you Saints use it and where?

Would you use it for filesystem things etc.?

Thanks,
Gavin.

Walking the road to enlightenment... I found a penguin and a camel on the way.....
Fancy a yourname@perl.me.uk? Just ask!!!

Re: Safe Code?
by tilly (Archbishop) on May 24, 2005 at 00:48 UTC
    My understanding is that Safe is not very safe. And it is restrictive enough to keep virtually any interesting code from running. Therefore I would not recommend running it.

    On the bigger question of open source and security, Open and Closed Systems are Equivalent seems to be a good approximation of reality. While open source software is likely to be of better quality than closed source, it is also easier to analyze for security holes. Those two effects seem to offset each other pretty well, with a wide variance by project.

    For more background, Economics and Security has a lot of interesting material on why people wind up accepting insecurity.

      My understanding is that Safe is not very safe. And it is restrictive enough to keep virtually any interesting code from running. Therefore I would not recommend running it.
      Ya know, I've heard a lot of people repeat this, but I have yet to see any actual demonstration of breaking a Safe container. Not that I'm saying it can't be done, merely that I've yet to see people prove their repeated statements of "oh it's not very safe". I'm also not trying to single you out specifically, obviously, you just happened to have repeated it most recently.

      So, does *anyone* have any evidence that the current Safe "isn't very safe"?
        So, does *anyone* have any evidence that the current Safe "isn't very safe"?

        Yup. The continual number of exploits and fixes made in the library. Even if there are no currently known exploits the history of the module makes me deeply suspicious that it can be relied upon as the primary mechanism for securing code.

Re: Safe Code?
by chb (Deacon) on May 24, 2005 at 06:31 UTC
Re: Safe Code?
by rinceWind (Monsignor) on May 24, 2005 at 09:30 UTC

    Looking at the text you are referring to, the perl section mentions taint mode, which in my humble opinion is much more useful and important than safe containers. I've never had need to use a safe container - I'm also quite sparing with eval string.

    Would you use it for filesystem things etc.?

    I would use taint mode and untainting through a regex for this kind of operation. See Ovid's CGI course for a discussion of the security implications and an explanation of how to do this.

    In terms of whether you should publish your source - this depends on your level of paranoia, and the fact that the white hats tend to outnumber the black hats, so you are more likely to get feedback about security holes before your application gets compromised. But, beware also the advice given in this thread.

    --
    I'm Not Just Another Perl Hacker
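An added example, not from any post in this thread, of what rinceWind describes: running under taint mode and untainting a user-supplied filename through an allowlist regex before touching the filesystem. The base directory, the filename policy and the sample inputs are assumptions made for the demonstration.

```perl
#!/usr/bin/perl -T
# Added example, not from the thread: taint mode plus regex untainting for
# a filename that arrives from an untrusted source. Run with -T so perl
# tracks which values came from outside the program.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Assumed constant: the only directory this program may serve files from.
my $BASE_DIR = '/var/app/data';

# Untaint a user-supplied filename. Only a regex capture clears the taint,
# so the pattern *is* the policy: one path component, conservative
# characters, no leading dot (rules out "..", ".hidden") and no slashes.
# Returns the clean name, or undef if the input does not match.
sub untaint_filename {
    my ($name) = @_;
    return undef unless defined $name;
    return $1 if $name =~ m{\A([A-Za-z0-9][A-Za-z0-9_.-]{0,63})\z};
    return undef;
}

# Build the path and read the file. Caveat from perlsec: a read-only open
# with a tainted path is NOT blocked by -T, so the allowlist above, not
# taint mode itself, is what stops "../../etc/passwd" here.
sub read_user_file {
    my ($name) = @_;
    my $clean = untaint_filename($name);
    die "rejected filename\n" unless defined $clean;
    my $path = "$BASE_DIR/$clean";
    open my $fh, '<', $path or die "cannot open $path: $!\n";
    local $/;
    my $content = <$fh>;
    close $fh;
    return $content;
}

# Constructed test inputs. Literals are clean, so mark them tainted the
# perlsec way: append a zero-length slice of a tainted value (%ENV).
my $taint = substr($ENV{PATH} // '', 0, 0);
for my $input ("report.txt", "../../etc/passwd", "a/b.txt", ".htaccess") {
    my $tainted_input = $input . $taint;
    my $clean = untaint_filename($tainted_input);
    my $status = defined $clean
        ? "accepted as '$clean' (tainted=" . (tainted($clean) ? 1 : 0) . ")"
        : "rejected";
    printf "%-18s tainted=%d -> %s\n", $input, tainted($tainted_input) ? 1 : 0, $status;
}
```

Invoke it as `perl -T script.pl` (perl refuses a -T that appears only on the shebang when started without it); only the first input is accepted, and the accepted value comes back with its taint cleared.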

Re: Safe Code?
by displeaser (Hermit) on May 24, 2005 at 07:36 UTC
    Hi,

    I kind of agree with BUU here. From a security perspective there is a constant outpouring of exploits and potential hacks but the reality is that a lot of them are effectively useless unless you are sitting down at the box, i.e. instead of running the exploit you could easily go "format c: /q". Don't get me wrong, I'm constantly looking at the exploits and the security workarounds & patches as we look after some financials, but I still think there is a lot of FUD out there (Fear, Uncertainty, Doubt).

    I would think that while the author of Safe considers it unsafe (sounds weird really:-) it may be better than not using it at all.

    Saying that I've never used it in production code, but then again I have never needed to with the programs I write.

    just my 2 cents.

    Displeaser
      I would think that while the author of Safe considers it unsafe (sounds weird really:-) it may be better then not using it at all.

      I'm not so sure. The promise of Safe.pm was that it would provide safe compartments for code to be evaluated in. The history of Safe.pm means that I'm very skeptical that this is true.

      So if somebody uses Safe.pm and thinks "fantastic - all my security problems with remote code are solved" then I think they're probably going to be surprised at some point. A better solution would be a design that avoids running potentially insecure code at all.