in reply to How to answer "Perl is not secure" objections?

There is some truth in the manager^3's fear: if you are running Perl through mod_perl on apache without any security in mind, the application runs with the privileges of the web server. If that is root, you have a problem.

As far as I remember though, Red Hat locked apache down by changing to some "nobody/nogroup" user after starting. If it is RH Enterprise 4 or later, SELinux might be used to further lock down the server. To such an extent that it might be a pain to get mod_perl running at all.

The bottom line is that mod_perl can be a security hole if the system has bad administration. With good administration (chroot, changing user/group after startup), mod_perl can be perfectly secure. It can never bypass OS security, but it can use the permissions it was granted.

  • Comment on Re: How to answer "Perl is not secure" objections?

Replies are listed 'Best First'.
Re^2: How to answer "Perl is not secure" objections?
by chargrill (Parson) on Sep 06, 2007 at 22:54 UTC

    the application runs with the privileges of the web server. If that is root, you have a problem.

    No, you have two problems - the first of which is solved by firing your system administrator.

    Red Hat locked apache down by changing to some "nobody/nogroup"

    No, apache has done that from (very nearly if not) the start. Various distributions will change the username and/or group, but the net effect is that apache needs to be launched as root to bind to a privileged port (< 1024) and then drops privileges to as unprivileged a user as possible.


    --chargrill 
    s**lil*;  $*=join'',sort split q**;  s;.*;grr; &&s+(.(.)).+$2$1+; $; =
qq-$_-;s,.*,ahc,;$,.=chop for split q,,,reverse;print for($,,$;,$*,$/)

    [download]
[reply]
[d/l]

In Section Seekers of Perl Wisdom