in reply to Re^2: How ti include a file in Perl script
in thread How ti include a file in Perl script

If he has access, is it not easy for him to type "rm -rf /" directly instead of modifying my file? Or he could change any other file to programmatically remove every file he wants.
There may be lots of reasons to use a Config module instead of this, but that is not one, in my opinion.

Re^4: How ti include a file in Perl script
by TGI (Parson) on Jan 11, 2008 at 16:20 UTC

    Depending on how your scripts are run and the permissions on the files involved, your config files may be part of a privilege escalation attack.

    The risk really comes in where there is a difference in permissions between who can alter the config file, who can run the script, and the user the script executes as. If your script runs as setuid root, you give the system to an attacker.

    In your case, the risk may be small. But it is a risk that is easily and cheaply avoided by using a library to serialize your configuration data.


    TGI says moo
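
The permission gap TGI describes, as an added example that is not part of the original thread: a loader that reads the config as data instead of running it as Perl, and refuses a file that someone other than the owner can modify. It assumes the config would otherwise be pulled in with `do` or `require`; the helper name `load_config` and the `key = value` format are hypothetical, and a small hand-written parser in core Perl stands in for the serialization library the reply recommends.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Fcntl qw(:mode);
use File::Temp qw(tempfile);

# Hypothetical helper: parse "key = value" lines as data; nothing is executed.
sub load_config {
    my ($path) = @_;
    open my $fh, '<', $path or die "open $path: $!";

    # stat the open handle, not the path, so the file checked is the file read.
    my @st = stat $fh or die "stat $path: $!";
    my ($mode, $uid) = @st[2, 4];
    my $euid = $>;                               # user the script executes as
    die "$path: not a regular file\n" unless S_ISREG($mode);
    die "$path: owned by uid $uid, expected root or uid $euid\n"
        unless $uid == 0 || $uid == $euid;
    die "$path: writable by group or others\n" if $mode & (S_IWGRP | S_IWOTH);

    my %cfg;
    while (my $line = <$fh>) {
        next if $line =~ /^\s*#/ || $line !~ /\S/;   # comments and blank lines
        $line =~ /^\s*(\w+)\s*=\s*(.*?)\s*$/
            or die "$path: malformed line, expected key = value\n";
        $cfg{$1} = $2;
    }
    return \%cfg;
}

# Constructed sample: the second value would run a command if the file were
# loaded with do/require; here it is only a string.
my ($tmp, $file) = tempfile(UNLINK => 1);
print {$tmp} "# constructed sample config\n",
             "logdir = /var/log/myapp\n",
             "banner = system('id')\n";
close $tmp or die "close: $!";

chmod 0600, $file or die "chmod: $!";
my $cfg = load_config($file);
print "banner is data: $cfg->{banner}\n";

chmod 0666, $file or die "chmod: $!";            # simulate a world-writable config
eval { load_config($file); 1 } or print "refused: $@";
```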