in reply to Doubt in perl taint

As others have pointed out, taint checking isn't confined to the code - the checking involves things like the run-time environment and when I say environment, I mean things like permissions on directories &/or files that your script accesses, having potentially unsafe directories on your path etc.

By way of explanation, there used to be a security hole on Solaris whereby /usr/bin was installed with permissions of 777 such that running a perl script (using -T) in which access was made to a binary e.g. ls, in the directory, then the script failed taint checking becuase the whole world & his uncle could potentially overwrite the accessed binary.

A subsequent security patch modified the permissions to 755 - at which point perls' taint checking found no problem with the use of the binary (tho' may have found problems elsewhere in the code;-).

For the case I have in mind, the system had both /usr/bin/ls & /bin/ls - where the permissions on /bin were 755 - changing the call from `ls` to `/bin/ls` provided an interim fix.

HTH ,

A user level that continues to overstate my experience :-))

Replies are listed 'Best First'.
Re^2: Doubt in perl taint
by ikegami (Patriarch) on Dec 13, 2008 at 16:20 UTC

    the checking involves things like the run-time environment and when I say environment, I mean things like permissions on directories &/or files that your script accesses, having potentially unsafe directories on your path etc.

    perl does none of those things. Tainting doesn't cause Perl to check anything but the taint flag on Perl values.

    then the script failed taint checking becuase the whole world & his uncle could potentially overwrite the accessed binary.

    Not at all. 

    $ cat child
#!/usr/bin/perl
print("child\n");
$ ls -l child
-rwxrwxrwx 1 ikegami group 34 2008-12-13 08:15 child
$ perl -T -e'%ENV=(); system("./child") and die("error: $?")'
child

    [download]

    Now, the system won't let me run a world-writable setuid program, but that has nothing to do with Perl. 

    $ chmod a+s child
$ perl -T -e'%ENV=(); system("./child") and die("error: $?")'
Setuid/gid script is writable by world.
error: 6400 at -e line 1.

    [download]
[reply]
[d/l]
[select]
      ikegami, I was giving the poster the benefit of observations made and indeed, documented on a Solaris 6/ActiveState perl 5.004 (they wouldn't consider getting more up to date due to the security accreditation process) project.

      Setting the setuid bit is, at best, a high risk strategy. Solaris has considered setuid scripts a security risk (and thus not honoured the setuid bit on a script) for an awfully long time - since @ least Solaris 6 QU 0898 - or earlier.

      A user level that continues to overstate my experience :-))
[reply]
        You went way beyond making observations. You falsely claimed the actions were a result of using tainting. You falsely claimed the actions were performed by Perl. Not only is it done by the setuid which you didn't even mention, ls isn't even setuid!
[reply]
[d/l]

In Section Seekers of Perl Wisdom