in reply to Re: Doubt in perl taint
in thread Doubt in perl taint

the checking involves things like the run-time environment and when I say environment, I mean things like permissions on directories &/or files that your script accesses, having potentially unsafe directories on your path etc.

perl does none of those things. Tainting doesn't cause Perl to check anything but the taint flag on Perl values.

then the script failed taint checking because the whole world & his uncle could potentially overwrite the accessed binary.

Not at all.

$ cat child
#!/usr/bin/perl
print("child\n");
$ ls -l child
-rwxrwxrwx 1 ikegami group 34 2008-12-13 08:15 child
$ perl -T -e'%ENV=(); system("./child") and die("error: $?")'
child

Now, the system won't let me run a world-writable setuid program, but that has nothing to do with Perl.

$ chmod a+s child
$ perl -T -e'%ENV=(); system("./child") and die("error: $?")'
Setuid/gid script is writable by world.
error: 6400 at -e line 1.
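An added example, not part of the thread or of either poster's code, that shows what -T actually checks: the taint flag carried by values that came from outside the program, plus the small fixed set of %ENV keys perlsec documents (PATH, IFS, CDPATH, ENV, BASH_ENV) before system()/exec()/piped open. The script name taint_demo.pl and the argument value are assumptions; the script runs under a stock perl with no extra modules.

```perl
#!/usr/bin/perl -T
# Added example (not from the thread): what -T checks and what it does not.
# Usage (file name is an assumption):  perl -T taint_demo.pl <name>
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Data from outside the program carries the taint flag: @ARGV, %ENV,
# anything read from a file handle, readdir results, ... A literal in the
# source does not, and no file or directory permission is consulted.
my $arg = @ARGV ? shift @ARGV : 'world';
printf "argument tainted? %s\n", tainted($arg)    ? 'yes' : 'no';  # yes
printf "literal tainted?  %s\n", tainted('world') ? 'yes' : 'no';  # no

# The one place Perl does inspect the environment under -T is %ENV, and
# only these keys (perlsec): PATH must be untainted and every PATH entry
# must be absolute (on Unix it must also not be world-writable), and IFS,
# CDPATH, ENV and BASH_ENV must be unset or untainted. Otherwise system()
# dies with "Insecure $ENV{PATH}" / "Insecure directory in $ENV{PATH}".
# Sanitise %ENV first so the next demonstration fails for the right reason.
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
$ENV{PATH} = '/bin:/usr/bin';   # literal, therefore untainted

# A tainted value reaching system() dies no matter what the command is or
# how the target file is protected: the check is on the value's flag.
eval { system('/bin/echo', $arg) };
print "with tainted argument: $@" if $@;
#   Insecure dependency in system while running with -T switch at ...

# Untainting is a regex capture. The pattern *is* the validation policy;
# Perl trusts whatever you capture, so keep the character class strict.
my ($clean) = $arg =~ /\A([A-Za-z0-9_.-]{1,64})\z/
    or die "refusing argument '$arg': not in the allowed character set\n";
printf "validated copy tainted? %s\n", tainted($clean) ? 'yes' : 'no';  # no

# The same call with the validated copy is allowed.
system('/bin/echo', $clean) == 0
    or die "echo failed: $?\n";
```

Running it with a plain name (perl -T taint_demo.pl hello) prints the tainted/untainted answers, the "Insecure dependency" failure, and then "hello" from the second system() call; running it with an argument containing a space or a shell metacharacter stops at the die, which is the point of putting the policy in the regex rather than relying on the list form of system() alone.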

Re^3: Doubt in perl taint
by Bloodnok (Vicar) on Dec 13, 2008 at 17:26 UTC
    ikegami, I was giving the poster the benefit of observations made and indeed, documented on a Solaris 6/ActiveState perl 5.004 (they wouldn't consider getting more up to date due to the security accreditation process) project.

    Setting the setuid bit is, at best, a high risk strategy. Solaris has considered setuid scripts a security risk (and thus not honoured the setuid bit on a script) for an awfully long time - since at least Solaris 6 QU 0898 - or earlier.

    A user level that continues to overstate my experience :-))
      You went way beyond making observations. You falsely claimed the actions were a result of using tainting. You falsely claimed the actions were performed by Perl. Not only is it done by the setuid which you didn't even mention, ls isn't even setuid!
        No, ikegami, I believe I neither went "way beyond making observations" nor "falsely claimed the actions were a result of using tainting" - all I did was to attempt to help the poster by giving the benefit of my industrial experience.

        In this case, the, admittedly not entirely exhaustive (project time pressures prevailed on us) investigations into problems we were experiencing revolved around the following...

        • Remove tainting - perl ran the script
        • Change the permissions on the called binary's containing directory - perl ran the script
        • Copy the called binary from the 'open' directory to a more 'restrictive' directory and change the call to an absolute, from a relative, call - once again, perl ran the script
        Ergo, we concluded, tainting must be checking permissions of the containing directory. The setuid thing is a red herring, since, in our case, the binary was merely an e-mail client called indirectly from a CGI script.

        A user level that continues to overstate my experience :-))