logix has asked for the wisdom of the Perl Monks concerning the following question:

Would there be anyway to make a module or something, that would be run before the real script/perl code is run?

Im admin at an ISP and i often see user-websites with bad PHP code getting hacked, and often this results in an upload of some perl-written bot to /tmp/ or /dev/shm, which is then executed.

What i would really like to do, is simply check if script-location is /tmp/, dont run the script. (sorta like a "trusted path execution" for perl)

But if there was a way to hook in some perl code to be run before the actual script, one could do a lot of cool stuff, like grepping the file for specific patterns, checking owner of file etc. etc. Could be fun to play with.

Is there any such pre-execution hook?

Replies are listed 'Best First'.
Re: perl pre-execution hook
by ikegami (Patriarch) on Jan 04, 2011 at 19:26 UTC

    My web service provider makes /tmp a no-execute partition.

    You could replace /usr/bin/perl with a shell script that calls the real perl after doing the checks.

    Alternatively, you could set env var PERL5OPT=-MFoo.

    By the way, "et cetera" is abbreviated "etc".

    Update:

[reply]
[d/l]
[select]

      s/ect/etc/g. *typo*.

      No-execute wont make a difference, since what is executed is /usr/bin/perl which then reads a file (script) from /tmp/.

      The wrapper script idea would certainly work. But its really simple to circumvent. I know theres no fool-proof way, but i was kinda hoping for something that would be more, errhh... "Hardcoded".. The problem with the wrapper script is, that to be able to execute a SCRIPT, you need read access to it. Execute-only is not enough. So basically you can just cat the script and see where the real perl is located.

      Still, its the best option so far.

      Now the PERL5OPT might be interresting.. Especially if there is some way to make the env-var read only to PHP.. Ill look into that.

      Isnt there some sort of "autoloading" directory, where i can drop a file, a module, a .so file or somthing and have perl automagically load this on startup?

      Ive already tried making a patch to perl that simply rejects running scripts from /tmp/, but its hacky to have to recompile perl on every server.

[reply]

        No-execute wont make a difference, since what is executed is /usr/bin/perl which then reads a file (script) from /tmp/.

        Depends on if the script itself gets executed (in which case it would help) or on if the script is passed to perl (in which case it won't). 

        $ ls -l /tmp/ikegami/foo
-rwx------ 1 ikegami pg1404028 30 2011-01-04 12:23 /tmp/ikegami/foo*

$ cat /tmp/ikegami/foo
#!/usr/bin/perl
print "bad\n";

$ /tmp/ikegami/foo
-bash: /tmp/ikegami/foo: /usr/bin/perl: bad interpreter: Permission de
+nied

$ /usr/bin/perl /tmp/ikegami/foo
bad

        [download]

        But its really simple to circumvent.

        No, it's not. You seem to have forgotten the threat against you which you wish to defend. The attacker either relies on the web server knowing where to find perl or on him knowing where to find perl.

        Isnt there some sort of "autoloading" directory

        No. Besides, this would at least as easy to circumvent as replacing perl itself.

        Update: Elaborated on first point.

[reply]
[d/l]
[select]
Re: perl pre-execution hook
by Old_Gray_Bear (Bishop) on Jan 04, 2011 at 19:34 UTC
    It sounds like you want wrapper-script named 'perl', sym-linked to /usr/local/bin/perl (and wherever else that you have the Perl executable). The wrapper does the sanity checks on code passed to it in @ARGV[0] and decides whether to do a fork-and-exec or drop the offensive bits on the floor.

    ----
    I Go Back to Sleep, Now.

    OGB

[reply]
Re: perl pre-execution hook
by sharyanto (Initiate) on Jan 05, 2011 at 02:21 UTC
    Btw, there are some measures to protect PHP code too. On our servers, for example, when PHP/CGI scripts are about to be launched, an RBL check is done against the client's IP. I plan to add some PHP script analysis as another check.
[reply]

Back to Seekers of Perl Wisdom