in reply to Re: Re: Re: Re: Re: Re: Re: CGI::param wrapper for untainting
in thread CGI::param wrapper for untainting


On the importance of security
by merlyn (Sage) on Mar 28, 2001 at 02:50 UTC
    Perhaps I am difficult to deal with on things that I feel strongly about.

    I've been reading BUGTRAQ and RISKS for too many years now to treat what you say lightly. Your speech mimics those who didn't respect the responsibility of security enough, and who now have let credit card numbers leak, and other important documents.

    And let's make this personal... it would be just my luck that you'd go on to write some e-commerce site that I ended up using, and except for the correction I'm trying to get you here, you wrote some leaky crap that revealed personal information about me to whoever wanted to come along.

    So, I must continue until you've shown signs of "getting it". Both for humanity, and for me personally. I'm still troubled by many of these statements in your last post. You are not showing signs of "getting it".

    I'm whipping it out so that 10 people who I know very well can use the code behind an SSL apache password protected website.
    What if there's a breakin, and now using your untainted code they get further with the breakin?

    And here's the scary one for me... what if someone copies your code without understanding the operating limits, and ends up putting that on a site without this first level of protection. Code always lives longer than it should. Witness Matt Wright's stuff, or even my own ill-fated chat2.pl.

    You may think it's no big deal. And as long as you think it's no big deal, I'm here to insist that it is.

    -- Randal L. Schwartz, Perl hacker

Re (tilly) 9: CGI::param wrapper for untainting
by tilly (Archbishop) on Mar 28, 2001 at 04:49 UTC
    At the current rate it won't even help you make it secure because you are just going to ignore it. :-(

    Let me put it this way.

    If your process is truly secure because it is jailed and it is behind an SSL apache password protected site, then you should be able to convince your administrators that allowing you to avoid taint checking is OK. That is a site administrator decision.

    If the administrators will not allow you to turn it off, they probably have reasons. They know your setup better than I do, and probably better than you do as well. What reasons, you ask? Well, they may be aware of security issues which you are not. For instance, the chroot jail may be breakable by standard cracking tools. Perhaps you are connecting to a database that needs to be protected. Now you trust your users. But perhaps they do not trust users of the site to use good passwords. Or they may be afraid that users are coming from compromised machines.

    Depending on what you are doing, these concerns may be real and valid.

    Here is what I know.

    Taint checking is a matter of your site's policy. It would be unethical for Randal, or me, to tell you how to violate that site policy.

    I am trying to help you. I really am. I am trying to help you with what I see as the most important problem that you have. IMHO that problem is that you do not seem to understand that your corporate security policy has a reason for existing. It is not your place to decide for your company that you don't need to follow policy. It is not my place to tell you how to open your company up to attacks that they know about and are trying to prevent.

    Now your company may have a bunch of fascist morons dictating security. If so then that is an internal problem. Complain. But don't ask others to help you get into trouble.