Revert "show -E in error message when called with -E"
[p5sagit/p5-mst-13.2.git] / pod / perlsec.pod
CommitLineData
a0d0e21e 1=head1 NAME
2
3perlsec - Perl security
4
5=head1 DESCRIPTION
6
425e5e39 7Perl is designed to make it easy to program securely even when running
8with extra privileges, like setuid or setgid programs. Unlike most
54310121 9command line shells, which are based on multiple substitution passes on
425e5e39 10each line of the script, Perl uses a more conventional evaluation scheme
11with fewer hidden snags. Additionally, because the language has more
54310121 12builtin functionality, it can rely less upon external (and possibly
425e5e39 13untrustworthy) programs to accomplish its purposes.
a0d0e21e 14
425e5e39 15Perl automatically enables a set of special security checks, called I<taint
16mode>, when it detects its program running with differing real and effective
17user or group IDs. The setuid bit in Unix permissions is mode 04000, the
18setgid bit mode 02000; either or both may be set. You can also enable taint
5f05dabc 19mode explicitly by using the B<-T> command line flag. This flag is
425e5e39 20I<strongly> suggested for server programs and any program run on behalf of
fb73857a 21someone else, such as a CGI script. Once taint mode is on, it's on for
22the remainder of your script.
a0d0e21e 23
1e422769 24While in this mode, Perl takes special precautions called I<taint
25checks> to prevent both obvious and subtle traps. Some of these checks
26are reasonably simple, such as verifying that path directories aren't
27writable by others; careful programmers have always used checks like
28these. Other checks, however, are best supported by the language itself,
fb73857a 29and it is these checks especially that contribute to making a set-id Perl
425e5e39 30program more secure than the corresponding C program.
31
fb73857a 32You may not use data derived from outside your program to affect
33something else outside your program--at least, not by accident. All
34command line arguments, environment variables, locale information (see
23634c10 35L<perllocale>), results of certain system calls (C<readdir()>,
36C<readlink()>, the variable of C<shmread()>, the messages returned by
37C<msgrcv()>, the password, gcos and shell fields returned by the
38C<getpwxxx()> calls), and all file input are marked as "tainted".
41d6edb2 39Tainted data may not be used directly or indirectly in any command
40that invokes a sub-shell, nor in any command that modifies files,
b7ee89ce 41directories, or processes, B<with the following exceptions>:
42
43=over 4
44
45=item *
46
b7ee89ce 47Arguments to C<print> and C<syswrite> are B<not> checked for taintedness.
48
7f6513c1 49=item *
50
51Symbolic methods
52
53 $obj->$method(@args);
54
55and symbolic sub references
56
57 &{$foo}(@args);
58 $foo->(@args);
59
60are not checked for taintedness. This requires extra carefulness
61unless you want external data to affect your control flow. Unless
62you carefully limit what these symbolic values are, people are able
63to call functions B<outside> your Perl code, such as POSIX::system,
64in which case they are able to run arbitrary external code.
65
8ea1447c 66=item *
67
68Hash keys are B<never> tainted.
69
b7ee89ce 70=back
71
595bde10 72For efficiency reasons, Perl takes a conservative view of
73whether data is tainted. If an expression contains tainted data,
74any subexpression may be considered tainted, even if the value
75of the subexpression is not itself affected by the tainted data.
ee556d55 76
d929ce6f 77Because taintedness is associated with each scalar value, some
595bde10 78elements of an array or hash can be tainted and others not.
8ea1447c 79The keys of a hash are B<never> tainted.
a0d0e21e 80
a0d0e21e 81For example:
82
425e5e39 83 $arg = shift; # $arg is tainted
84 $hid = $arg, 'bar'; # $hid is also tainted
85 $line = <>; # Tainted
8ebc5c01 86 $line = <STDIN>; # Also tainted
87 open FOO, "/home/me/bar" or die $!;
88 $line = <FOO>; # Still tainted
a0d0e21e 89 $path = $ENV{'PATH'}; # Tainted, but see below
425e5e39 90 $data = 'abc'; # Not tainted
a0d0e21e 91
425e5e39 92 system "echo $arg"; # Insecure
7de90c4d 93 system "/bin/echo", $arg; # Considered insecure
bbd7eb8a 94 # (Perl doesn't know about /bin/echo)
425e5e39 95 system "echo $hid"; # Insecure
96 system "echo $data"; # Insecure until PATH set
a0d0e21e 97
425e5e39 98 $path = $ENV{'PATH'}; # $path now tainted
a0d0e21e 99
54310121 100 $ENV{'PATH'} = '/bin:/usr/bin';
c90c0ff4 101 delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};
a0d0e21e 102
425e5e39 103 $path = $ENV{'PATH'}; # $path now NOT tainted
104 system "echo $data"; # Is secure now!
a0d0e21e 105
425e5e39 106 open(FOO, "< $arg"); # OK - read-only file
107 open(FOO, "> $arg"); # Not OK - trying to write
a0d0e21e 108
bbd7eb8a 109 open(FOO,"echo $arg|"); # Not OK
425e5e39 110 open(FOO,"-|")
7de90c4d 111 or exec 'echo', $arg; # Also not OK
a0d0e21e 112
425e5e39 113 $shout = `echo $arg`; # Insecure, $shout now tainted
a0d0e21e 114
425e5e39 115 unlink $data, $arg; # Insecure
116 umask $arg; # Insecure
a0d0e21e 117
bbd7eb8a 118 exec "echo $arg"; # Insecure
7de90c4d 119 exec "echo", $arg; # Insecure
120 exec "sh", '-c', $arg; # Very insecure!
a0d0e21e 121
3a4b19e4 122 @files = <*.c>; # insecure (uses readdir() or similar)
123 @files = glob('*.c'); # insecure (uses readdir() or similar)
7bac28a0 124
3f7d42d8 125 # In Perl releases older than 5.6.0 the <*.c> and glob('*.c') would
126 # have used an external program to do the filename expansion; but in
127 # either case the result is tainted since the list of filenames comes
128 # from outside of the program.
129
ee556d55 130 $bad = ($arg, 23); # $bad will be tainted
131 $arg, `true`; # Insecure (although it isn't really)
132
a0d0e21e 133If you try to do something insecure, you will get a fatal error saying
7de90c4d 134something like "Insecure dependency" or "Insecure $ENV{PATH}".
425e5e39 135
23634c10 136The exception to the principle of "one tainted value taints the whole
137expression" is with the ternary conditional operator C<?:>. Since code
138with a ternary conditional
139
140 $result = $tainted_value ? "Untainted" : "Also untainted";
141
142is effectively
143
144 if ( $tainted_value ) {
145 $result = "Untainted";
146 } else {
147 $result = "Also untainted";
148 }
149
150it doesn't make sense for C<$result> to be tainted.
151
425e5e39 152=head2 Laundering and Detecting Tainted Data
153
3f7d42d8 154To test whether a variable contains tainted data, and whose use would
155thus trigger an "Insecure dependency" message, you can use the
23634c10 156C<tainted()> function of the Scalar::Util module, available in your
3f7d42d8 157nearby CPAN mirror, and included in Perl starting from the release 5.8.0.
595bde10 158Or you may be able to use the following C<is_tainted()> function.
425e5e39 159
160 sub is_tainted {
61890e45 161 return ! eval { eval("#" . substr(join("", @_), 0, 0)); 1 };
425e5e39 162 }
163
164This function makes use of the fact that the presence of tainted data
165anywhere within an expression renders the entire expression tainted. It
166would be inefficient for every operator to test every argument for
167taintedness. Instead, the slightly more efficient and conservative
168approach is used that if any tainted value has been accessed within the
169same expression, the whole expression is considered tainted.
170
5f05dabc 171But testing for taintedness gets you only so far. Sometimes you have just
595bde10 172to clear your data's taintedness. Values may be untainted by using them
173as keys in a hash; otherwise the only way to bypass the tainting
54310121 174mechanism is by referencing subpatterns from a regular expression match.
425e5e39 175Perl presumes that if you reference a substring using $1, $2, etc., that
176you knew what you were doing when you wrote the pattern. That means using
177a bit of thought--don't just blindly untaint anything, or you defeat the
a034a98d 178entire mechanism. It's better to verify that the variable has only good
179characters (for certain values of "good") rather than checking whether it
180has any bad characters. That's because it's far too easy to miss bad
181characters that you never thought of.
425e5e39 182
183Here's a test to make sure that the data contains nothing but "word"
184characters (alphabetics, numerics, and underscores), a hyphen, an at sign,
185or a dot.
186
54310121 187 if ($data =~ /^([-\@\w.]+)$/) {
425e5e39 188 $data = $1; # $data now untainted
189 } else {
3a2263fe 190 die "Bad data in '$data'"; # log this somewhere
425e5e39 191 }
192
5f05dabc 193This is fairly secure because C</\w+/> doesn't normally match shell
425e5e39 194metacharacters, nor are dot, dash, or at going to mean something special
195to the shell. Use of C</.+/> would have been insecure in theory because
196it lets everything through, but Perl doesn't check for that. The lesson
197is that when untainting, you must be exceedingly careful with your patterns.
19799a22 198Laundering data using regular expression is the I<only> mechanism for
425e5e39 199untainting dirty data, unless you use the strategy detailed below to fork
200a child of lesser privilege.
201
23634c10 202The example does not untaint C<$data> if C<use locale> is in effect,
a034a98d 203because the characters matched by C<\w> are determined by the locale.
204Perl considers that locale definitions are untrustworthy because they
205contain data from outside the program. If you are writing a
206locale-aware program, and want to launder data with a regular expression
207containing C<\w>, put C<no locale> ahead of the expression in the same
208block. See L<perllocale/SECURITY> for further discussion and examples.
209
3a52c276 210=head2 Switches On the "#!" Line
211
212When you make a script executable, in order to make it usable as a
213command, the system will pass switches to perl from the script's #!
54310121 214line. Perl checks that any command line switches given to a setuid
3a52c276 215(or setgid) script actually match the ones set on the #! line. Some
54310121 216Unix and Unix-like environments impose a one-switch limit on the #!
3a52c276 217line, so you may need to use something like C<-wU> instead of C<-w -U>
54310121 218under such systems. (This issue should arise only in Unix or
219Unix-like environments that support #! and setuid or setgid scripts.)
3a52c276 220
588f7210 221=head2 Taint mode and @INC
222
223When the taint mode (C<-T>) is in effect, the "." directory is removed
224from C<@INC>, and the environment variables C<PERL5LIB> and C<PERLLIB>
225are ignored by Perl. You can still adjust C<@INC> from outside the
226program by using the C<-I> command line option as explained in
227L<perlrun>. The two environment variables are ignored because
228they are obscured, and a user running a program could be unaware that
229they are set, whereas the C<-I> option is clearly visible and
230therefore permitted.
231
232Another way to modify C<@INC> without modifying the program, is to use
233the C<lib> pragma, e.g.:
234
235 perl -Mlib=/foo program
236
237The benefit of using C<-Mlib=/foo> over C<-I/foo>, is that the former
238will automagically remove any duplicated directories, while the later
239will not.
240
6a268663 241Note that if a tainted string is added to C<@INC>, the following
242problem will be reported:
243
244 Insecure dependency in require while running with -T switch
245
425e5e39 246=head2 Cleaning Up Your Path
247
df98f984 248For "Insecure C<$ENV{PATH}>" messages, you need to set C<$ENV{'PATH'}> to
249a known value, and each directory in the path must be absolute and
250non-writable by others than its owner and group. You may be surprised to
251get this message even if the pathname to your executable is fully
252qualified. This is I<not> generated because you didn't supply a full path
253to the program; instead, it's generated because you never set your PATH
254environment variable, or you didn't set it to something that was safe.
255Because Perl can't guarantee that the executable in question isn't itself
256going to turn around and execute some other program that is dependent on
257your PATH, it makes sure you set the PATH.
a0d0e21e 258
a3cb178b 259The PATH isn't the only environment variable which can cause problems.
260Because some shells may use the variables IFS, CDPATH, ENV, and
261BASH_ENV, Perl checks that those are either empty or untainted when
262starting subprocesses. You may wish to add something like this to your
263setid and taint-checking scripts.
264
265 delete @ENV{qw(IFS CDPATH ENV BASH_ENV)}; # Make %ENV safer
266
a0d0e21e 267It's also possible to get into trouble with other operations that don't
268care whether they use tainted values. Make judicious use of the file
269tests in dealing with any user-supplied filenames. When possible, do
fb73857a 270opens and such B<after> properly dropping any special user (or group!)
271privileges. Perl doesn't prevent you from opening tainted filenames for reading,
a0d0e21e 272so be careful what you print out. The tainting mechanism is intended to
273prevent stupid mistakes, not to remove the need for thought.
274
23634c10 275Perl does not call the shell to expand wild cards when you pass C<system>
276and C<exec> explicit parameter lists instead of strings with possible shell
277wildcards in them. Unfortunately, the C<open>, C<glob>, and
54310121 278backtick functions provide no such alternate calling convention, so more
279subterfuge will be required.
425e5e39 280
281Perl provides a reasonably safe way to open a file or pipe from a setuid
282or setgid program: just create a child process with reduced privilege who
283does the dirty work for you. First, fork a child using the special
23634c10 284C<open> syntax that connects the parent and child by a pipe. Now the
425e5e39 285child resets its ID set and any other per-process attributes, like
286environment variables, umasks, current working directories, back to the
287originals or known safe values. Then the child process, which no longer
23634c10 288has any special permissions, does the C<open> or other system call.
425e5e39 289Finally, the child passes the data it managed to access back to the
5f05dabc 290parent. Because the file or pipe was opened in the child while running
425e5e39 291under less privilege than the parent, it's not apt to be tricked into
292doing something it shouldn't.
293
23634c10 294Here's a way to do backticks reasonably safely. Notice how the C<exec> is
425e5e39 295not called with a string that the shell could expand. This is by far the
296best way to call something that might be subjected to shell escapes: just
fb73857a 297never call the shell at all.
cb1a09d0 298
a1ce9542 299 use English '-no_match_vars';
e093bcf0 300 die "Can't fork: $!" unless defined($pid = open(KID, "-|"));
301 if ($pid) { # parent
302 while (<KID>) {
303 # do something
304 }
305 close KID;
306 } else {
307 my @temp = ($EUID, $EGID);
308 my $orig_uid = $UID;
309 my $orig_gid = $GID;
310 $EUID = $UID;
311 $EGID = $GID;
312 # Drop privileges
313 $UID = $orig_uid;
314 $GID = $orig_gid;
315 # Make sure privs are really gone
316 ($EUID, $EGID) = @temp;
317 die "Can't drop privileges"
318 unless $UID == $EUID && $GID eq $EGID;
319 $ENV{PATH} = "/bin:/usr/bin"; # Minimal PATH.
320 # Consider sanitizing the environment even more.
321 exec 'myprog', 'arg1', 'arg2'
322 or die "can't exec myprog: $!";
323 }
425e5e39 324
fb73857a 325A similar strategy would work for wildcard expansion via C<glob>, although
326you can use C<readdir> instead.
425e5e39 327
328Taint checking is most useful when although you trust yourself not to have
329written a program to give away the farm, you don't necessarily trust those
330who end up using it not to try to trick it into doing something bad. This
fb73857a 331is the kind of security checking that's useful for set-id programs and
425e5e39 332programs launched on someone else's behalf, like CGI programs.
333
334This is quite different, however, from not even trusting the writer of the
335code not to try to do something evil. That's the kind of trust needed
336when someone hands you a program you've never seen before and says, "Here,
337run this." For that kind of safety, check out the Safe module,
338included standard in the Perl distribution. This module allows the
339programmer to set up special compartments in which all system operations
340are trapped and namespace access is carefully controlled.
341
342=head2 Security Bugs
343
344Beyond the obvious problems that stem from giving special privileges to
fb73857a 345systems as flexible as scripts, on many versions of Unix, set-id scripts
425e5e39 346are inherently insecure right from the start. The problem is a race
347condition in the kernel. Between the time the kernel opens the file to
fb73857a 348see which interpreter to run and when the (now-set-id) interpreter turns
425e5e39 349around and reopens the file to interpret it, the file in question may have
350changed, especially if you have symbolic links on your system.
351
352Fortunately, sometimes this kernel "feature" can be disabled.
353Unfortunately, there are two ways to disable it. The system can simply
fb73857a 354outlaw scripts with any set-id bit set, which doesn't help much.
355Alternately, it can simply ignore the set-id bits on scripts. If the
425e5e39 356latter is true, Perl can emulate the setuid and setgid mechanism when it
357notices the otherwise useless setuid/gid bits on Perl scripts. It does
23634c10 358this via a special executable called F<suidperl> that is automatically
54310121 359invoked for you if it's needed.
425e5e39 360
fb73857a 361However, if the kernel set-id script feature isn't disabled, Perl will
362complain loudly that your set-id script is insecure. You'll need to
363either disable the kernel set-id script feature, or put a C wrapper around
425e5e39 364the script. A C wrapper is just a compiled program that does nothing
365except call your Perl program. Compiled programs are not subject to the
fb73857a 366kernel bug that plagues set-id scripts. Here's a simple wrapper, written
425e5e39 367in C:
368
369 #define REAL_PATH "/path/to/script"
54310121 370 main(ac, av)
425e5e39 371 char **av;
372 {
373 execv(REAL_PATH, av);
54310121 374 }
cb1a09d0 375
54310121 376Compile this wrapper into a binary executable and then make I<it> rather
377than your script setuid or setgid.
425e5e39 378
425e5e39 379In recent years, vendors have begun to supply systems free of this
380inherent security bug. On such systems, when the kernel passes the name
fb73857a 381of the set-id script to open to the interpreter, rather than using a
425e5e39 382pathname subject to meddling, it instead passes I</dev/fd/3>. This is a
383special file already opened on the script, so that there can be no race
384condition for evil scripts to exploit. On these systems, Perl should be
23634c10 385compiled with C<-DSETUID_SCRIPTS_ARE_SECURE_NOW>. The F<Configure>
425e5e39 386program that builds Perl tries to figure this out for itself, so you
387should never have to specify this yourself. Most modern releases of
388SysVr4 and BSD 4.4 use this approach to avoid the kernel race condition.
389
23634c10 390Prior to release 5.6.1 of Perl, bugs in the code of F<suidperl> could
0325b4c4 391introduce a security hole.
68dc0745 392
393=head2 Protecting Your Programs
394
395There are a number of ways to hide the source to your Perl programs,
396with varying levels of "security".
397
398First of all, however, you I<can't> take away read permission, because
399the source code has to be readable in order to be compiled and
400interpreted. (That doesn't mean that a CGI script's source is
401readable by people on the web, though.) So you have to leave the
5a964f20 402permissions at the socially friendly 0755 level. This lets
403people on your local system only see your source.
68dc0745 404
5a964f20 405Some people mistakenly regard this as a security problem. If your program does
68dc0745 406insecure things, and relies on people not knowing how to exploit those
407insecurities, it is not secure. It is often possible for someone to
408determine the insecure things and exploit them without viewing the
409source. Security through obscurity, the name for hiding your bugs
410instead of fixing them, is little security indeed.
411
83df6a1d 412You can try using encryption via source filters (Filter::* from CPAN,
413or Filter::Util::Call and Filter::Simple since Perl 5.8).
414But crackers might be able to decrypt it. You can try using the byte
415code compiler and interpreter described below, but crackers might be
416able to de-compile it. You can try using the native-code compiler
68dc0745 417described below, but crackers might be able to disassemble it. These
418pose varying degrees of difficulty to people wanting to get at your
419code, but none can definitively conceal it (this is true of every
420language, not just Perl).
421
422If you're concerned about people profiting from your code, then the
3462340b 423bottom line is that nothing but a restrictive license will give you
68dc0745 424legal security. License your software and pepper it with threatening
425statements like "This is unpublished proprietary software of XYZ Corp.
426Your access to it does not give you permission to use it blah blah
3462340b 427blah." You should see a lawyer to be sure your license's wording will
68dc0745 428stand up in court.
5a964f20 429
0d7c09bb 430=head2 Unicode
431
432Unicode is a new and complex technology and one may easily overlook
433certain security pitfalls. See L<perluniintro> for an overview and
434L<perlunicode> for details, and L<perlunicode/"Security Implications
435of Unicode"> for security implications in particular.
436
504f80c1 437=head2 Algorithmic Complexity Attacks
438
439Certain internal algorithms used in the implementation of Perl can
440be attacked by choosing the input carefully to consume large amounts
441of either time or space or both. This can lead into the so-called
442I<Denial of Service> (DoS) attacks.
443
444=over 4
445
446=item *
447
448Hash Function - the algorithm used to "order" hash elements has been
449changed several times during the development of Perl, mainly to be
450reasonably fast. In Perl 5.8.1 also the security aspect was taken
451into account.
452
453In Perls before 5.8.1 one could rather easily generate data that as
454hash keys would cause Perl to consume large amounts of time because
4546b9e6 455internal structure of hashes would badly degenerate. In Perl 5.8.1
456the hash function is randomly perturbed by a pseudorandom seed which
457makes generating such naughty hash keys harder.
458See L<perlrun/PERL_HASH_SEED> for more information.
459
22883ac5 460In Perl 5.8.1 the random perturbation was done by default, but as of
4615.8.2 it is only used on individual hashes if the internals detect the
462insertion of pathological data. If one wants for some reason emulate the
463old behaviour (and expose oneself to DoS attacks) one can set the
464environment variable PERL_HASH_SEED to zero to disable the protection
465(or any other integer to force a known perturbation, rather than random).
466One possible reason for wanting to emulate the old behaviour is that in the
467new behaviour consecutive runs of Perl will order hash keys differently,
468which may confuse some applications (like Data::Dumper: the outputs of two
469different runs are no longer identical).
504f80c1 470
7b3f7037 471B<Perl has never guaranteed any ordering of the hash keys>, and the
472ordering has already changed several times during the lifetime of
473Perl 5. Also, the ordering of hash keys has always been, and
474continues to be, affected by the insertion order.
475
476Also note that while the order of the hash elements might be
477randomised, this "pseudoordering" should B<not> be used for
478applications like shuffling a list randomly (use List::Util::shuffle()
479for that, see L<List::Util>, a standard core module since Perl 5.8.0;
480or the CPAN module Algorithm::Numerical::Shuffle), or for generating
481permutations (use e.g. the CPAN modules Algorithm::Permute or
482Algorithm::FastPermute), or for any cryptographic applications.
483
504f80c1 484=item *
485
5a4e8ea7 486Regular expressions - Perl's regular expression engine is so called NFA
487(Non-deterministic Finite Automaton), which among other things means that
488it can rather easily consume large amounts of both time and space if the
504f80c1 489regular expression may match in several ways. Careful crafting of the
490regular expressions can help but quite often there really isn't much
491one can do (the book "Mastering Regular Expressions" is required
492reading, see L<perlfaq2>). Running out of space manifests itself by
493Perl running out of memory.
494
495=item *
496
497Sorting - the quicksort algorithm used in Perls before 5.8.0 to
498implement the sort() function is very easy to trick into misbehaving
3462340b 499so that it consumes a lot of time. Starting from Perl 5.8.0 a different
500sorting algorithm, mergesort, is used by default. Mergesort cannot
501misbehave on any input.
504f80c1 502
503=back
504
505See L<http://www.cs.rice.edu/~scrosby/hash/> for more information,
3462340b 506and any computer science textbook on algorithmic complexity.
504f80c1 507
5a964f20 508=head1 SEE ALSO
509
510L<perlrun> for its description of cleaning up environment variables.