3 perlsec - Perl security
7 Perl is designed to make it easy to write secure setuid and setgid
8 scripts. Unlike shells, which are based on multiple substitution
9 passes on each line of the script, Perl uses a more conventional
10 evaluation scheme with fewer hidden "gotchas". Additionally, since the
11 language has more built-in functionality, it has to rely less upon
12 external (and possibly untrustworthy) programs to accomplish its
15 Beyond the obvious problems that stem from giving special privileges to
16 such flexible systems as scripts, on many operating systems, setuid
17 scripts are inherently insecure right from the start. This is because
18 that between the time that the kernel opens up the file to see what to
19 run, and when the now setuid interpreter it ran turns around and reopens
20 the file so it can interpret it, things may have changed, especially if
21 you have symbolic links on your system.
23 Fortunately, sometimes this kernel "feature" can be disabled.
24 Unfortunately, there are two ways to disable it. The system can simply
25 outlaw scripts with the setuid bit set, which doesn't help much.
26 Alternately, it can simply ignore the setuid bit on scripts. If the
27 latter is true, Perl can emulate the setuid and setgid mechanism when it
28 notices the otherwise useless setuid/gid bits on Perl scripts. It does
29 this via a special executable called B<suidperl> that is automatically
30 invoked for you if it's needed.
32 If, however, the kernel setuid script feature isn't disabled, Perl will
33 complain loudly that your setuid script is insecure. You'll need to
34 either disable the kernel setuid script feature, or put a C wrapper around
35 the script. See the program B<wrapsuid> in the F<eg> directory of your
36 Perl distribution for how to go about doing this.
38 There are some systems on which setuid scripts are free of this inherent
39 security bug. For example, recent releases of Solaris are like this. On
40 such systems, when the kernel passes the name of the setuid script to open
41 to the interpreter, rather than using a pathname subject to mettling, it
42 instead passes /dev/fd/3. This is a special file already opened on the
43 script, so that there can be no race condition for evil scripts to
44 exploit. On these systems, Perl should be compiled with
45 C<-DSETUID_SCRIPTS_ARE_SECURE_NOW>. The B<Configure> program that builds
46 Perl tries to figure this out for itself.
48 When Perl is executing a setuid script, it takes special precautions to
49 prevent you from falling into any obvious traps. (In some ways, a Perl
50 script is more secure than the corresponding C program.) Any command line
51 argument, environment variable, or input is marked as "tainted", and may
52 not be used, directly or indirectly, in any command that invokes a
53 subshell, or in any command that modifies files, directories, or
54 processes. Any variable that is set within an expression that has
55 previously referenced a tainted value also becomes tainted (even if it is
56 logically impossible for the tainted value to influence the variable).
59 $foo = shift; # $foo is tainted
60 $bar = $foo,'bar'; # $bar is also tainted
62 $path = $ENV{'PATH'}; # Tainted, but see below
63 $abc = 'abc'; # Not tainted
65 system "echo $foo"; # Insecure
66 system "/bin/echo", $foo; # Secure (doesn't use sh)
67 system "echo $bar"; # Insecure
68 system "echo $abc"; # Insecure until PATH set
70 $ENV{'PATH'} = '/bin:/usr/bin';
71 $ENV{'IFS'} = '' if $ENV{'IFS'} ne '';
73 $path = $ENV{'PATH'}; # Not tainted
74 system "echo $abc"; # Is secure now!
76 open(FOO,"$foo"); # OK
77 open(FOO,">$foo"); # Not OK
79 open(FOO,"echo $foo|"); # Not OK, but...
80 open(FOO,"-|") || exec 'echo', $foo; # OK
82 $zzz = `echo $foo`; # Insecure, zzz tainted
84 unlink $abc,$foo; # Insecure
85 umask $foo; # Insecure
87 exec "echo $foo"; # Insecure
88 exec "echo", $foo; # Secure (doesn't use sh)
89 exec "sh", '-c', $foo; # Considered secure, alas
91 The taintedness is associated with each scalar value, so some elements
92 of an array can be tainted, and others not.
94 If you try to do something insecure, you will get a fatal error saying
95 something like "Insecure dependency" or "Insecure PATH". Note that you
96 can still write an insecure system call or exec, but only by explicitly
97 doing something like the last example above. You can also bypass the
98 tainting mechanism by referencing subpatterns--Perl presumes that if
99 you reference a substring using $1, $2, etc, you knew what you were
100 doing when you wrote the pattern:
102 $ARGV[0] =~ /^-P(\w+)$/;
103 $printer = $1; # Not tainted
105 This is fairly secure since C<\w+> doesn't match shell metacharacters.
106 Use of C</.+/> would have been insecure, but Perl doesn't check for that,
107 so you must be careful with your patterns. This is the I<ONLY> mechanism
108 for untainting user supplied filenames if you want to do file operations
109 on them (unless you make C<$E<gt>> equal to C<$E<lt>> ).
111 For "Insecure $ENV{PATH}" messages, you need to set C<$ENV{'PATH'}> to a known
112 value, and each directory in the path must be non-writable by the world.
113 A frequently voiced gripe is that you can get this message even
114 if the pathname to an executable is fully qualified. But Perl can't
115 know that the executable in question isn't going to execute some other
116 program depending on the PATH.
118 It's also possible to get into trouble with other operations that don't
119 care whether they use tainted values. Make judicious use of the file
120 tests in dealing with any user-supplied filenames. When possible, do
121 opens and such after setting C<$E<gt> = $E<lt>>. (Remember group IDs,
122 too!) Perl doesn't prevent you from opening tainted filenames for reading,
123 so be careful what you print out. The tainting mechanism is intended to
124 prevent stupid mistakes, not to remove the need for thought.
projects / p5sagit/p5-mst-13.2.git / blob