Document the deprecatedness of suidperl.

p4raw-id: //depot/perl@10102

diff --git a/INSTALL b/INSTALL
index 8deb1a8..373a860 100644 (file)
--- a/INSTALL
+++ b/INSTALL
@@ -1414,6 +1414,26 @@ Study also how other non-UNIX ports have solved problems.
 
 =back
 
+=head1 suidperl
+
+suiperl is an optional component, which is built or installed by default.
+From perlfaq1:
+
+       On some systems, setuid and setgid scripts (scripts written
+        in the C shell, Bourne shell, or Perl, for example, with the
+        set user or group ID permissions enabled) are insecure due to
+        a race condition in the kernel. For those systems, Perl versions
+        5 and 4 attempt to work around this vulnerability with an optional
+        component, a special program named suidperl, also known as sperl.
+        This program attempts to emulate the set-user-ID and set-group-ID
+        features of the kernel.
+
+Because of the buggy history of suidperl, and the difficulty
+of properly security auditing as large and complex piece of
+software as Perl, we cannot recommend using suidperl and the feature
+should be considered deprecated.
+Instead use for example 'sudo': http://www.courtesan.com/sudo/
+
 =head1 make depend
 
 This will look for all the includes.  The output is stored in makefile.

diff --git a/pod/perlfaq1.pod b/pod/perlfaq1.pod
index e9ac168..ad18626 100644 (file)
--- a/pod/perlfaq1.pod
+++ b/pod/perlfaq1.pod
@@ -306,6 +306,10 @@ In August 2000 in all Linux distributions a new security problem was
 found in the optional 'suidperl' (not built or installed by default)
 in all the Perl branches 5.6, 5.005, and 5.004, see
 http://www.cpan.org/src/5.0/sperl-2000-08-05/
+Perl maintenance releases 5.6.1 and 5.8.0 have this security hole closed.
+Most, if not all, Linux distribution have patches for this
+vulnerability available, see http://www.linuxsecurity.com/advisories/ ,
+but the most recommendable way is to upgrade to at least Perl 5.6.1.
 
 =head1 AUTHOR AND COPYRIGHT