From: Garry T. Williams
Date: Mon, 4 Sep 2000 11:32:38 +0000 (-0400)
Subject: [ID 20000904.004] perlsec Manual Page Incorrect Doing "Safe Backticks"
X-Git-Url: http://git.shadowcat.co.uk/gitweb/gitweb.cgi?a=commitdiff_plain;h=e093bcf0cf7ac8078690b5226007992e026a34d0;p=p5sagit%2Fp5-mst-13.2.git

[ID 20000904.004] perlsec Manual Page Incorrect Doing "Safe Backticks"
Message-Id: <200009041532.e84FWcl12106@ifr.inside.zvolve.net>
p4raw-id: //depot/perl@7520
---
diff --git a/pod/perlsec.pod b/pod/perlsec.pod
index 16b439c..3870c2e 100644
--- a/pod/perlsec.pod
+++ b/pod/perlsec.pod
@@ -230,25 +230,31 @@ not called with a string that the shell could expand.
 This is by far the best way to call something that might be subjected to shell escapes: just never call the shell at all.
- use English;
- die "Can't fork: $!" unless defined $pid = open(KID, "-|");
- if ($pid) { # parent
- while () {
- # do something
- }
- close KID;
- } else {
- my @temp = ($EUID, $EGID);
- $EUID = $UID;
- $EGID = $GID; # initgroups() also called!
- # Make sure privs are really gone
- ($EUID, $EGID) = @temp;
- die "Can't drop privileges"
- unless $UID == $EUID && $GID eq $EGID;
- $ENV{PATH} = "/bin:/usr/bin";
- exec 'myprog', 'arg1', 'arg2'
- or die "can't exec myprog: $!";
- }
+ use English;
+ die "Can't fork: $!" unless defined($pid = open(KID, "-|"));
+ if ($pid) { # parent
+ while () {
+ # do something
+ }
+ close KID;
+ } else {
+ my @temp = ($EUID, $EGID);
+ my $orig_uid = $UID;
+ my $orig_gid = $GID;
+ $EUID = $UID;
+ $EGID = $GID;
+ # Drop privileges
+ $UID = $orig_uid;
+ $GID = $orig_gid;
+ # Make sure privs are really gone
+ ($EUID, $EGID) = @temp;
+ die "Can't drop privileges"
+ unless $UID == $EUID && $GID eq $EGID;
+ $ENV{PATH} = "/bin:/usr/bin"; # Minimal PATH.
+ # Consider sanitizing the environment even more.
+ exec 'myprog', 'arg1', 'arg2'
+ or die "can't exec myprog: $!";
+ }
 A similar strategy would work for wildcard expansion via C, although you can use C instead.
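Review bot: In the new else-branch, `$UID = $orig_uid;` and `$GID = $orig_gid;` store back into `$UID`/`$GID` the values that were just copied out of them, so as written they read as no-ops and the `# Drop privileges` comment above them does not say what they actually accomplish. Presumably the purpose is the side effect of the store — perl issues a setreuid()/setregid() with an explicit real id, which on Linux and similar systems also replaces the saved set-user-ID, and the later `($EUID, $EGID) = @temp;` probe only proves privileges are gone if that happened — but this is platform-dependent and should be confirmed against perlvar and setreuid(2) before the example presents it as reliable. I would replace the comment with `# Re-storing the (unchanged) real ids forces setreuid()/setregid() with a real id, which discards the saved set-id on most systems; the probe below checks that it did.` The carried-over `$GID eq $EGID` compares the full space-separated group lists of `$(` and `$)` rather than only the primary gids, which may be intended but is worth a word in the text so readers do not switch it to `==` without understanding the difference.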