Date: Fri, 11 Aug 2000 12:57:52 -0600
From: Warner Losh <imp@village.org>
To: Christopher Masto <chris@netmonger.net>
Cc: "Chris D. Faulhaber" <jedgar@fxp.org>, cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG
Subject: Re: cvs commit: src/gnu/usr.bin/perl Makefile
Message-ID: <200008111857.MAA36439@harmony.village.org>
In-Reply-To: Your message of "Fri, 11 Aug 2000 14:41:48 EDT." <20000811144136.A12290@netmonger.net>
References: <20000811144136.A12290@netmonger.net> <20000811141800.A14610@netmonger.net> <Pine.BSF.4.21.0008111426270.98390-100000@pawn.primelocation.net>

In message <20000811144136.A12290@netmonger.net> Christopher Masto writes:
: The reason against it is that it's a standard part of Perl, and a very
: useful one. Without it, those who install from binary, or don't know
: to set this option, will not be able to run setuid Perl programs.

Good. I want people to have to explicitly do something before setuid
scripts of any kind will work on their system.

: Since Perl has some features specifically designed to aid in writing
: secure setuid programs, removing suidperl could actually cause a
: revenge effect and end up resulting in _more_ security holes.

They can build it from sources.

: This was a strange interaction bug in a program which is very well
: inspected, has a good security reputation, was fixed very quickly, and
: didn't even apply to FreeBSD. It seems a bit of an overreaction to
: disable suidperl because of it.

No. There's nothing in the base system that requires it. It is a
huge piece of software. Sure, the fix came quickly and didn't impact
us this time, but what other bugs are there in this huge piece of code
that will bite us in the future? This bug existed despite the
multiple reviews of perl.

: As Warner said on freebsd-security, if you're paranoid, you can just
: delete suidperl yourself.

Right. And I also am the one that made the change too :-)

: If this change is not backed out, I think it is important to at least
: come up with an easy way to get suidperl without building from source.
: We should not force this limitation on casual users.

Casual users won't have setuid perl scripts. I agree that we might
want to have a package/port that will do this to make it easier for
people that want it to add it to their system. However, I don't have
the time to do that and I really don't think there's a large demand
for it. If others want to send it to me, I'd commit it.

Side note: is there a way to create a port that builds part of the
/usr/src tree in a different than default way?

Warner

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message