Date:      Fri, 11 Aug 2000 13:58:24 -0700
From:      Peter Wemm <peter@netplex.com.au>
To:        dima@rdy.com
Cc:        Christopher Masto <chris@netmonger.net>, "Chris D. Faulhaber" <jedgar@fxp.org>, Warner Losh <imp@FreeBSD.org>, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject:   Re: cvs commit: src/gnu/usr.bin/perl Makefile 
Message-ID:  <200008112058.NAA92441@netplex.com.au>
In-Reply-To: <200008112020.NAA18859@sivka.rdy.com> 

Dima Ruban wrote:
> Christopher Masto writes:
> > On Fri, Aug 11, 2000 at 02:29:37PM -0400, Chris D. Faulhaber wrote:
> > > > >   Don't build suidperl by default.  Make users specifically enable it
> > > > >   building.
> > > > 
> > > > Umm.. isn't that a bit of a radical change?  Any reason for it?
> > > 
> > > Any reason against it?  Given the security hole found under Linux and
> > > potential problems of Yet Another Suid Binary, it seems a good
> > > idea.  Also, see the recent discussions on FreeBSD-security.
> > 
> > The reason against it is that it's a standard part of Perl, and a very
> > useful one.  Without it, those who install from binary, or don't know
> > to set this option, will not be able to run setuid Perl programs.
> > Since Perl has some features specifically designed to aid in writing
> > secure setuid programs, removing suidperl could actually cause a
> > revenge effect and end up resulting in _more_ security holes.
> 
> How do you see that resulting in _more_ security holes?
> If /usr/bin/suidperl doesn't exist and some program refers to it, it will
> give you "command not found" (or similar) message.

Because people start writing setuid "#! /bin/suidsh -p" scripts instead.
And that is outright suicidal as it is guaranteed exploitable.  It is also
the very reason that suidperl exists.

Cheers,
-Peter
--
Peter Wemm - peter@FreeBSD.org; peter@yahoo-inc.com; peter@netplex.com.au
"All of this is for nothing if we don't go to the stars" - JMS/B5
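The Perl features for setuid programs that Christopher mentions are taint mode and its untainting rules. As an added example that is not part of this thread, the following script shows that discipline; the log directory and the helper are hypothetical:

```perl
#!/usr/bin/perl -T
# Added example (not from the thread): the taint-mode discipline a setuid
# Perl program relies on. Prints one user-named file from a fixed directory.
use strict;
use warnings;

# Taint mode refuses to run external commands while the environment is
# untrusted, so the program pins the environment down first.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Command-line arguments are tainted. The only way to untaint is to match
# an explicit allow-list pattern and use just the captured part.
sub untaint_name {
    my ($raw) = @_;
    my ($name) = $raw =~ /^([A-Za-z0-9_.-]{1,64})$/
        or die "refusing unexpected file name\n";
    # The pattern above still admits "." and "..", so reject them here.
    die "refusing path traversal\n" if $name =~ /^\.\.?$/;
    return $name;
}

my $name = untaint_name($ARGV[0] // '');
my $path = "/var/log/myapp/$name";   # hypothetical directory

# Opening the file directly involves no shell at all. Had the raw
# $ARGV[0] been handed to system() or a piped open instead, taint mode
# would die with "Insecure dependency" before anything executed.
open my $fh, '<', $path or die "cannot open $path: $!\n";
print while <$fh>;
close $fh;
```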