Interesting Perl bug I hit today

Andrew Savige ajsavige at yahoo.com.au
Thu May 8 02:34:08 CDT 2003


Paul Fenwick wrote:
> 	I discovered an interesting Perl bug involving setuid today,
> tested under 5.6.1.
<description of bug snipped>

I noticed this in Perl 5.8.0 perldelta:

"After years of trying, suidperl is considered to be too complex to
ever be considered truly secure. The suidperl functionality is likely
to be removed in a future release."

Not being a security expert, I'm confused. All the suidperl security
warnings have scared me off and I have resorted to using the
"C wrapper" technique described near the end of perlsec.

Is there truly a safe alternative to the "C wrapper" technique?
When I have asked this question before, people have told me to go
use sudo, which is OK in-house, but unattractive if you want the
script to run at hundreds of sites (which may not have sudo).

/-\
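
An added example, not part of the original message and not copied from perlsec: a small setuid C wrapper of the kind the post refers to, which pins the script path and `argv[0]` and replaces the caller's environment before handing over to the script. `REAL_PATH`, `MAX_ARGS` and `build_argv` are assumptions made for illustration.

```c
/* Added example: setuid wrapper for a Perl script (not from the original post). */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical install path (assumption): absolute, root-owned,
 * and not writable by anyone else. Never taken from user input. */
#define REAL_PATH "/usr/local/libexec/example-task.pl"
#define MAX_ARGS 64   /* hypothetical cap on forwarded arguments */

/* Fixed environment for the script; nothing is inherited from the caller,
 * so variables such as PERL5LIB or a caller-chosen PATH never reach it. */
static char *const clean_env[] = { "PATH=/usr/bin:/bin", NULL };

/* Build the argument vector for the script.
 * out[0] is always REAL_PATH, whatever the caller put in argv[0];
 * argc may legitimately be 0, in which case no arguments are forwarded.
 * Returns the number of entries written, or -1 if they do not fit. */
int build_argv(int argc, char *const argv[], char *out[], int cap)
{
    int n = 0;

    if (argc < 0 || argc >= cap)   /* keep one slot for the NULL terminator */
        return -1;
    out[n++] = (char *)REAL_PATH;
    for (int i = 1; i < argc; i++)
        out[n++] = argv[i];
    out[n] = NULL;
    return n;
}

int main(int argc, char *argv[])
{
    char *args[MAX_ARGS];

    if (build_argv(argc, argv, args, MAX_ARGS) < 0) {
        fprintf(stderr, "wrapper: too many arguments\n");
        return 1;
    }
    /* The script itself is NOT setuid; only this compiled binary is.
     * Perl sees differing real and effective uids and turns on taint
     * mode by itself, so forwarded arguments still need untainting. */
    execve(REAL_PATH, args, clean_env);
    perror("wrapper: execve");     /* reached only if execve failed */
    return 127;
}
```

The wrapper narrows what the caller controls to the argument values alone; validating those remains the script's job under taint mode.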

