Phoenix.pm: Perl Question :-)

Kevin Buettner kev at primenet.com
Thu Mar 11 13:31:52 CST 1999


On Mar 10,  9:50pm, Peter J Jones wrote:

>     Last night I was about to lay down for the night when it just hit
> me, ya know, like when God just reveals something to you (does that ever
> happen to you?). Let me explain...
> 
>     I am in the middle of a Perl script that uses the allow and deny
> principles that other Unix programs do, like cron. If there is an allow
> file your username must be in it and if there is a deny file your
> username must not be there. After I read and parse the config file I
> "push" allow and deny usernames onto an array. Here is what hit me. What
> would prevent a user from starting the script up with "perl -d script"
> and then "push"ing their username onto the allow array and then typing
> "c"? Now don't get me wrong, this is not a script that runs suid or is
> really a security concern, what concerns me is how would I make
> debugging a Perl script not an option to users so that if need be I
> could write a truly secure Perl script that uses this allow and deny
> principle?
> 
>     I wanted to write you guys and gals to find out what you would do...

I don't know how to stop a perl script from being run in the debugger.

But let's look at it from another angle.  Suppose you wrote your program
in C or C++.  Would it then be secure?  No!  And for the same reasons;
I can still run the program in the debugger... when it comes time to
examine the allow / deny files (or however you have it stored), you
could simply change the program counter to skip these checks.  (Stripping
the symbols makes the problem harder, but not insurmountable.)

If you want set up a perl script which only allows some people to run
it and not others, you might want to create a group with just those
folks in it.  Then do a "chmod o-x,g+x" on it.

Kevin

-- 
Kevin Buettner
kev at primenet.com



More information about the Phoenix-pm mailing list