Interesting Perl bug I hit today
Andrew Savige
ajsavige at yahoo.com.au
Thu May 8 02:34:08 CDT 2003
Paul Fenwick wrote:
> I discovered an interesting Perl bug involving setuid today,
> tested under 5.6.1.
<description of bug snipped>
I noticed this in Perl 5.8.0 perldelta:
"After years of trying, suidperl is considered to be too complex to
ever be considered truly secure. The suidperl functionality is likely
to be removed in a future release."
Not being a security expert, I'm confused. All the suidperl security
warnings have scared me off and I have resorted to using the
"C wrapper" technique described near the end of perlsec.
Is there truly a safe alternative to the "C wrapper" technique?
When I have asked this question before, people have told me to go
use sudo, which is OK in-house, but unattractive if you want the
script to run at hundreds of sites (which may not have sudo).
/-\
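
An added illustration of the "C wrapper" technique the message refers to (not code from the post or from perlsec): perlsec's wrapper simply calls execv() on a script path fixed at compile time, and this version additionally replaces the inherited environment before the exec. The script path and the TZ/LANG allowlist are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Assumption: hypothetical script path; root-owned, not writable by others. */
#define REAL_SCRIPT "/usr/local/libexec/example-task.pl"
#define SAFE_PATH   "PATH=/usr/bin:/bin"
#define ENV_CAP     8

/* Assumed allowlist: names the caller may pass through (values stay untrusted). */
static const char *const KEEP[] = { "TZ=", "LANG=", NULL };

/* Build a minimal environment: a fixed PATH plus the first occurrence of each
 * allowlisted variable. Everything else (LD_PRELOAD, PERL5LIB, PERL5OPT, IFS,
 * the caller's PATH, ...) is dropped. Returns entry count, or -1 if out[] is full. */
int build_clean_env(char *const *inherited, char **out, size_t cap)
{
    size_t n = 0;
    if (cap < 2) return -1;
    out[n++] = (char *)SAFE_PATH;
    for (size_t k = 0; KEEP[k]; k++) {
        size_t len = strlen(KEEP[k]);
        for (char *const *e = inherited; e && *e; e++) {
            if (strncmp(*e, KEEP[k], len) == 0) {
                if (n + 1 >= cap) return -1;   /* keep room for the NULL */
                out[n++] = *e;
                break;                          /* ignore later duplicates */
            }
        }
    }
    out[n] = NULL;
    return (int)n;
}

int main(int argc, char **argv)
{
    extern char **environ;
    char *clean[ENV_CAP];
    if (argc < 1) return 111;                   /* refuse an empty argv */
    if (build_clean_env(environ, clean, ENV_CAP) < 0) return 111;
    /* The path is fixed at compile time; the caller cannot choose what runs. */
    argv[0] = (char *)REAL_SCRIPT;
    execve(REAL_SCRIPT, argv, clean);
    perror("execve");                           /* reached only on failure */
    return 111;
}
```

Only the compiled wrapper carries the setuid bit; the script does not, and Perl enables taint mode by itself when the real and effective IDs differ.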