[Melbourne-pm] how to pass a filehandle to an external binary

Paul Fenwick pjf at perltraining.com.au
Sun Feb 13 05:11:00 PST 2005

G'day David,

David Dick wrote:

> anyone know a more secure way / different secure way of interacting with 
> external binaries? or any issues with this approach?


Twiddling the close-on-exec flag and passing the filehandle using the /dev/fd/X 
naming convention is the most straightforward method I've seen on systems that 
support it.  It's the method that I've been recommending in Perl Training 
Australia's "Perl Security" course (http://perltraining.com.au/perlsec.html).

You can also use Perl's built-in fileno() to get the filehandle number, and this 
  also works with temporary anonymous files opened with Perl's 
'open(FH,"+>",undef)' call.

External processes can use files on /dev/fd/X for both reading and writing. 
This means you can call something like a system("/usr/bin/vi /dev/fd/X") to 
allow a user to view and edit a temporary anonymous file.  Just make sure you 
rewind the filehandle when they're done if you want to read back the changes.

The downside to the method you've described is it can't be used on systems 
without /dev/fd conventions, which includes some Unix-flavoured systems.  I know 
that OpenSSH with privilege separation uses some deep magic to pass a PTY to an 
already opened process, but I haven't checked to see how it does so.  That may 
also be system dependent.  See http://niels.xtdnet.nl/papers/privsep.pdf for 
more information.

It's unlikely that OpenSSH-style magic is going to help you unless the process 
on the other end is ready to perform some magic to receive the filehandle.



Paul Fenwick <pjf at perltraining.com.au> | http://perltraining.com.au/
Director of Training                   | Ph:  +61 3 9354 6001
Perl Training Australia                | Fax: +61 3 9354 2681
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 250 bytes
Desc: OpenPGP digital signature
Url : http://mail.pm.org/pipermail/melbourne-pm/attachments/20050214/a80d0c90/signature.bin

More information about the Melbourne-pm mailing list