File permission vulnerabilities and Module::Pluggable
Paul LeoNerd Evans
leonerd at leonerd.org.uk
Sun Jan 25 18:13:52 GMT 2009
On Tue, 20 Jan 2009 23:47:09 +0000
Simon Wistow <simon at thegestalt.org> wrote:
> Adam 'Alias' Kennedy has written a blog post about the 2009 CWE/SANS 25
> Most Dangerous Programming Errors
>
> http://use.perl.org/~Alias/journal/38319

As I understand the summary, this is basically saying "It's dangerous to
load code someone else could have edited", and you're suggesting to check
against world-writable and other sorts of files, yes?

What makes Module::Pluggable any more vulnerable to that than, say,
perl's own 'use' and 'require' statements?

If my /usr/share/perl/5.10/strict.pm is world-writable, say, then I'm
already dead way before Module::Pluggable gets to run.

Incidentally, what you're looking for is called TPE; Trusted Path
Execution. The GRSecurity Linux Kernel patch has such an option for
exec() and friends; to restrict what binaries can be executed.

--
Paul "LeoNerd" Evans
leonerd at leonerd.org.uk
ICQ# 4135350 | Registered Linux# 179460
http://www.leonerd.org.uk/
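
The check discussed in this thread (not loading code that someone else could have edited), applied to the whole of @INC rather than to one plugin loader. This is an added example, not part of the original message and not code from Module::Pluggable or GRSecurity; the trust policy (owner must be root or the effective user, no group or world write bit) and the names untrusted_reason and audit_inc are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Find ();
use File::Spec;
use Fcntl qw(:mode);

# Assumed policy: only root and the user running perl may own loadable code.
my %trusted_uid = map { $_ => 1 } (0, $>);

# Return a reason string if $path could be edited by someone else,
# or undef if it passes. stat() follows symlinks, so the target is judged.
sub untrusted_reason {
    my ($path) = @_;
    my @st = stat $path or return "cannot stat: $!";
    my ($mode, $uid) = @st[2, 4];
    return "owned by uid $uid" unless $trusted_uid{$uid};
    return "world-writable"    if $mode & S_IWOTH;
    return "group-writable"    if $mode & S_IWGRP;
    return;
}

# Check every directory on @INC and every .pm/.pl file below it.
sub audit_inc {
    my (@findings, %seen);
    for my $dir (@INC) {
        next if ref $dir;                      # @INC hooks are code, not paths
        unless (File::Spec->file_name_is_absolute($dir)) {
            push @findings, "$dir: relative \@INC entry, depends on cwd";
            next;                              # reported, not walked
        }
        next unless -d $dir;
        File::Find::find({
            no_chdir => 1,                     # $_ holds the full path
            wanted   => sub {
                return unless -d $_ || /\.(?:pm|pl)\z/;
                return if $seen{$_}++;         # nested @INC dirs overlap
                my $why = untrusted_reason($_);
                push @findings, "$_: $why" if defined $why;
            },
        }, $dir);
    }
    return @findings;
}

my @bad = audit_inc();
print "$_\n" for @bad;
exit(@bad ? 1 : 0);
```

Directories above each @INC entry are not examined here; a full trusted-path check would also walk each entry's ancestors up to the root.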