File permission vulnerabilities and Module::Pluggable

Paul LeoNerd Evans leonerd at
Sun Jan 25 18:13:52 GMT 2009

On Tue, 20 Jan 2009 23:47:09 +0000
Simon Wistow <simon at> wrote:

> Adam 'Alias' Kennedy has written a blog post about the 2009 CWE/SANS 25 
> Most Dangerous Programming Errors

As I understand the summary, this is basically saying "It's dangerous to
load code someone else could have edited", and you're suggesting to check
against world-writable and other sorts of files, yes?

What makes Module::Pluggable any more vulnerable to that than, say,
perl's own 'use' and 'require' statements?

If my /usr/share/perl/5.10/ is world-writable, say, then I'm
already dead way before Module::Pluggable gets to run.

Incidentally, what you're looking for is called TPE: Trusted Path
Execution. The GRSecurity Linux Kernel patch has such an option for
exec() and friends, to restrict what binaries can be executed.

Paul "LeoNerd" Evans

leonerd at
ICQ# 4135350       |  Registered Linux# 179460
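
A check of the kind discussed in this message, as an added example that is not part of the original post or of Module::Pluggable: it walks every directory in @INC, the search path shared by use, require and Module::Pluggable, and reports anything on the way to it that is group- or world-writable or owned by an unexpected user. Treating only root and the current user as trusted owners is an assumption of this example.

```perl
#!/usr/bin/perl
# Added example: report @INC entries that are not on a trusted path.
use strict;
use warnings;
use Fcntl ':mode';              # S_IWGRP, S_IWOTH
use File::Basename 'dirname';
use File::Spec;

# Reasons why $path is an untrusted place to load code from.
# Assumption of this example: only root and the current user are trusted.
sub untrusted_reasons {
    my ($path) = @_;
    my @st = stat($path) or return ("cannot stat: $!");
    my ($mode, $uid) = @st[2, 4];
    my @why;
    push @why, 'world-writable' if $mode & S_IWOTH;
    push @why, 'group-writable' if $mode & S_IWGRP;
    push @why, "owned by uid $uid" unless $uid == 0 || $uid == $>;
    return @why;
}

# Check $path and every parent up to the root: a writable parent lets
# someone rename or replace the directory beneath it.
sub check_chain {
    my ($path) = @_;
    my %problems;
    my $cur = File::Spec->rel2abs($path);
    while (1) {
        my @why = untrusted_reasons($cur);
        $problems{$cur} = \@why if @why;
        my $parent = dirname($cur);
        last if $parent eq $cur;
        $cur = $parent;
    }
    return \%problems;
}

my $bad = 0;
for my $dir (grep { !ref($_) && -d $_ } @INC) {
    my $problems = check_chain($dir);
    for my $p (sort keys %$problems) {
        printf "%s: %s (on the path to \@INC entry %s)\n",
            $p, join(', ', @{ $problems->{$p} }), $dir;
        $bad++;
    }
}
print "all \@INC entries are on a trusted path\n" unless $bad;
exit($bad ? 1 : 0);
```

Permissions can change between this check and a later load, so the script reports misconfiguration rather than enforcing a trusted path.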