- Newsgroups: comp.lang.perl
- Path: sparky!uunet!wupost!darwin.sura.net!convex!convex!tchrist
- From: Tom Christiansen <tchrist@convex.COM>
- Subject: Re: setuid question
- Originator: tchrist@pixel.convex.com
- Sender: usenet@news.eng.convex.com (news access account)
- Message-ID: <1992Dec24.002750.11399@news.eng.convex.com>
- Date: Thu, 24 Dec 1992 00:27:50 GMT
- Reply-To: tchrist@convex.COM (Tom Christiansen)
- References: <1992Dec23.211810.9925@uvaarpa.Virginia.EDU> <1992Dec23.213406.22114@porthos.cc.bellcore.com> <1992Dec23.172428.8929@hemlock.cray.com>
- Nntp-Posting-Host: pixel.convex.com
- Organization: Convex Computer Corporation, Colorado Springs, CO
- X-Disclaimer: This message was written by a user at CONVEX Computer
- Corp. The opinions expressed are those of the user and
- not necessarily those of CONVEX.
- Lines: 17
-
- From the keyboard of roehrich@cray.com (Dean Roehrich):
- :You must go one step beyond this, actually. Taintperl will not execute
- :another process while the PATH environment variable is tainted. By using
- :absolute pathnames you really do not address the problem as far as taintperl
- :is concerned.
-
- That's due to the transitive property of insecurity. While you may well
- call a program with an absolute pathname, you have no assurance that it
- will do the same with any programs which *it* calls. In fact, they
- often do not -- check all the system() and popen() and execlp() calls.
-
- --tom
- --
- Tom Christiansen tchrist@convex.com convex!tchrist
- And don't tell me there isn't one bit of difference between null and space,
- because that's exactly how much difference there is. :-)
- --Larry Wall in <10209@jpl-devvax.JPL.NASA.GOV>
-
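The behaviour Dean describes, shown as an added example that is not part of the original thread: under taint checking, an absolute-path command is still refused while PATH is tainted, and the fix is to assign a fixed PATH rather than trust the inherited one. Assumes Perl 5's -T switch, the successor to Perl 4's taintperl, and that /bin/echo exists.

```perl
#!/usr/bin/perl -T
# Added example (not from the original post). Demonstrates why taint
# checking refuses to run a child while $ENV{PATH} is tainted, even
# when the command itself is given by absolute path, and how to untaint
# the environment before calling system().
use strict;
use warnings;

# Under -T every value inherited in %ENV is tainted. Perl refuses the
# exec because the child may itself search PATH (execlp, popen, /bin/sh),
# which is the "transitive" problem Tom points out. eval catches the
# fatal error so we can show it instead of dying here.
eval {
    system('/bin/echo', 'first attempt') == 0 or die "system: $?\n";
};
print "refused: $@" if $@;   # roughly: Insecure $ENV{PATH} while running with -T switch

# Untaint by assigning a fixed, known-good PATH rather than by filtering
# whatever the caller supplied, and drop the variables that change how
# /bin/sh and other children resolve commands.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Now the same call is allowed; list-form system() also avoids the shell.
system('/bin/echo', 'second attempt') == 0
    or die "system failed: $?\n";
```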