On Fri, 24 May 2002 18:38:42 BST, Glynn Clements said: > I don't know about other Unices, but Linux deliberately doesn't > support setuid scripts (a wise move, IMHO). Perl attempts to > re-introduce the problem via the setuid "suidperl" binary, but many > sysadmins will disable that (again, a wise move, IMHO). Sorry, that was bad nomenclature on my part. When I say "CGI script" I really mean "CGI program". I guess I'm just old school and they've always been "CGI scripts" to me, even though I've never written a shell script for CGI. I write almost all my CGI in Perl and indeed the setuid Perl scripts are run by suidperl. This gives me the "taint" feature whereby I must untaint any user input -- a good feature, but certainly no cure-all. You can always untaint anything by just matching it to the regexp "/^.*$/". For a client, I developed an Untaint library that has regexps for checking phone numbers, file names (only allowing alphanumerics and decimals), file paths (checking that all directories in the path exist and are readable), 7-bit clean, and other special cases -- even the "match anything" test (I call that method Untaint::StillNotSafe). Note that if you use suEXEC to invoke a setuid Perl script, you will lose the tainted-data feature. Another reason I don't like suEXEC. I'd prefer the script bombs if I try to use untested external data. -- -- Lee E. Brotzman E-mail: lebat_private -- Allied Technology Group Phone : 814-861-5028
This archive was generated by hypermail 2b30 : Mon May 27 2002 - 15:45:23 PDT