From: Ted Zlatanov <[EMAIL PROTECTED]>
   Date: Fri, 02 Jun 2006 14:41:48 -0400

   On  2 Jun 2006, [EMAIL PROTECTED] wrote:

   > > The Unix login process can be subverted by sudo (not to mention that
   > > $USER can be set to anything, as others pointed out).  You should
   > > always request a password if security is a concern.  Don't trust the
   > > UID or environment . . .
   >
   > I don't understand.  The environment is certainly untrustworthy, but how
   > (in the absence of an OS bug) would an attacker change the effective UID
   > without login credentials?

   There are many more ways to attack a system from the inside than from
   the outside.  For example, you know the exact OS version, library
   versions, file locations, etc.

True, but we are given that all users have shell access, with all of the
security problems that entails.

   If an attacker has sudo, forget it, effective UID can be anything.

Also true, but by definition, you can't do anything about an attacker
who can get a root shell.  It's certainly not a problem that a puny
little Perl script can fix.

   > But what are you going to do with that password?  Compare it to some
   > database and then die if it fails?  That is sound for CGI, but not for a
   > perl script that is run from the shell.  What if an attacker edits the
   > script and changes the "die" to "warn"?

   Of course, if the user can edit the script, he can do anything with
   it, but I would hope the script is not setuid root (or accessible via
   sudo).  If that's not the case, the user can only make the script do
   the things he could do from the command line anyway.

Yes, and that is exactly as it should be.  You can't prevent them from
doing less, and if you try to allow more (e.g. via sperl), you may
accidentally permit more than you intended.

   > But this turns out to be academic in this case.  

   Well, it's an interesting discussion even if it's not directly useful
   to the OP.  I hope someone else finds it useful.

I hope so too.

                                        -- Bob
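The point made above about $USER versus the real UID can be seen directly. The following Perl script is an added example for this archive page, not code posted in the thread; the helper names and the fallback to $LOGNAME are my own choices.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Identity as the kernel reports it: the real UID ($<) and the
# effective UID ($>), resolved to login names via the passwd database.
sub kernel_identity {
    my $real = getpwuid($<) // "uid=$<";
    my $eff  = getpwuid($>) // "uid=$>";
    return ($real, $eff);
}

# Identity as the environment claims it: whatever the caller chose to
# put in $USER (or $LOGNAME); no component of the OS verifies this.
sub claimed_identity {
    return $ENV{USER} // $ENV{LOGNAME} // '(unset)';
}

my ($real, $eff) = kernel_identity();
my $claimed      = claimed_identity();

printf "environment claims: %s\n", $claimed;
printf "kernel reports:     real=%s effective=%s\n", $real, $eff;

# A mismatch shows why a script must not use $ENV{USER} for any
# decision that matters; the real UID is what login actually granted.
if ($claimed ne $real) {
    warn "\$USER ('$claimed') does not match the real UID ('$real')\n";
}

# Real and effective UIDs differ only under setuid or similar
# privilege elevation, which is worth flagging explicitly.
if ($real ne $eff) {
    warn "real and effective UIDs differ: running with elevated privileges\n";
}
```

Running it once normally and once as `USER=someone-else perl check.pl` shows the first line change while the kernel-reported line stays the same.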
 
_______________________________________________
Boston-pm mailing list
[email protected]
http://mail.pm.org/mailman/listinfo/boston-pm
