(assuming you're running the firewall on a unix-like system)
you could create a group 'perluser' or something, and chgrp(1) the perl
binary (and other associated sharp pointy things) to the perluser group,
and chmod(1) 750 (or even 050) on the binary.  add users that need to
use perl to the perluser group.

of course, you have to decide what kind of security measures should be
wrapped around the users in the 'perluser' group - if any of them (or
root) are compromised, it is all for nothing.  even a stripped down perl
isn't good, as a simple

firewall% perl -e 'while(1) { fork() }'

will kill off the firewall reasonably quickly.  but if you remove all
unnecessary perl modules, you can limit the amount of remote damage an
intruder can do (nothing remote, if you remove IO::Socket), but you will
need to review the code that you want to run for which modules it
requires.

hope these pointers help :)
---
Joel Michael
System Administrator

Diggy Internet Services
90 Petrie Terrace
Brisbane Qld 4000
Australia

Ph: +61 7 3367 3555
Fax: +61 7 3367 3544
Mob: 0401 039 462
----- Original Message -----
From: Kempter, Lynda L. <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, March 14, 2000 1:40 PM
Subject: Perl on firewall


>
> To perl, or not to perl; that is the question.  Literally.
>
> A request has been made to install perl on the firewall.  (It
> would run some system audit routines, bring it in line with the
> rest of the internal unix systems.)  Given the choice, I'd rather
> not.  Why give the hackers yet another tool to use when they
> break into the firewall?  I wouldn't put a C compiler on the system
> for the same reason.  The argument for installing perl is that it's
> much more "secure" than something like C, and no more insecure
> than shell scripts.
>
> I'd be most grateful for opinions, pro and con, from the list.
>
> Cheers,
> Lyn
>
> <*>  [EMAIL PROTECTED]
>       "Expect me when you see me."
>
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
>
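The two measures suggested in the reply above, handing the interpreter to a dedicated group with chgrp/chmod and reviewing which modules a script pulls in before pruning the rest, as an added shell example that is not code from the original post. It assumes a GNU/Linux host with groupadd(8), usermod(8) and getent(1) for the (root-only) lockdown function; the group name 'perluser' comes from the reply, while the sample scripts and the temp-file stand-in for the perl binary are constructed here so the audit functions can run without root.

```shell
#!/bin/sh
# Added example (not from the mailing-list post). Assumes GNU/Linux tools:
# groupadd(8), usermod(8), getent(1), plus POSIX ls/chmod/chgrp/sed.

# lock_down_perl BINARY GROUP [USER...]
# Applies the scheme from the post: the interpreter is owned by a dedicated
# group, mode 0750 (rwxr-x---), and only listed users join that group.
# Needs root, so it is only defined here, never called by this script.
lock_down_perl() {
    bin="$1"; grp="$2"; shift 2
    getent group "$grp" >/dev/null 2>&1 || groupadd "$grp"
    chgrp "$grp" "$bin"
    chmod 0750 "$bin"
    for u in "$@"; do usermod -a -G "$grp" "$u"; done
}

# audit_mode FILE
# Returns 0 if FILE carries no "other" permission bits (0750 or 050 both
# pass), 1 if anyone on the box can still run it. Parses ls(1) output so it
# does not depend on GNU stat(1).
audit_mode() {
    perms=$(ls -ld "$1" | cut -c1-10)
    case "$perms" in
        ???????---) return 0 ;;
        *)          return 1 ;;
    esac
}

# list_modules SCRIPT
# Prints every module a Perl script loads through "use" or "require", one per
# line, so you can decide which ones must stay installed on the firewall.
list_modules() {
    sed -n -E 's/^[[:space:]]*(use|require)[[:space:]]+([A-Za-z_][A-Za-z0-9_:]*).*/\2/p' "$1" \
        | sort -u
}

# needs_network SCRIPT
# Returns 0 if the script depends on IO::Socket (or a module beneath it),
# i.e. it would stop working once that module is removed as the post suggests.
needs_network() {
    list_modules "$1" | grep -q '^IO::Socket'
}

# --- constructed sample inputs ---------------------------------------------
# A stand-in for /usr/bin/perl: a plain temp file whose mode we can change.
FAKE_PERL=$(mktemp)

# An audit-style script of the kind the original poster wants to run.
SAMPLE_AUDIT=$(mktemp)
cat >"$SAMPLE_AUDIT" <<'EOF'
#!/usr/bin/perl
use strict;
use File::Find;
require POSIX;
find(sub { print "$File::Find::name\n" if -u }, '/usr/bin');
EOF

# A script that would lose its network access if IO::Socket were removed.
SAMPLE_NET=$(mktemp)
cat >"$SAMPLE_NET" <<'EOF'
#!/usr/bin/perl
use strict;
use IO::Socket::INET;
my $s = IO::Socket::INET->new(PeerAddr => 'localhost', PeerPort => 25);
EOF

# --- demonstration -----------------------------------------------------------
chmod 0755 "$FAKE_PERL"
audit_mode "$FAKE_PERL" && echo "restricted" || echo "world-executable (0755)"
chmod 0750 "$FAKE_PERL"
audit_mode "$FAKE_PERL" && echo "restricted (0750)" || echo "world-executable"

for f in "$SAMPLE_AUDIT" "$SAMPLE_NET"; do
    echo "modules required by $f:"
    list_modules "$f" | sed 's/^/  /'
    if needs_network "$f"; then
        echo "  -> uses IO::Socket; breaks if that module is removed"
    fi
done
```

Run it as an ordinary user to see the audit side; lock_down_perl is the only part that touches system files and is left for root to call explicitly with the binary, the group and the user list. The module listing is a review aid, not a guarantee: scripts that load modules dynamically (string eval, Module->require) will not show up in it.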
