On 10/26/02 1:25 PM, Trey Harris wrote:
Did you test this code snippet? It won't work. You can't use a numeric comparison to test for stringwise equality. (Sorry to be nitpicky, but it matters here.)
No problem.  After I pasted the Perl code in my message, it was Perl
code that I copied to the clipboard and did not copy the latest code
revision I was working on at that time.

I don't mind nitpicky, because errors do not run/work in Perl.

One of the cardinal rules of defensive programming, at least in the
Unix world, is that you shouldn't check if you can do something--you
should just try to do it.  If it fails, *then* you check to see why.
Many, many potential security problems can be avoided that way.
I know that you all do not see this side of the computer, lucky for you
all, but I was working on the Perl code for a while.  Since I am not
fluent in Perl yet, I thought I would ask the mailing list.

Now, if you want to do the check as a nicety to the user, just for
the sake of giving an error message, that's fine--though you should
do something more like

unless ($> == 0 || $< == 0) { die "You must be root" }

The use of $< and $> both will take care of the case where you're run
under sudo.  The superuser on Unix is *always* UID 0, regardless of
the username given to it.
Thanks for the above, this helped me.  I remember reading about this
comparison in one of my Perl books.

Now, even if you *do* do this check, you still must not assume that
you have or do not have any particular authority at any point later
on in the program.  Every time you attempt to do something that
requires root authority, prepare for it to fail, check for errors,
and respond appropriately.  Otherwise it may be possible to use your
program in nefarious ways.

Trey
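
The advice quoted above (attempt the operation, then inspect the failure), written out as an added example that is not part of the original message or either poster's code. The target path and the write_config helper are hypothetical; the UID check only produces a courtesy message.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Errno;    # backs the %! hash used below

# Hypothetical target path (an assumption for this example); on most
# systems only UID 0 can create a file here.
my $path = shift // '/etc/example-added.conf';

# Courtesy message only. It grants nothing and promises nothing about
# later operations. $> is the effective UID, $< the real UID.
unless ($> == 0 || $< == 0) {
    warn "Note: not running as root (real UID $<, effective UID $>)\n";
}

# Attempt the privileged operation and examine the result instead of
# predicting it. Returns (1, undef) on success or (0, reason) on failure.
sub write_config {
    my ($file, $text) = @_;
    my $fh;
    unless (open $fh, '>>', $file) {
        # %! reflects the errno left by the failed open.
        return (0, "insufficient privilege for $file: $!")
            if $!{EACCES} || $!{EPERM};
        return (0, "cannot open $file: $!");
    }
    # Every later step can fail as well (full disk, quota, I/O error).
    print {$fh} $text or return (0, "write to $file failed: $!");
    close $fh         or return (0, "close of $file failed: $!");
    return (1, undef);
}

my ($ok, $why) = write_config($path, "setting = 1\n");
die "$0: $why\n" unless $ok;
print "updated $path\n";
```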


