Fri Oct 29 10:02:09 2010: Request 62552 was acted upon.
Transaction: Correspondence added by arost
Queue: PAR-Packer
Subject: disabling taint mode (or: passing options from PERLRUN(1))
Broken in: (no value)
Severity: Wishlist
Owner: Nobody
Requestors: bitc...@post2.25u.com
Status: open
Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=62552 >
On Fri Oct 29 09:36:39 2010, RSCHUPP wrote:
> On 2010-10-29 06:47:11, arost wrote:
[...]
> > * and reviewing about 50 KLOC for securing a script on a system
> where everyone has root access anyway doesn't look like a rewarding
> activity.
>
> So don't expect us to the same job for PAR::Packer.
I absolutely don't. I'm willing to take the same risk that I take with
normal "perl -U". The problem is that PAR::pp does not allow me to do
that, since I there is not a way (?) to specify unsafe mode for pp
binaries.
> > * the script is used on systems where every user has root access
>
> Oh boy :( If that's really the case, I suggest you simply
> don't make the binary setuid, but run it under sudo instead.
We do this right now, but it leads to a mess from mixing user and root
permissions/ownerships on all input and output data of the script. I'd
really like to avoid that.
(For background: I see that a "everyone gets root" system is unusual.
The system is used for network tests, and users must be able to perform
changes to hard- and software on a regular basis.)
