Path: utzoo!news-server.csri.toronto.edu!cs.utexas.edu!sun-barr!newstop!texsun!csccat!camdev!mmuegel
From: mmuegel@camdev.comm.mot.com (Michael S. Muegel)
Newsgroups: comp.lang.perl
Subject: Re: setuid problems when using suidscript
Message-ID: <396@camdev.comm.mot.com?>
Date: 7 Mar 91 17:00:15 GMT
References: <395@camdev.comm.mot.com?> <11684@jpl-devvax.JPL.NASA.GOV>
Organization: Cellular Infrastructure Group, Motorola, Inc., Fort Worth, Texas
Lines: 31

In article <11684@jpl-devvax.JPL.NASA.GOV> lwall@jpl-devvax.JPL.NASA.GOV (Larry Wall) writes:
>In article <395@camdev.comm.mot.com?> mmuegel@mot.com (Michael S. Muegel) writes:
>: Can anyone explain this? Basically I DO NOT want to use taintperl so
>: I thought that by using a C wrapper I could get around this.
>
>You DO SO want to use taintperl. ESPECIALLY on a script running setuid root.
>
>Not using taintperl on setuid scripts is silly, considering that taintperl
>rarely gets in your way except when it's saving your bacon. When taintperl
>tells you there's an insecure dependency, you'd better take it seriously.

You are surely right! The reason I wanted to bypass taintperl was that I did
not know how to untaint data. You see, I had done a zillion checks on user
input (I am writing a script that is totally interactive) and I felt taintperl
was getting in my way. After reading p. 254, "Untainting a Variable," I was
finally clued in on how the taint check process works. Now that I copy my user
input to a NEW variable AFTER checking it all is peachy :-).

-Mike

--
+-----------------------------------------------------------------------------+
| Mike Muegel                              | Internet: mmuegel@mot.com        |
| Software Tools Group                     | UUCP:     uunet!motcid!muegel    |
| Fort Worth Research & Development Center | Voice:    (817) 232-6129         |
| Cellular Infrastructure Group            | Fax:      (817) 232-6081         |
| Radio Telephone and Systems Group        | Mail:     5555 North Beach St.   |
| Motorola, Inc.                           |           Fort Worth, TX 76137   |
+-----------------------------------------------------------------------------+
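
The check-then-copy pattern the post describes, as an added example that is not part of the original post or anyone's code in this thread. It assumes a modern Perl run with the -T switch (the successor to the separate taintperl binary); the helper name `untaint_login`, the login-name pattern and the sample inputs are hypothetical.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Taint mode requires a trusted environment before running any command.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Hypothetical helper: return an untainted copy of $input when it is a
# plain login name, otherwise undef. Only the capture $1 is untainted;
# $input itself stays tainted however many checks it has passed.
sub untaint_login {
    my ($input) = @_;
    return undef unless defined $input;
    return $input =~ /\A([a-z_][a-z0-9_-]{0,31})\z/ ? $1 : undef;
}

# Constructed sample input. Appending a zero-length slice of the tainted
# $^X marks each literal as tainted, as if it had been read from STDIN.
my $taint   = substr($^X, 0, 0);
my @samples = map { $_ . $taint } ('alice', 'alice; echo oops', 'Bob');

for my $raw (@samples) {
    my $clean = untaint_login($raw);
    if (defined $clean) {
        printf "%-20s tainted=%d -> accepted, copy tainted=%d\n",
            "'$raw'", tainted($raw) ? 1 : 0, tainted($clean) ? 1 : 0;
        # List-form system: no shell is involved, and the argument is clean.
        system('/bin/echo', 'would act on', $clean);
    } else {
        printf "%-20s tainted=%d -> rejected\n",
            "'$raw'", tainted($raw) ? 1 : 0;
    }
}
```

Run it as `perl -T script.pl`, since Perl refuses a -T that appears only on the `#!` line when the interpreter is invoked by name. The pattern is an allow-list anchored at both ends, so the untainted copy can only ever contain characters the check explicitly permits.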