how to make passwd.pl secure? 
Author Message
 how to make passwd.pl secure?

Me again with this chunk from the passwd.pl available from CPAN
under scripts/nutshell/ch6/.  

[...]

open(BADPATS,$BADPATS);             # $BADPATS defined above as a flat
                                    # file in a nonwritable dir (/usr/dict)
while (<BADPATS>) {
    ($badpat,$maybe) = split(/[\n\t]+/);
    ($response = $maybe) =~ s/'/\\'/ if $maybe;
    $foo .= "return '$response' if /$badpat/;\n";

Quote:
}

close BADPATS;
$foo .= 'return 0;}';
eval $foo;              # Note: this defines sub badpats
[...]

Okay, so here's a subroutine being refined at runtime.  Here are my
questions:

1) Why is it necessary to do this?  Why not just push the words in the
   $BADPATS file into the same array with /usr/dict/words for checking?
   [see script for that one]

2) If it is necessay, how can I do this and make it secure enough for
   setuid?  

Thanks for your help and patience.

-fil
___________________________________________________________________________
Fil Krohnengold    |  UNIX Systems Admin, Interdepartmental Laboratories




Thu, 24 Feb 2000 03:00:00 GMT  
 how to make passwd.pl secure?


Quote:
> Subject: how to make passwd.pl secure?
> Me again with this chunk from the passwd.pl available from CPAN
> under scripts/nutshell/ch6/.  
> eval $foo;              # Note: this defines sub badpats
> Okay, so here's a subroutine being refined at runtime.  Here are my
> questions:

> 1) Why is it necessary to do this?  Why not just push the words in the
>    $BADPATS file into the same array with /usr/dict/words for checking?

The regexps need to be compiled; it's more efficient to compile each one
once rather than every time through the loop.

Quote:
> 2) If it is necessay, how can I do this and make it secure enough for
>    setuid?

You need taint checking, and that's hare to retrofit. Think of it as a
house built out of radioactive bricks: It's best to rebuild the whole
thing. The only real way to make a script like that secure is to,
essentially, rewrite the whole thing with 'use strict', -T and -w. A lot
of work, of course, but worth it for security.

The other day, I posted a way to use a sub to compile a regexp; you could
use that method to make the above eval unnecessary (while using a safer
one instead).

Good luck!

--
Tom Phoenix           http://www.teleport.com/~rootbeer/

Randal Schwartz Case:  http://www.rahul.net/jeffrey/ovs/
              Ask me about Perl trainings!



Fri, 25 Feb 2000 03:00:00 GMT  
 
 [ 2 post ] 

 Relevant Pages 

1. Q: Making secure dependencies in setuid programs?

2. Making my subroutine more secure and efficient?

3. anyone got a pl for secure html page??

4. passwd.pl

5. Comm.pl and passwd

6. chat2.pl and passwd AIX problem

7. passwd.pl?

8. chat2.pl from perl/lib, passwd ???

9. edit /etc/passwd with pl

10. Making executables from .pl files?

11. Has anyone ever made Comm.pl work?

12. Making a PL file and/or distributing a program

 

 
Powered by phpBB® Forum Software