CPAN security (Re: PERL scripts (again))

CPAN security (Re: PERL scripts (again))

Post by Nick K » Sun, 09 Jul 2000 04:00:00



[ crossposted from uk.comp.os.linux ]




> > [ want a webpage counter ]
> perl -MCPAN -e shell

[ aside: I'd have thought it a job for a simple script rather than a module,
  and would recommend a visit to Randal's webtechniques ]

I have a problem with CPAN on any *x distro I've encountered.

More precisely, I have a problem with running a root process that installs
software over the 'net, without my inspecting it on the way.  There are
any number of possible attacks - compromising a CPAN site, or compromising
DNS and substituting a fake CPAN site - that could trash the system.
MD5 checksums don't protect against that, because an attacker could
substitute their own (a PGP/GPG-style signature from a trusted CPAN
librarian could fix this).

My own fix for this is to install the whole of Perl as a non-privileged
user.  This is painless, and works fine, and limits the potential damage
any would-be CPAN-trojan can do.  I'd suggest Jason and other distro-
packagers should make this standard.

I'd also like to see Perl itself refuse to run as root without explicitly
forcing it (via some commandline flag).  But that's another story.

--
Nick Kew

Peninsular Penguin - Linux in the SouthWest
http://www.pen-pen.co.uk/


CPAN security (Re: PERL scripts (again))

Post by Tim Hayn » Sun, 09 Jul 2000 04:00:00



> I have a problem with CPAN on any *x distro I've encountered.

> More precisely, I have a problem with running a root process that
> installs software over the 'net, without my inspecting it on the way.
> There are any number of possible attacks - compromising a CPAN site, or
> compromising DNS and substituting a fake CPAN site - that could trash the
> system.  MD5 checksums don't protect against that, because an attacker
> could substitute their own (a PGP/GPG-style signature from a trusted CPAN
> librarian could fix this).

This is true. I've occasionally wondered how long it would take before
someone realised the MD5sums weren't the same as the original source, for
any/all the things one downloads & installs. A bit like the "open-source is
more secure because everyone audits it before installing it" nonsense; we
all know we're lazy twerps (typically)...

> My own fix for this is to install the whole of Perl as a non-privileged
> user.  This is painless, and works fine, and limits the potential damage
> any would-be CPAN-trojan can do.  I'd suggest Jason and other distro-
> packagers should make this standard.

> I'd also like to see Perl itself refuse to run as root without explicitly
> forcing it (via some commandline flag).  But that's another story.

Good ideas. Creating a perl user? suidperl? All sorts of fun things could
be done there.

FWIW: I used to use Jason's method above for installing modules from CPAN,
but then I got qualms about running the *whole* thing as root in order to
automate the installation. And by the time I'd worked out how to do it in
two phases, I might as well've done it by hand - so that's what I do! (If I
have to, that is. Debian has a few perl CPAN modules as packages as it is,
eg DBI/DBD, Pg interaction...)

~Tim
--
| Geek Code: GCS dpu s-:+ a-- C++++ UBLUAVHSC++++ P+++ L++ E--- W+++(--) N++
| w--- O- M-- V-- PS PGP++ t--- X+(-) b D+ G e++(*) h++(*) r--- y-          
| The sun is melting over the hills,         | http://piglet.is.dreaming.org/



CPAN security (Re: PERL scripts (again))

Post by Abiga » Sun, 09 Jul 2000 04:00:00



MCMXCIII in <URL::">

''
'' > My own fix for this is to install the whole of Perl as a non-privileged
'' > user.  This is painless, and works fine, and limits the potential damage
'' > any would-be CPAN-trojan can do.  I'd suggest Jason and other distro-
'' > packagers should make this standard.

Yes, but CPAN doesn't generally install in the main distribution; things
get typically installed in .../site_perl. You could just make site_perl
owned by some other user, and install modules from CPAN as that other user.

'' FWIW: I used to use Jason's method above for installing modules from CPAN,
'' but then I got qualms about running the *whole* thing as root in order to
'' automate the installation. And by the time I'd worked out how to do it in
'' two phases, I might as well've done it by hand - so that's what I do! (If I
'' have to, that is. Debian has a few perl CPAN modules as packages as it is,
'' eg DBI/DBD, Pg interaction...)

Yet another way is to build everything automatically as some non-root
user, and when it's all built, inspect and run 'make install' by hand.

Of course, the entire point of CPAN.pm is to do everything automatically.
If you don't want to fetch/build/install automatically, the simplest
thing to do is to not do it. The existence of CPAN.pm certainly does
not prevent you from doing it the good old way of ftp, tar -x, perl
Makefile.PL, make, make test, make install.

I never install perl as root. I tend to use a user "camel" for that.

Abigail
--
perl -we 'print split /(?=(.*))/s => "Just another Perl Hacker\n";'


CPAN security (Re: PERL scripts (again))

Post by Nick K » Sun, 09 Jul 2000 04:00:00





>  You could just make site_perl
> owned by some other user, and install modules from CPAN as that other user.

Indeed you could.  Perhaps the paranoid approach would be to define two
non-privileged users for perl-core and perl-extra.

> Yet another way is to build everything automatically as some non-root
> user, and when it's all built, inspect and run 'make install' by hand.

I do that for _every_ package - excepting only those that come from an
installation CD or that I wrote myself.  Where possible, I also install
non-root - and that includes my own software too ;-)


> I never install perl as root. I tend to use a user "camel" for that.

So we have agreement on installing non-root.

My quibble is that this _isn't_ the installation default with any *x
I've encountered.  Maybe the likes of bastille-linux or openbsd do this?

--
Nick Kew

Site Valet - the essential service for anyone with a Website.
Now available at <URL:http://valet.webthing.com/>
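
The two ideas the thread converges on, checking a download against something other than the mirror's own checksum file and building as an unprivileged user before any manual 'make install', as an added example that is not code from any post here nor from CPAN.pm. The function names, the scratch-directory layout, the "Demo-1.00" distribution and the attacker step are all constructed for the illustration; md5sum is used because MD5 is what the thread discusses, and a digest recorded out of band stands in for the signature from a trusted key that Nick proposes.

```shell
#!/bin/sh
# Added illustration, not code from the thread or from CPAN.pm. It mimics a
# two-phase, non-root module install and shows why a CHECKSUMS file that
# travels with the tarball cannot detect a substituted tarball, while a digest
# obtained out of band (standing in for a signature from a trusted key) can.
set -u

# Building untrusted code should happen as an unprivileged user.
# $1: effective uid (passed as a parameter so it can be checked in isolation)
refuse_root() { [ "$1" -ne 0 ]; }

md5_of() { md5sum "$1" | cut -d' ' -f1; }

# Regenerate CHECKSUMS for every tarball in a mirror directory, in
# "digest  filename" format. An honest mirror and an attacker do the same thing.
write_checksums() { ( cd "$1" && md5sum *.tar > CHECKSUMS ); }

# Check 1: tarball against the mirror's own CHECKSUMS. This passes even when
# both files were replaced together, because both come from the same source.
# $1: tarball path  $2: CHECKSUMS path
verify_against_mirror() {
    expected=$(awk -v f="$(basename "$1")" '$2 == f { print $1 }' "$2")
    [ -n "$expected" ] && [ "$expected" = "$(md5_of "$1")" ]
}

# Check 2: tarball against a digest the operator recorded from an independent
# source (the role a detached signature from a trusted key would play).
# $1: tarball path  $2: pinned digest
verify_against_pin() { [ "$2" = "$(md5_of "$1")" ]; }

# Phase 2: unpack as the current (non-root) user and stop. Inspecting the tree
# and running perl Makefile.PL / make / make test / make install stays manual.
# $1: tarball path  $2: scratch directory
stage_build() {
    refuse_root "$(id -u)" || { echo "refusing to build as root" >&2; return 1; }
    mkdir -p "$2" && tar -xf "$1" -C "$2" && echo "unpacked into $2; inspect before installing"
}

# Constructed scenario: an honest mirror, then the same mirror after an
# attacker replaced the tarball and regenerated CHECKSUMS to match.
# Prints "mirror=<pass|fail> pin=<pass|fail>" for the tampered tarball.
checks_after_tamper() {
    work=$(mktemp -d) || return 1
    mirror="$work/mirror"; dist="$work/src/Demo-1.00"
    mkdir -p "$mirror" "$dist/lib"
    printf 'package Demo; 1;\n' > "$dist/lib/Demo.pm"
    tar -cf "$mirror/Demo-1.00.tar" -C "$work/src" Demo-1.00
    write_checksums "$mirror"
    pin=$(md5_of "$mirror/Demo-1.00.tar")   # recorded out of band while the mirror was honest

    # Mirror compromise (or DNS pointing at a fake mirror): the content changes
    # and CHECKSUMS is rewritten so the two still agree.
    printf 'package Demo; our $TAMPERED = 1; 1;\n' > "$dist/lib/Demo.pm"
    tar -cf "$mirror/Demo-1.00.tar" -C "$work/src" Demo-1.00
    write_checksums "$mirror"

    m=fail; p=fail
    verify_against_mirror "$mirror/Demo-1.00.tar" "$mirror/CHECKSUMS" && m=pass
    verify_against_pin "$mirror/Demo-1.00.tar" "$pin" && p=pass
    rm -rf "$work"
    echo "mirror=$m pin=$p"
}

checks_after_tamper
```

Running it prints "mirror=pass pin=fail": the co-hosted CHECKSUMS file is satisfied by the substituted tarball, only the independently obtained digest notices. The same circularity applies to any digest fetched from the place being verified, which is why the thread's suggestion of a signature by a key you already trust, rather than a checksum, is the right shape of fix; stage_build then keeps the build itself away from root so whatever does slip through has the least to work with.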


CPAN security (Re: PERL scripts (again))

Post by Nick K » Sun, 09 Jul 2000 04:00:00





>    A bit like the "open-source is
> more secure because everyone audits it before installing it" nonsense; we
> all know we're lazy twerps (typically)...

We have give-and-take there.  I scrutinise some programs with more care
than others, and if I encounter something I'm unhappy about I'll either
work it out in full or post " ... what's this about ... " on some
appropriate newsgroup.  And the key to open-source security is that
I know thousands of others will do the same.

A corollary to this is that a hugely popular program, such as Perl,
will get more scrutiny than some specialized application, and can
therefore be somewhat more trusted.  But that still doesn't mean giving
it more privileges than it needs.

Of course, a similar argument applies to many other packages.
The extreme case is qmail, with its seven different UIDs and two GIDs!

--
Nick Kew

Peninsular Penguin - Linux in the SouthWest.
http://www.pen-pen.co.uk/


1. Execute a sh script under perl and sh: sh script; perl script?

I can execute the following perl scripts under either shell or Perl
====

        if 0;
[perl scripts ...]
====
i.e.
sh script
perl script

How do I execute a sh script under either shell or Perl,
similar to what is shown above?

Thanks.
--
Michael Wang

http://www.mindspring.com/~mwang    
