Date: Fri, 11 Aug 2000 17:25:42 -0400
From: Christopher Masto <chris@netmonger.net>
To: Peter Wemm <peter@netplex.com.au>
Cc: dima@rdy.com, "Chris D. Faulhaber" <jedgar@fxp.org>, Warner Losh <imp@FreeBSD.org>, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/gnu/usr.bin/perl Makefile
Message-ID: <20000811172534.I12290@netmonger.net>
In-Reply-To: <200008112058.NAA92441@netplex.com.au>; from peter@netplex.com.au on Fri, Aug 11, 2000 at 01:58:24PM -0700
References: <200008112020.NAA18859@sivka.rdy.com> <200008112058.NAA92441@netplex.com.au>
On Fri, Aug 11, 2000 at 01:58:24PM -0700, Peter Wemm wrote:
> > > Since Perl has some features specifically designed to aid in writing
> > > secure setuid programs, removing suidperl could actually cause a
> > > revenge effect and end up resulting in _more_ security holes.
> >
> > How do you see that resulting in _more_ security holes?
> > If /usr/bin/suidperl doesn't exist and some program refers to it, it will
> > give you a "command not found" (or similar) message.
>
> Because people start writing setuid "#! /bin/suidsh -p" scripts instead.
> And that is outright suicidal as it is guaranteed exploitable. It is also
> the very reason that suidperl exists.

Exactly. I don't want to belabor the point - the suidperl issue has already
been more than resolved. But I do want to mention the book from which I
stole the phrase "revenge effect": _Why Things Bite Back: Technology and the
Revenge of Unintended Consequences_, by Edward Tenner. The cure is sometimes
worse than the disease, and this is a good book for those of us mired in
technology to read.

http://www1.fatbrain.com/asp/bookinfo/bookinfo.asp?theisbn=0679747567

-- 
Christopher Masto        Senior Network Monkey      NetMonger Communications
chris@netmonger.net        info@netmonger.net        http://www.netmonger.net

Free yourself, free your machine, free the daemon -- http://www.freebsd.org/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message
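The concern in the quoted exchange is that, without suidperl, people write setuid interpreter scripts (`#! /bin/sh -p` and the like) instead. An administrator can at least find such files on a host. The following POSIX shell function is an added example written for this archive page, not code from the thread or from FreeBSD; it assumes only `find` and `head` and lists every set-user-ID or set-group-ID regular file under a directory whose contents begin with a `#!` interpreter line.

```shell
#!/bin/sh
# find_setuid_scripts DIR
#   Print "path: shebang-line" for each regular file under DIR that has the
#   set-user-ID (4000) or set-group-ID (2000) bit and starts with "#!".
#   Setuid binaries (e.g. ELF executables) are deliberately not reported;
#   the point is to catch setuid *scripts*, which the kernel hands to an
#   interpreter and which are the case the quoted reply calls exploitable.
find_setuid_scripts() {
    dir="$1"
    find "$dir" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r f; do
        # Look at only the first two bytes so a large binary is not read.
        case "$(head -c 2 "$f" 2>/dev/null)" in
            '#!')
                line=$(head -n 1 "$f" 2>/dev/null)
                printf '%s: %s\n' "$f" "$line"
                ;;
        esac
    done
}
```

Run it as `find_setuid_scripts /usr/local/bin` (or `/`); an empty result means no setuid interpreter scripts were found under that tree.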
