From owner-cvs-all Fri Aug 11 14:26:11 2000
Delivered-To: cvs-all@freebsd.org
Received: from lion-around.at.yiff.net (lion-around.at.yiff.net [209.54.21.199]) by hub.freebsd.org (Postfix) with ESMTP id A525D37B52C; Fri, 11 Aug 2000 14:26:06 -0700 (PDT) (envelope-from chris@netmonger.net)
Received: (from chris@localhost) by lion-around.at.yiff.net (8.9.3/8.9.3) id RAA40187; Fri, 11 Aug 2000 17:25:42 -0400 (EDT) (envelope-from chris@netmonger.net)
X-Authentication-Warning: lion-around.at.yiff.net: chris set sender to chris@netmonger.net using -f
Date: Fri, 11 Aug 2000 17:25:42 -0400
From: Christopher Masto
To: Peter Wemm
Cc: dima@rdy.com, "Chris D. Faulhaber" , Warner Losh , cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/gnu/usr.bin/perl Makefile
Message-ID: <20000811172534.I12290@netmonger.net>
References: <200008112020.NAA18859@sivka.rdy.com> <200008112058.NAA92441@netplex.com.au>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.4i
In-Reply-To: <200008112058.NAA92441@netplex.com.au>; from peter@netplex.com.au on Fri, Aug 11, 2000 at 01:58:24PM -0700
Sender: owner-cvs-all@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Fri, Aug 11, 2000 at 01:58:24PM -0700, Peter Wemm wrote:
> > > Since Perl has some features specifically designed to aid in writing
> > > secure setuid programs, removing suidperl could actually cause a
> > > revenge effect and end up resulting in _more_ security holes.
> >
> > How do you see that resulting in _more_ security holes?
> > If /usr/bin/suidperl doesn't exist and some program refers to it, it will
> > give you a "command not found" (or similar) message.
>
> Because people start writing setuid "#! /bin/suidsh -p" scripts instead.
> And that is outright suicidal as it is guaranteed exploitable. It is also
> the very reason that suidperl exists.

Exactly. I don't want to belabor the point - the suidperl issue has
already been more than resolved.
But I do want to mention the book from which I stole the phrase "revenge
effect": _Why Things Bite Back: Technology and the Revenge of Unintended
Consequences_, by Edward Tenner. The cure is sometimes worse than the
disease, and this is a good book for those of us mired in technology to
read.

http://www1.fatbrain.com/asp/bookinfo/bookinfo.asp?theisbn=0679747567

-- 
Christopher Masto         Senior Network Monkey      NetMonger Communications
chris@netmonger.net       info@netmonger.net         http://www.netmonger.net

Free yourself, free your machine, free the daemon -- http://www.freebsd.org/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message
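The setuid "#! ... -p" scripts the quoted reply warns about are worth auditing for on any host. As an added example (not code from the thread or from the FreeBSD project), a POSIX shell function that walks a directory tree and lists setuid/setgid regular files whose first two bytes are "#!", i.e. interpreter scripts carrying a privilege bit; the directories to scan are assumed to be passed as arguments:

```shell
#!/bin/sh
# Added example, not part of the original message.
# find_suid_scripts DIR...: print every setuid or setgid regular file under
# the given directories that is an interpreter script (starts with "#!").
# Such files are what a setuid "#! /bin/sh -p" script looks like on disk.
find_suid_scripts() {
    # -perm -4000: setuid bit set; -perm -2000: setgid bit set.
    find "$@" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r f; do
        # Read only the first two bytes; "#!" marks a script that the
        # kernel would hand to an interpreter rather than exec directly.
        magic=$(dd if="$f" bs=2 count=1 2>/dev/null)
        if [ "$magic" = "#!" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Count of findings, handy for a monitoring check (0 means none found).
count_suid_scripts() {
    find_suid_scripts "$@" | wc -l | tr -d ' '
}
```

Run it as `find_suid_scripts /usr/local /home` (or the whole filesystem) from a scheduled job; any hit is a file that deserves a review of why it carries a privilege bit at all.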