Date:      Fri, 11 Aug 2000 14:41:48 -0400
From:      Christopher Masto <chris@netmonger.net>
To:        "Chris D. Faulhaber" <jedgar@fxp.org>
Cc:        Warner Losh <imp@FreeBSD.ORG>, cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG
Subject:   Re: cvs commit: src/gnu/usr.bin/perl Makefile
Message-ID:  <20000811144136.A12290@netmonger.net>
In-Reply-To: <Pine.BSF.4.21.0008111426270.98390-100000@pawn.primelocation.net>; from jedgar@fxp.org on Fri, Aug 11, 2000 at 02:29:37PM -0400
References:  <20000811141800.A14610@netmonger.net> <Pine.BSF.4.21.0008111426270.98390-100000@pawn.primelocation.net>

On Fri, Aug 11, 2000 at 02:29:37PM -0400, Chris D. Faulhaber wrote:
> > >   Don't build suidperl by default.  Make users specifically enable its
> > >   building.
> > 
> > Umm.. isn't that a bit of a radical change?  Any reason for it?
> 
> Any reason against it?  Given the security hole found under Linux and
> potential problems of Yet Another Suid Binary, it seems a good
> idea.  Also, see the recent discussions on FreeBSD-security.

The reason against it is that it's a standard part of Perl, and a very
useful one.  Without it, those who install from binary, or don't know
to set this option, will not be able to run setuid Perl programs.
Since Perl has some features specifically designed to aid in writing
secure setuid programs, removing suidperl could actually cause a
revenge effect and end up resulting in _more_ security holes.

This was a strange interaction bug in a program which is very well
inspected, has a good security reputation, was fixed very quickly, and
didn't even apply to FreeBSD.  It seems a bit of an overreaction to
disable suidperl because of it.

As Warner said on freebsd-security, if you're paranoid, you can just
delete suidperl yourself.

If this change is not backed out, I think it is important to at least
come up with an easy way to get suidperl without building from source.
We should not force this limitation on casual users.
-- 
Christopher Masto         Senior Network Monkey      NetMonger Communications
chris@netmonger.net        info@netmonger.net        http://www.netmonger.net

Free yourself, free your machine, free the daemon -- http://www.freebsd.org/
