[27787] in Perl-Users-Digest
Perl-Users Digest, Issue: 9151 Volume: 10
daemon@ATHENA.MIT.EDU (Perl-Users Digest)
Thu Apr 13 00:05:41 2006
Date: Wed, 12 Apr 2006 21:05:04 -0700 (PDT)
From: Perl-Users Digest <Perl-Users-Request@ruby.OCE.ORST.EDU>
To: Perl-Users@ruby.OCE.ORST.EDU (Perl-Users Digest)
Perl-Users Digest Wed, 12 Apr 2006 Volume: 10 Number: 9151
Today's topics:
Re: perl MySQL using DBI - security issue <not@invalid.invalid>
Re: XS progamming question <nospam-abuse@ilyaz.org>
Digest Administrivia (Last modified: 6 Apr 01) (Perl-Users-Digest Admin)
----------------------------------------------------------------------
Date: Thu, 13 Apr 2006 10:03:36 +1000
From: Matthew Braid <not@invalid.invalid>
Subject: Re: perl MySQL using DBI - security issue
Message-Id: <e1k4gp$2j64$1@bunyip2.cc.uq.edu.au>
Not sure if it's the best way, but the way I do it is to have that data
stored in a config file that is owned by a dummy user and only readable
by that user. I then have a package that reads this data on load into
my'd variables (so even a subclass can't see them), and internally
handles the connections. So instead of using the normal DBI connection
method, you instead do something like:
$db_handle = LockedDBPackage->connect;
All programs that need the database then have to be setuid that dummy
user and then use the database package, 'drop' privs and then exit if
privs can be regained.
Problems then become:
* Taint mode is automatically on. Yeah sure its more secure, but
you'd be amazed the number of packages out there that completely bork on
the weirdest of things when taint is on. Case in point - perl/Tk's
get[Open|Save]File dialog box will not work, and you can't even
_display_ tainted text in a textbox. Usually its possible to work around
this, but in places where it isn't the Taint::Runtime module is
surprisingly handy (assuming of course you use it judiciously and don't
just turn off tainting alltogether, which I wouldn't recommend).
* While the password can't be directly accessed, should a user cause
the program to core dump they can get at it. You can add SIG traps to
stop core dumping, but that's assuming your users are just using
programs and not using libraries for their own programs.
* Allowing people to use these your DB-based code as libraries now
requires you (or whoever is in control) to vett the code since
(hopefully!) your users can't setuid their scripts to the dummy user.
This is actually probably a good thing, but slows development.
Hope this helped.
MB
John wrote:
> Hi
>
> When using MySql with Perl and use:DBI you need to supply username, password
> and database.
>
> My question is this.
>
> What is now considered the *best* method to prevent those three variables
> being accessed by outsiders?
>
> Running on a Linux server.
>
> Regards
> John
>
>
>
>
>
------------------------------
Date: Wed, 12 Apr 2006 22:50:06 +0000 (UTC)
From: Ilya Zakharevich <nospam-abuse@ilyaz.org>
Subject: Re: XS progamming question
Message-Id: <e1k06u$13ln$1@agate.berkeley.edu>
[A complimentary Cc of this posting was sent to
Ferry Bolhar
<bol@adv.magwien.gv.at>], who wrote in article <1144828463.499207@proxy.dienste.wien.at>:
> The doc says the "BEGIN blocks are compiled and executed first
> in order of appearance.
BEGIN-blocks are just shortcuts for `sub BEGIN {BLOCK}'; any sub named
BEGIN is executed *immediately* after its compilation (i.e., before
anything else which follows it is compiled). There is no other
special handling involved.
> perl -wle "sub aa {print 12} BEGIN{ delete $main::{aa} } aa()"
[translated to:]
> sub aa {
> print 12;
> }
> BEGIN {
> delete $main{aa};
> }
> aa();
%main and %main:: are two absolutely different beast (as we say it in
Russian, Pushkin and Lermontov are two different people).
> What exactly happens when Perl reads a script in, _before_ BEGIN
> blocks are compiled?
As I said, there is no difference in COMPILATION of BEGIN blocks. The
only difference is in the time of execution.
Perl reads input script line-by-line, and compiles the code it can see
immediately when a complete "statement" can be seen. When compilation
ends, the compile-tree is executed starting from its entry point.
E.g., if a module contains only subroutines, "package" declarations,
and "1;" at the end, the only thing which is executed is this "1;".
Hope this helps,
Ilya
------------------------------
Date: 6 Apr 2001 21:33:47 GMT (Last modified)
From: Perl-Users-Request@ruby.oce.orst.edu (Perl-Users-Digest Admin)
Subject: Digest Administrivia (Last modified: 6 Apr 01)
Message-Id: <null>
Administrivia:
#The Perl-Users Digest is a retransmission of the USENET newsgroup
#comp.lang.perl.misc. For subscription or unsubscription requests, send
#the single line:
#
# subscribe perl-users
#or:
# unsubscribe perl-users
#
#to almanac@ruby.oce.orst.edu.
NOTE: due to the current flood of worm email banging on ruby, the smtp
server on ruby has been shut off until further notice.
To submit articles to comp.lang.perl.announce, send your article to
clpa@perl.com.
#To request back copies (available for a week or so), send your request
#to almanac@ruby.oce.orst.edu with the command "send perl-users x.y",
#where x is the volume number and y is the issue number.
#For other requests pertaining to the digest, send mail to
#perl-users-request@ruby.oce.orst.edu. Do not waste your time or mine
#sending perl questions to the -request address, I don't have time to
#answer them even if I did know the answer.
------------------------------
End of Perl-Users Digest V10 Issue 9151
***************************************