[27787] in Perl-Users-Digest

home help back first fref pref prev next nref lref last post

Perl-Users Digest, Issue: 9151 Volume: 10

daemon@ATHENA.MIT.EDU (Perl-Users Digest)
Thu Apr 13 00:05:41 2006

Date: Wed, 12 Apr 2006 21:05:04 -0700 (PDT)
From: Perl-Users Digest <Perl-Users-Request@ruby.OCE.ORST.EDU>
To: Perl-Users@ruby.OCE.ORST.EDU (Perl-Users Digest)

Perl-Users Digest           Wed, 12 Apr 2006     Volume: 10 Number: 9151

Today's topics:
    Re: perl MySQL using DBI - security issue <not@invalid.invalid>
    Re: XS progamming question <nospam-abuse@ilyaz.org>
        Digest Administrivia (Last modified: 6 Apr 01) (Perl-Users-Digest Admin)

----------------------------------------------------------------------

Date: Thu, 13 Apr 2006 10:03:36 +1000
From: Matthew Braid <not@invalid.invalid>
Subject: Re: perl MySQL using DBI - security issue
Message-Id: <e1k4gp$2j64$1@bunyip2.cc.uq.edu.au>

Not sure if it's the best way, but the way I do it is to have that data 
stored in a config file that is owned by a dummy user and only readable 
by that user. I then have a package that reads this data on load into 
my'd variables (so even a subclass can't see them), and internally 
handles the connections. So instead of using the normal DBI connection 
method, you instead do something like:

   $db_handle = LockedDBPackage->connect;

All programs that need the database then have to be setuid that dummy 
user and then use the database package, 'drop' privs and then exit if 
privs can be regained.

Problems then become:

    * Taint mode is automatically on. Yeah sure its more secure, but 
you'd be amazed the number of packages out there that completely bork on 
the weirdest of things when taint is on. Case in point - perl/Tk's 
get[Open|Save]File dialog box will not work, and you can't even 
_display_ tainted text in a textbox. Usually its possible to work around 
this, but in places where it isn't the Taint::Runtime module is 
surprisingly handy (assuming of course you use it judiciously and don't 
just turn off tainting alltogether, which I wouldn't recommend).

    * While the password can't be directly accessed, should a user cause 
the program to core dump they can get at it. You can add SIG traps to 
stop core dumping, but that's assuming your users are just using 
programs and not using libraries for their own programs.

    * Allowing people to use these your DB-based code as libraries now 
requires you (or whoever is in control) to vett the code since 
(hopefully!) your users can't setuid their scripts to the dummy user. 
This is actually probably a good thing, but slows development.

Hope this helped.
MB

John wrote:
> Hi
> 
> When using MySql with Perl and use:DBI you need to supply username, password 
> and database.
> 
> My question is this.
> 
> What is now considered the *best* method to prevent those three variables 
> being accessed by outsiders?
> 
> Running on a Linux server.
> 
> Regards
> John
> 
> 
> 
> 
> 


------------------------------

Date: Wed, 12 Apr 2006 22:50:06 +0000 (UTC)
From:  Ilya Zakharevich <nospam-abuse@ilyaz.org>
Subject: Re: XS progamming question
Message-Id: <e1k06u$13ln$1@agate.berkeley.edu>

[A complimentary Cc of this posting was sent to
Ferry Bolhar
<bol@adv.magwien.gv.at>], who wrote in article <1144828463.499207@proxy.dienste.wien.at>:
> The doc says the "BEGIN blocks are compiled and executed first
> in order of appearance.

BEGIN-blocks are just shortcuts for `sub BEGIN {BLOCK}'; any sub named
BEGIN is executed *immediately* after its compilation (i.e., before
anything else which follows it is compiled).  There is no other
special handling involved.

>  perl -wle "sub aa {print 12} BEGIN{ delete $main::{aa} } aa()"

  [translated to:]

> sub aa {
>  print 12;
> }
> BEGIN {
>  delete $main{aa};
> }
> aa();

%main and %main:: are two absolutely different beast (as we say it in
Russian, Pushkin and Lermontov are two different people).

> What exactly happens when Perl reads a script in, _before_ BEGIN
> blocks are compiled?

As I said, there is no difference in COMPILATION of BEGIN blocks.  The
only difference is in the time of execution.

Perl reads input script line-by-line, and compiles the code it can see
immediately when a complete "statement" can be seen.  When compilation
ends, the compile-tree is executed starting from its entry point.
E.g., if a module contains only subroutines, "package" declarations,
and "1;" at the end, the only thing which is executed is this "1;".

Hope this helps,
Ilya


------------------------------

Date: 6 Apr 2001 21:33:47 GMT (Last modified)
From: Perl-Users-Request@ruby.oce.orst.edu (Perl-Users-Digest Admin) 
Subject: Digest Administrivia (Last modified: 6 Apr 01)
Message-Id: <null>


Administrivia:

#The Perl-Users Digest is a retransmission of the USENET newsgroup
#comp.lang.perl.misc.  For subscription or unsubscription requests, send
#the single line:
#
#	subscribe perl-users
#or:
#	unsubscribe perl-users
#
#to almanac@ruby.oce.orst.edu.  

NOTE: due to the current flood of worm email banging on ruby, the smtp
server on ruby has been shut off until further notice. 

To submit articles to comp.lang.perl.announce, send your article to
clpa@perl.com.

#To request back copies (available for a week or so), send your request
#to almanac@ruby.oce.orst.edu with the command "send perl-users x.y",
#where x is the volume number and y is the issue number.

#For other requests pertaining to the digest, send mail to
#perl-users-request@ruby.oce.orst.edu. Do not waste your time or mine
#sending perl questions to the -request address, I don't have time to
#answer them even if I did know the answer.


------------------------------
End of Perl-Users Digest V10 Issue 9151
***************************************


home help back first fref pref prev next nref lref last post