On Thu, Jul 2, 2009 at 5:26 PM, Russ Allbery <r...@debian.org> wrote:
> Jonathan Yu <jonathan.i...@gmail.com> writes:
>
>> How to fix them? Write Perl scripts, and turn on taint checking --
>> that fixes the four issues above, because it makes the script exit if
>> any of them look dangerous. Env::Sanctify::Auto is a Perl module that
>> automatically cleans up the paths.
>>
>> My advice:
>> 1. Write scripts that might be run as root (or setuid root) using Perl
>> 2. Turn on taint checking
>> 3. Consider using Env::Sanctify::Auto (shameless plug)
>
> I would really prefer that people not start writing maintainer scripts
> in Perl as a matter of course. Perl is harder to analyze for programs
> like lintian than shell scripts (which are already hard enough).
I agree that all too often many build systems are sort of centered around Perl, and that can be a bad thing in terms of maintainability. On the other hand, I don't think Perl is always unmaintainable -- it depends on the programmer. I suppose, though, that shell scripts are simpler and thus present less of a cognitive load for programmers, so that might be why they're perceived to be more maintainable/easier to analyze.

On the other hand, you're going to run into security issues due to the aforementioned variables in any language that doesn't provide a check (like Perl's taint mode). Perhaps it could be established in Policy as a best practice to set those environment variables at the beginning of execution, and carry them throughout. Or to use a simple Perl or shell script wrapper which would clear all those variables before exec'ing the desired command. Security versus convenience is a common debate, and it's no different here.

Another option might be to break from POSIX/etc. policy (I'm not sure where these variables are defined) and patch our commands like 'cd' to simply ignore 'CDPATH' etc. But I suppose this would then require patches in all the various shells available for Debian to go against something that has been standardized for so long.

It's a contentious issue. I wish everyone all the best trying to figure it out; it's scary stuff indeed.

Cheers,

Jonathan
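A shell wrapper of the kind the message above mentions, added here as an example and not code from the thread or from Env::Sanctify::Auto. CDPATH is the variable named in the mail; treating IFS, ENV and BASH_ENV the same way, and the fixed PATH value, are assumptions of this example.

```shell
#!/bin/sh
# Added example: scrub shell-influencing environment variables before
# exec'ing a command, for scripts that may run as root.

# Default IFS is <space><tab><newline>. Command substitution strips a
# trailing newline, so append a sentinel and strip it afterwards.
_DEFAULT_IFS=$(printf ' \t\nx')
_DEFAULT_IFS=${_DEFAULT_IFS%x}

# Fixed, root-owned search path (assumed value); the caller's PATH is
# deliberately not trusted.
_SAFE_PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'

# Scrub the current shell's environment in place.
sanitize_env() {
    # CDPATH changes what 'cd' resolves to; ENV and BASH_ENV (assumed
    # additions) make sh/bash source a file at startup.
    unset CDPATH ENV BASH_ENV
    IFS=$_DEFAULT_IFS
    PATH=$_SAFE_PATH
    export PATH
}

# Report whether the dangerous settings are still present.
# Prints the offending names and returns 1 if any are found, else 0.
check_env() {
    _bad=''
    [ -n "${CDPATH+x}" ] && _bad="$_bad CDPATH"
    [ -n "${ENV+x}" ] && _bad="$_bad ENV"
    [ -n "${BASH_ENV+x}" ] && _bad="$_bad BASH_ENV"
    [ "$IFS" = "$_DEFAULT_IFS" ] || _bad="$_bad IFS"
    [ "$PATH" = "$_SAFE_PATH" ] || _bad="$_bad PATH"
    if [ -n "$_bad" ]; then
        echo "unsafe:$_bad"
        return 1
    fi
    return 0
}

# Usage: run_clean command [args...]
# Exec the command in the scrubbed environment (never returns on success).
run_clean() {
    sanitize_env
    exec "$@"
}
```

Source this file from a maintainer script and call `run_clean` in place of a bare `exec`, or call `sanitize_env` once at the top and `check_env` in a test to confirm nothing re-polluted the environment later.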