I was monitoring the group mail for a while a year or two ago, and kept intending to go to meetings since some of them were in Newton, where I used to work, but I never got around to it.

Now I work in Sudbury and the meetings are in Boston, so getting to them would be even harder. Nevertheless, I could try again. I haven't seen any meetings announced yet (or even much traffic on this mail list) since I signed up to start receiving it again a few days ago. Is the group less active than it was previously, what with the dot com implosion?

----- Original Message -----
From: "Paul Lussier" <[EMAIL PROTECTED]>
To: "Mark Aisenberg" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Tuesday, October 09, 2001 4:03 PM
Subject: Re: [Boston.pm] Safe execution of 1 perl prog from another?

>
> In a message dated: Tue, 09 Oct 2001 15:34:20 EDT
> "Mark Aisenberg" said:
>
> >Generally speaking, opening a powerful (root) program
> >to the internet via CGI is dangerous.
>
> I understand that. However, this is not meant to be done via the
> internet at large, rather it's a sysadmin tool meant to be used
> locally in a (relatively speaking) secure environment. The web
> server in question should never be connected to or reachable from
> the internet in any way, shape, or form.
>
> >For info on CGI security, see:
> >http://www.panix.com/~comdog/CGI_MetaFAQ.html
> >http://www.w3.org/Security/Faq/wwwsf4.html
> >and other sources you can find with Google.
>
> Ah, good, thanks for the references!
>
> >If you're not an experienced CGI programmer, you might
> >reconsider what you are doing and instead use remote
> >control software to continue to run your command line
> >program, but remotely.
>
> I wouldn't consider myself an expert CGI programmer. I've written a
> few CGI based widgets, but nothing which ever required any amount of
> security.
>
> I personally have no problem running the command line program. As
> for remote control software, all I need is ssh :)
>
> The reason for the CGI wrapper is so others who don't want to have to
> remember all the various options (and there are a lot) the command
> line tool can use don't have to. Instead, they can use a form-based
> input which runs the command with the appropriate command line
> options.
>
> >* web server breaches (IIS or Apache, e.g.)
> >* tainted user input
> >* people pretending to be authorized users
> >* info leakage from valid use to the outside world, where
> > it is picked up and used by bad guys
>
> In theory, (and I understand this all hinges on the assumption that
> the code I write is used as I intend it to be :) this CGI will never,
> ever be accessible to or from the internet. The server is intended
> to be internal to a LAN, and accessed only by a small group of Unix
> sysadmins. So, again, in theory, any maliciousness would have to
> come from the inside. So, in that way, I'm hoping to mitigate the
> amount of damage that can be done.
>
> >I've been writing CGI programs for 3 or 4 years now, and
> >typically the amount of code required for security and user
> >interface exceeds that of the core program function. I've
> >written custom modules for my own use to handle things
> >like session management (using whatever combination of
> >partial ip address, cookie data, and session ids I stick
> >in URLs and propagate from page to page), so I know
> >that the person using a form is the person who just logged in.
> >You have to plan to spend a few weeks learning and
> >implementing security code before you should feel reasonably
> >safe.
>
> I'm willing to do that, since this code is completely my own, and
> eventually will be GPL'ed (once I'm confident enough that it's worthy
> of release into the wild :) So, time isn't really an issue, and I'm
> quite interested in learning more about secure programming methods.
>
> >Again, remote control software? AT&T has a free one
> >at http://www.uk.research.att.com/vnc/start.html
>
> No, I don't really think VNC would solve the problem. SSH is already
> available, everyone has a Linux box and knows how to use SSH, they're
> just lazy and don't want to remember a bunch of command line options :)
>
> >If you're still interested, maybe we could discuss it at a
> >technical meeting of some sort (I've been planning to start
> >attending for a couple of years now...)
>
> That would be great! The last meeting I attended was before the
> group was officially the Boston Perl Mongers, Mike Stok still lived
> in the area, and a bunch of us got together at the Commonwealth
> Brewery (I think it's now Boston Beer and Fish?) for drinks.
>
> The only other person I remember being there was Lincoln Stein.
>
> So yeah, I'd be up for attending a meeting :)
> --
>
> Seeya,
> Paul
> ----
>
> God Bless America!
>
> ...we don't need to be perfect to be the best around,
> and we never stop trying to be better.
> Tom Clancy, The Bear and The Dragon
>
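Added example, not code from the thread or from Paul's tool: a Perl CGI wrapper of the kind discussed above, run under taint mode, which validates each form field against an allow-list and invokes the wrapped program with the list form of system() so no shell ever sees the input. The tool path, option names and patterns are hypothetical, and it assumes CGI.pm is installed.

```perl
#!/usr/bin/perl -T
# Hypothetical CGI wrapper: runs an admin command-line tool with options
# chosen on a web form. Under -T, perl refuses to hand unchecked form input
# to system(), so every value is validated against an allow-list pattern and
# re-captured before use.
use strict;
use warnings;
use CGI qw(param header);

$ENV{PATH} = '/usr/bin:/bin';              # taint mode requires a trusted PATH
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my $TOOL = '/usr/local/sbin/admintool';   # placeholder path for the wrapped program

# Allowed form fields and the pattern each value must match (hypothetical).
my %ALLOWED = (
    action => qr/^(status|restart|rotate)$/,
    host   => qr/^([a-z0-9][a-z0-9-]{0,62}(?:\.[a-z0-9-]+)*)$/i,
    count  => qr/^([1-9][0-9]{0,2})$/,
);

sub untaint_param {
    my ($name) = @_;
    my $raw = param($name);
    return undef unless defined $raw;
    # Capturing with the regex yields an untainted copy; anything else is rejected.
    my ($clean) = $raw =~ $ALLOWED{$name} or die "bad value for $name\n";
    return $clean;
}

sub build_argv {
    my @argv;
    for my $name (sort keys %ALLOWED) {
        my $v = untaint_param($name);
        push @argv, "--$name", $v if defined $v;
    }
    return @argv;
}

print header('text/plain');
my @argv = build_argv();
# List form of system() bypasses the shell, so metacharacters in the
# (already validated) arguments are never interpreted.
my $rc = system($TOOL, @argv);
print $rc == 0 ? "ok: $TOOL @argv\n" : "failed (exit " . ($? >> 8) . ")\n";
```

Running the script without -T, or assigning a tainted value to $ENV{PATH}, would make perl die with "Insecure dependency" at the system() call, which is the check doing its job.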
