On Tue, 20 Jan 2009 23:47:09 +0000 Simon Wistow <si...@thegestalt.org> wrote:
> Adam 'Alias' Kennedy has written a blog post about the 2009 CWE/SANS 25
> Most Dangerous Programming Errors
>
> http://use.perl.org/~Alias/journal/38319

As I understand the summary, this is basically saying "It's dangerous to load code someone else could have edited", and you're suggesting to check against world-writable and other sorts of files, yes?

What makes Module::Pluggable any more vulnerable to that than, say, perl's own 'use' and 'require' statements? If my /usr/share/perl/5.10/strict.pm is world-writable, say, then I'm already dead way before Module::Pluggable gets to run.

Incidentally, what you're looking for is called TPE; Trusted Path Execution. The GRSecurity Linux Kernel patch has such an option for exec() and friends; to restrict what binaries can be executed.

--
Paul "LeoNerd" Evans

leon...@leonerd.org.uk
ICQ# 4135350 | Registered Linux# 179460
http://www.leonerd.org.uk/
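The kind of check discussed in this message, as an added example (not code from the thread, from Module::Pluggable, or from grsecurity): a userland audit that walks every @INC directory and every loaded module file up to the filesystem root and reports untrusted owners or group/world-writable components. The trusted-owner set (root plus the effective user) is an assumption of the example.

```perl
#!/usr/bin/perl
# Added example: audit the module search path the way a trusted-path check would.
use strict;
use warnings;
use Cwd qw(abs_path);
use File::Basename qw(dirname);
use Fcntl qw(:mode);

# Assumption: only root and the effective user are trusted owners.
my %trusted_uid = map { $_ => 1 } (0, $>);
my %seen;    # paths already examined, so shared parents are reported once

# Problems with a single file or directory (empty list if none).
sub path_problems {
    my ($path) = @_;
    my @st = stat($path) or return ("$path: cannot stat: $!");
    my ($mode, $uid) = @st[2, 4];
    my @problems;
    push @problems, "$path: owned by untrusted uid $uid" unless $trusted_uid{$uid};
    push @problems, "$path: group-writable" if $mode & S_IWGRP;
    push @problems, "$path: world-writable" if $mode & S_IWOTH;
    return @problems;
}

# Check the path and every parent up to /, because a writable parent
# lets someone replace the directory or file beneath it.
sub chain_problems {
    my ($path) = @_;
    return () unless -e $path;
    my $abs = abs_path($path) or return ("$path: cannot resolve");
    my @problems;
    while (!$seen{$abs}++) {
        push @problems, path_problems($abs);
        my $parent = dirname($abs);
        last if $parent eq $abs;    # reached the filesystem root
        $abs = $parent;
    }
    return @problems;
}

# @INC and %INC may hold code references (hooks) or undef; only real paths are checked.
my @targets  = grep { defined($_) && !ref($_) } (@INC, values %INC);
my @problems = map { chain_problems($_) } @targets;
print "$_\n" for @problems;
print "module search path looks trusted\n" unless @problems;
exit(@problems ? 1 : 0);
```

Run it under the same user and environment (PERL5LIB, -I switches) as the application being audited, since those change @INC.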