--- Perrin Harkins <[EMAIL PROTECTED]> wrote:
On Wed, 2005-05-11 at 07:57 -0700, Igor Chudov wrote:
Can you be a little more specific? Are you talking about damage such as abuse of resources, or are you talking about gaining unauthorized privileges?
Possibly both. The thing is, no one uses Safe. Since no one uses it,
you can't count on it to be thoroughly debugged. Much more discussion
on it is here:
http://perlmonks.org/index.pl?node_id=430804
Thanks, Perrin. The ability of tutors to define Perl scripts is valuable, so I will dig more in this direction, being mindful of Safe.pm vulnerabilities. The main vulnerabilities of Safe that I have seen mentioned personally are related to use of bless and tie, and therefore I disabled those opcodes. I appreciate your input and I will treat Safe.pm with great caution.
What's sure is that you want to run your server in a jail/chroot environment if you plan to run untrusted code. Google for more information on this topic. There is some information on this topic in the "Practical mod_perl" book:
http://www.google.ca/search?as_q=jail&num=10&hl=en&btnG=Google+Search&as_epq=&as_oq=&as_eq=&lr=&as_ft=i&as_filetype=&as_qdr=all&as_occt=any&as_dt=i&as_sitesearch=modperlbook.org&safe=off
--
__________________________________________________________________
Stas Bekman JAm_pH ------> Just Another mod_perl Hacker
http://stason.org/ mod_perl Guide ---> http://perl.apache.org
mailto:[EMAIL PROTECTED] http://use.perl.org http://apacheweek.com
http://modperlbook.org http://apache.org http://ticketmaster.com
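An added illustration of the setup discussed in this thread (not code from any of the posters): a Safe compartment with the bless and tie opcodes masked, plus an alarm timeout for the resource-abuse case, which opcode masking does not cover. The helper name run_untrusted, the extra untie mask, the timeout value and the sample snippets are assumptions made for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Safe;

# Hypothetical helper: evaluate one untrusted snippet in a fresh compartment.
# Returns (1, value) on success or (0, error message) on refusal or failure.
sub run_untrusted {
    my ($code, $timeout) = @_;

    my $cpt = Safe->new;                # starts from the :default opcode set
    $cpt->deny(qw(bless tie untie));    # opcodes named in the thread, plus untie

    my $value = eval {
        # Masking opcodes does nothing about busy loops, so bound the run
        # time. This limits wall-clock time only, not memory use.
        local $SIG{ALRM} = sub { die "timed out after ${timeout}s\n" };
        alarm $timeout;
        my $v = $cpt->reval($code, 1);  # second argument: compile under strict
        my $e = $@;                     # reval reports failures through $@
        alarm 0;
        die $e if $e;
        $v;
    };
    my $err = $@;
    alarm 0;
    return $err ? (0, $err) : (1, $value);
}

# Constructed sample inputs, not taken from the thread.
my @samples = (
    'my @s = (70, 85, 90); my $t = 0; $t += $_ for @s; $t / @s',
    q{bless {}, 'Grader'},
    q{tie my %h, 'Some::Class'},
    'my $i = 0; $i++ while 1',
);

for my $code (@samples) {
    my ($ok, $out) = run_untrusted($code, 2);
    chomp $out if defined $out;
    printf "%-7s %s\n    => %s\n", ($ok ? 'ok' : 'failed'), $code, $out // 'undef';
}
```

The compartment and the timeout only narrow what a snippet can do inside the interpreter; the jail/chroot advice above still applies to the process as a whole.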