Smylers wrote:
>> I have lying around a prototype for the CPAN shell to warn the user
>> when they run it as root and offer to reconfigure itself to only su
>> for the install. That would help plug the hole.
>
> Yeah, that sounds good.
>
> But only for users running CPAN, not anybody who is manually un-tar-ing
> a distribution. I have no data for this, but I suspect those who do
> manual installs in this way are also more likely to do the whole thing
> as root, and less likely to be involved in the Perl community (such as
> knowing much about Cpan) -- and therefore most likely to get hurt by
> this, or to pick up a bad impression of Perl or its community as a
> result.

Since the perl build process is directly analogous to the autoconf build
process...

    perl Makefile.PL        sh Configure
    make                    make
    make test               make check
    sudo make install       sudo make install

...this is not a Perl problem but a general lack of basic security problem.
An admin should know to run as little as possible as root, this is dead
basic security. Anyone who blames Perl for the admin's mistake is just
looking for someone to blame, so there's little bother in trying to convince
them otherwise.

We can only keep an ignorant admin from blowing off their foot for so long.
The longer we protect them from their own ignorance the bigger the boom is
likely to be.

It's not Perl's problem, but one can pro-actively educate by adding
detection code to their Makefile.PL and build targets to warn if they're
being run as root and include instructions/points on the proper way to do
an installation. I will not put this code into MakeMaker, it's a feature,
but you're welcome to add it to your own modules and consider it for
Module::Build.

--
39. Not allowed to ask for the day off due to religious purposes, on the
    basis that the world is going to end, more than once.
    -- The 213 Things Skippy Is No Longer Allowed To Do In The U.S. Army
       http://skippyslist.com/list/
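
The root check suggested in the message above, as an added example that is not part of the original post and not MakeMaker's own code: a Makefile.PL that warns when it is configured as root and appends a rule that repeats the warning on every "make". The module name and version are placeholders, and the make-time check assumes a POSIX shell with "id".

```perl
# Makefile.PL (added example; My::Module and its version are placeholders)
use strict;
use warnings;
use ExtUtils::MakeMaker;

# $> is the effective UID; 0 is root on Unix-like systems.
# Assumption: the check is skipped on Windows, where it does not apply.
sub running_as_root { return $^O ne 'MSWin32' && $> == 0 }

if (running_as_root()) {
    warn <<'END';
*** Makefile.PL is running as root.
*** Only the install step needs root. The usual sequence is:
***     perl Makefile.PL
***     make
***     make test
***     sudo make install
END
}

WriteMakefile(
    NAME    => 'My::Module',    # placeholder
    VERSION => '0.01',          # placeholder
);

# MakeMaker appends whatever MY::postamble returns to the generated Makefile.
# pure_all is a double-colon target there, so this extra rule adds a recipe
# that runs on every "make" without replacing the stock build rules.
# Assumption: a POSIX shell with "id" is available to make.
sub MY::postamble {
    return '' if $^O eq 'MSWin32';
    my $msg = '*** make is running as root; build and test as a normal '
            . 'user, then run: sudo make install';
    return <<"END";
pure_all ::
\t\@if [ "`id -u`" = "0" ]; then echo '$msg' >&2; fi
END
}
```

Both checks only warn and never abort, so installs that genuinely need to run entirely as root still complete.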