Smylers wrote:
>> I have lying around a prototype for the CPAN shell to warn the user
>> when they run it as root and offer to reconfigure itself to only su
>> for the install.  That would help plug the hole.
> 
> Yeah, that sounds good.
> 
> But only for users running CPAN, not anybody who is manually un-tar-ing
> a distribution.  I have no data for this, but I suspect those who do
> manual installs in this way are also more likely to do the whole thing
> as root, and less likely to be involved in the Perl community (such as
> knowing much about Cpan) -- and therefore most likely to get hurt by
> this, or to pick up a bad impression of Perl or its community as a
> result.

Since the perl build process is directly analogous to the autoconf build
process...

        perl Makefile.PL                        sh Configure
        make                                    make
        make test                               make check
        sudo make install                       sudo make install

...this is not a Perl problem but a general lack of basic security problem.
An admin should know to run as little as possible as root, this is dead basic
security.  Anyone who blames Perl for the admin's mistake is just looking for
someone to blame, so there's little bother in trying to convince them otherwise.

We can only keep an ignorant admin from blowing off their foot for so long.
The longer we protect them from their own ignorance the bigger the boom is
likely to be.

It's not Perl's problem, but one can pro-actively educate by adding detection
code to their Makefile.PL and build targets to warn if they're being run as
root and include instructions/points on the proper way to do an installation.
I will not put this code into MakeMaker, it's a feature, but you're welcome to
add it to your own modules and consider it for Module::Build.


-- 
39. Not allowed to ask for the day off due to religious purposes, on the
    basis that the world is going to end, more than once.
    -- The 213 Things Skippy Is No Longer Allowed To Do In The U.S. Army
           http://skippyslist.com/list/
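One way to add the root-detection warning described above to a distribution's own Makefile.PL, as an added example that is not part of the thread, MakeMaker or any real module (the module name and version are placeholders; the Win32 guard assumes `$>` is always 0 there, which I take as an assumption):

```perl
# Added example: a Makefile.PL that warns when it is run as root.
# Placeholder distribution; not MakeMaker's own code.
use strict;
use warnings;
use ExtUtils::MakeMaker;

# $> is the effective UID. On Unix-like systems 0 means root. Perl on
# Win32 reports 0 regardless (assumption), so skip the check there to
# avoid a false warning.
if ( $^O ne 'MSWin32' && $> == 0 ) {
    # Warn rather than die: building and testing work fine unprivileged,
    # and aborting would only annoy people who know what they are doing.
    warn <<'EOT';
*** WARNING: Makefile.PL is being run as root.

    Configuring, building and testing a distribution do not need root
    privileges, and doing them unprivileged limits what a buggy or
    malicious distribution can do to your system.  Only the final
    install step usually needs elevated rights:

        perl Makefile.PL
        make
        make test
        sudo make install

EOT
}

WriteMakefile(
    NAME    => 'My::Placeholder::Module',   # placeholder
    VERSION => '0.01',                      # placeholder
);
```

The same `$>` check can be repeated in a test file so that `make test` also nags when the test suite itself is run as root.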
