Re: CGI Perl Security
not that I know of, but I would suggest turning on tainted mode and passing all external variables through a regex.

my $documentRoot = $ENV{"DOCUMENT_ROOT"};
if (defined($documentRoot)) {
    # untaint documentRoot; only use $1 when the match succeeded,
    # otherwise $1 is undef or left over from an earlier match
    if ($documentRoot =~ m#^([\w_./+:-]+)$#) {
        $documentRoot = $1;
    } else {
        die "unexpected characters in DOCUMENT_ROOT\n";
    }
}

or something similar.

On Tue, Jul 24, 2001 at 09:41:39AM -0500, Leonard Leblanc wrote:
> Hello Everyone,
>
> I'm not quite sure if this is the right place to be posting this, but I am
> using Debian and it is a security related question.
>
> We are currently developing a new website with perl that consists of using
> the HTML::Template module. In the beginning of this script there are
> multiple constants defined which point to the template files using the
> $ENV{DOCUMENT_ROOT} environment variable.
>
> Does this present any more/less of a security risk then just hardcoding the
> entire path into the script?
>
> Thanks in advance.
>
> --
> Leonard Leblanc
> Vice President - Technology
> www.emergeknowledge.com
>
>
> --
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
>

--
Jason Thomas                                   Phone:  +61 2 6257 7111
System Administrator - UID 0                   Fax:    +61 2 6257 7311
tSA Consulting Group Pty. Ltd.                 Mobile: 0418 29 66 81
1 Hall Street Lyneham ACT 2602                 http://www.topic.com.au/
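A stricter variant of the untainting suggested above, added here as an example and not code from the thread: it accepts only an absolute DOCUMENT_ROOT made of plain path components, then resolves each template name under it and checks that the canonical path still lies below the canonical root. The template name `index.tmpl` and the use of `-f`/`-d` on the live filesystem are assumptions for the demonstration.

```perl
#!/usr/bin/perl -T
# Added example, not code from the thread: untaint DOCUMENT_ROOT strictly
# and make sure every template path resolved under it stays under it.
use strict;
use warnings;
use Cwd qw(realpath);
use File::Spec;

# Accept only an absolute path made of plain components (letters, digits,
# "_", "." and "-"); reject "." and ".." components and anything that is
# not an existing directory. The regex capture is what untaints the value.
sub untaint_document_root {
    my ($raw) = @_;
    return unless defined $raw;
    my ($clean) = $raw =~ m{^(/(?:[A-Za-z0-9_.-]+/)*[A-Za-z0-9_.-]+)$} or return;
    return if grep { $_ eq '.' || $_ eq '..' } split m{/}, $clean;
    return unless -d $clean;
    return $clean;
}

# Join a template file name to the root, then compare the canonical path
# with the canonical root so a symlink cannot point outside it.
sub template_path {
    my ($root, $name) = @_;
    my ($safe_name) = $name =~ m{^([A-Za-z0-9_.-]+\.tmpl)$} or return;
    my $candidate = File::Spec->catfile($root, $safe_name);
    return unless -f $candidate;
    my $real      = realpath($candidate);
    my $real_root = realpath($root);
    return unless defined $real && defined $real_root
               && index($real, "$real_root/") == 0;
    return $real;
}

# 'index.tmpl' is an assumed template name for the demonstration.
my $root = untaint_document_root($ENV{DOCUMENT_ROOT})
    or die "DOCUMENT_ROOT missing or unacceptable\n";
my $tmpl = template_path($root, 'index.tmpl')
    or die "no usable index.tmpl under $root\n";
print "template: $tmpl\n";
```

Run it as `perl -T script.pl` (or via the shebang) so taint checking is actually on; the resulting path can be handed to HTML::Template->new(filename => $tmpl).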
Re: umask for init
Just for further info

If you want a whole process in locking up Linux go to www.securityportal.com and select the Linux tab. In the left-hand frame, there should be a section labelled Securing Linux. Follow that to help plug further holes.

Dan Hutchinson

Dan Christensen <[EMAIL PROTECTED]> wrote:
> I read that certain kernel versions don't set the umask for init
> correctly (2.4.6 is one of them, I think). Does anyone know if
> a Debian system is susceptible to this problem, and if so, which
> files may have been created world-writable?
>
> Thanks,
>
> Dan
>
> --
> Dan Christensen
> [EMAIL PROTECTED]
>
>
> --
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
>
>
Re: umask for init
Thanks everybody, it's nice to have an active security ml

Vincenzo Ciancia

--
Nick Name - [EMAIL PROTECTED] - UIN 94982698 - Vincenzo Ciancia -
CGI Perl Security
Hello Everyone,

I'm not quite sure if this is the right place to be posting this, but I am using Debian and it is a security related question.

We are currently developing a new website with perl that consists of using the HTML::Template module. In the beginning of this script there are multiple constants defined which point to the template files using the $ENV{DOCUMENT_ROOT} environment variable.

Does this present any more/less of a security risk then just hardcoding the entire path into the script?

Thanks in advance.

--
Leonard Leblanc
Vice President - Technology
www.emergeknowledge.com
Re: umask for init
Dan Christensen <[EMAIL PROTECTED]> writes:

> No need to reboot or restart init, I think.

Actually, on second thought, rebooting is probably a good idea, since there are probably lots of processes already running with the wrong umask.

Dan
Re: umask for init
Ethan Benson <[EMAIL PROTECTED]> writes:

> neh. messing around with what /sbin/init is nasty. better solution
> is adding umask 022 to /etc/init.d/rc, using /etc/initscript (im not
> totally sure how this works rtfm...)

Here is what I put in /etc/initscript, which does the trick according to Nick Name's test in a previous message.

# Created by jdc to protect against bad umask settings in the
# kernel, e.g. kernel versions 2.4.6 and a few others.
# Init uses this to start all processes it wants to start.
# See initscript(5).
umask 022
eval exec "$4"

No need to reboot or restart init, I think.

Dan
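The question quoted earlier in this thread was which files a bad init umask might already have left world-writable. The script below is an added example, not code from the thread: it walks a set of directories and lists other-writable regular files and non-sticky directories whose ctime is newer than the boot time read from /proc/stat, which is where files created by init-started daemons with a 000 umask would show up. The default set of directories is an assumption; pass your own on the command line.

```perl
#!/usr/bin/perl
# Added example, not code from the thread: find world-writable files and
# directories touched since the last boot. World-writable sticky
# directories such as /tmp are expected and skipped.
use strict;
use warnings;
use File::Find;

# Boot time in epoch seconds from the "btime" line of /proc/stat (Linux).
sub boot_time {
    open my $fh, '<', '/proc/stat' or die "cannot read /proc/stat: $!\n";
    while (<$fh>) { return $1 if /^btime\s+(\d+)/ }
    die "no btime line in /proc/stat\n";
}

# Return paths under @roots that are other-writable (regular files, or
# directories without the sticky bit) and whose ctime is later than $since.
sub world_writable_since {
    my ($since, @roots) = @_;
    my @hits;
    find({
        no_chdir => 1,
        wanted   => sub {
            my @st = lstat $_ or return;
            return if -l _;                      # ignore symlinks themselves
            my $mode = $st[2];
            return unless $mode & 0002;          # other-writable
            return if -d _ && ($mode & 01000);   # sticky dir, e.g. /tmp
            return unless $st[10] > $since;      # ctime after boot
            push @hits, $_;
        },
    }, @roots);
    return @hits;
}

# Assumed default roots; /proc and /sys are deliberately not included.
my @roots = @ARGV ? @ARGV : ('/etc', '/var', '/usr', '/home');
my $since = boot_time();
for my $path (world_writable_since($since, @roots)) {
    printf "%s (mode %04o)\n", $path, (lstat $path)[2] & 07777;
}
```

Run it as root after applying the initscript fix and rebooting; anything it still lists was either created before the fix took effect or is world-writable on purpose and should be checked by hand.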
Out of Office AutoReply: Sea-River
Dear all,

I will be on vacation from Monday 16/07/01 and be back on Monday 30/07/01.

M. Weynants
Out of office notice: Sea-River
I am currently out of the office and will be reachable at this address again from 06.08.2001. In urgent cases, please contact my deputy Sander Jones, who can be reached at +49 (0) 651 8247 0.

E-mail address: [EMAIL PROTECTED]

Thomas Nesges
Out of Office AutoReply: Sea-River
I am currently out of the office from July 24th - July 30th. I will be returning on July 31st. If you need assistance, please contact Paul Frohardt (396-5039) or James Hatmaker (396-7936).

Thanks,
- Ryan
Sea-River
Hello, do you like fishing and the aquatic environment?
Hi, you like the fishing and the environment ?

Free, every week in French: La Lettre de Sea-River
Free, every month: La Lettre européenne de Sea-River
Free, every month: The Sea-River's European Letter
Re: umask for init
On Tue, Jul 24, 2001 at 02:24:41AM +0200, Nick Name wrote:
> More seriously, a quick fix could be, if you can't switch back 2.2.19 or
> go forward 2.4.7, to mv /sbin/init /sbin/good_init and put in /sbin/init
> a script like this, everything is untested of course:
>
> #!/bin/sh
> umask 022
> exec /sbin/good_init   # the renamed real init, not the wrapper itself

neh. messing around with what /sbin/init is nasty. better solution is adding umask 022 to /etc/init.d/rc, using /etc/initscript (im not totally sure how this works rtfm...) or patching init to call umask(022); the kernel developers seem to believe the latter is the correct solution, i tend to agree to that, but i don't agree that the kernel should start processes with a broken umask to begin with.

--
Ethan Benson
http://www.alaska.net/~erbenson/
Re: iptables logging
On Mon, 23 Jul 2001 19:27:06 dude wrote:
>
>
> On Mon, 23 Jul 2001, Jeff Coppock wrote:
> >
> >
> > > iptables -A log -j LOG --log-prefix "Rejected: " # be verbose in syslog
> > > iptables -A log -j delete # hand over package to "delete"
> >
> > What more information does log prefix add to the log?
>

Without:
Jul 23 22:55:45 aias kernel: IN=eth0 OUT <...>

With:
Jul 23 22:55:45 aias kernel: Rejected: IN=eth0 OUT <...>
                             ^
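What the prefix buys you in practice is a fixed string to key on when the kernel log is mixed with everything else. The script below is an added example, not code from the thread: it pulls iptables LOG records out of syslog lines, splits off the --log-prefix, parses the key=value fields and groups the records by prefix. The sample lines are constructed (the real lines carry many more fields).

```perl
#!/usr/bin/perl
# Added example, not code from the thread: group iptables LOG lines in a
# syslog stream by their --log-prefix. Sample lines are constructed.
use strict;
use warnings;

my @sample = (
  'Jul 23 22:55:45 aias kernel: Rejected: IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 PROTO=TCP SPT=4321 DPT=23',
  'Jul 23 22:55:46 aias kernel: IN=eth0 OUT= SRC=192.0.2.11 DST=192.0.2.1 PROTO=UDP SPT=5353 DPT=5353',
  'Jul 23 22:55:47 aias kernel: Rejected: IN=eth0 OUT= SRC=192.0.2.12 DST=192.0.2.1 PROTO=TCP SPT=1234 DPT=22',
  'Jul 23 22:55:48 aias kernel: eth0: link up',
);

# Parse one syslog line. Returns a hash ref with the prefix and the
# key=value fields, or nothing when the line is not an iptables LOG record
# (every such record starts its field list with "IN=").
sub parse_log_line {
    my ($line) = @_;
    my ($rest) = $line =~ /kernel:\s+(.*)$/ or return;
    my ($prefix, $fields) = $rest =~ /^(.*?)(IN=.*)$/ or return;
    (my $clean_prefix = $prefix) =~ s/\s+$//;
    my %rec = (prefix => $clean_prefix);
    while ($fields =~ /(\w+)=(\S*)/g) { $rec{$1} = $2 }
    return \%rec;
}

# Bucket the records by prefix; records without one land in "(no prefix)".
my %by_prefix;
for my $line (@sample) {
    my $rec = parse_log_line($line) or next;
    my $key = length $rec->{prefix} ? $rec->{prefix} : '(no prefix)';
    push @{ $by_prefix{$key} },
        "$rec->{SRC} -> $rec->{DST}:$rec->{DPT}/$rec->{PROTO}";
}
for my $prefix (sort keys %by_prefix) {
    printf "%-12s %d record(s)\n", $prefix, scalar @{ $by_prefix{$prefix} };
    print "  $_\n" for @{ $by_prefix{$prefix} };
}
```

Feed it real lines with `grep kernel: /var/log/syslog | perl script.pl` after swapping @sample for <STDIN>; without a distinct prefix per chain, the "Rejected:" bucket and the "(no prefix)" bucket cannot be told apart.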