Re: running cpan as a nobody

2008-09-22 Thread Aristotle Pagaltzis
* Eric Wilhelm <[EMAIL PROTECTED]> [2008-09-23 07:45]:
> And anyway, having to reinstall something which is
> widely mirrored on the internet sure beats having to
> recover your own files (which, presumably, are not).

Yes, sure. But it might still mean a machine is off the
air for unplanned maintenance all of a sudden.

What I’m saying is that no matter how much you reduce
the surface area for exploits, it’s not a solution;
closing the hole in question is the solution.

Regards,
-- 
Aristotle Pagaltzis // 


Re: running cpan as a nobody

2008-09-22 Thread Eric Wilhelm
# from Aristotle Pagaltzis
# on Monday 22 September 2008 21:53:

>> Don't run them as yourself either then!
>
>I don’t like my module library disappearing *either*.

Yes, but if you set your umask, then the arbitrary code in question is 
on the CPAN and can be taken down from there.  (That's the 'front door' 
to which Schwern was referring and we've all known about it for a long 
time.)

But yes, stowpan should probably have a per-file copy+chown+chmod before 
the stow so that the library isn't writable by the 'stowpan' user.

And anyway, having to reinstall something which is widely mirrored on 
the internet sure beats having to recover your own files (which, 
presumably, are not).

--Eric
-- 
But you can never get 3n from n, ever, and if you think you can, please
email me the stock ticker of your company so I can short it.
--Joel Spolsky
---
http://scratchcomputing.com
---
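The per-file copy+chown+chmod Eric describes above, as an added POSIX shell example (not stowpan's own code): `harden_copy` copies a staged tree into the library with every write bit stripped, hands ownership to a different account (assumed `root`) when run as root, and `find_writable` lists anything in the library that an install user could still modify. The staged-tree layout and the `harden_copy`/`find_writable` names are assumptions for the example.

```shell
#!/bin/sh
# Added example, not stowpan's code. Idea: build as an unprivileged user,
# then copy each file into the library so that the install user cannot
# later modify what it installed. Two layers: modes 0444/0555 (no write
# bits at all) and, when run as root, ownership by a separate account.
# Without the chown, the owner can always chmod the file back.

# harden_copy STAGED_TREE LIBRARY_DIR [OWNER]
# Body runs in a subshell so the umask change does not leak to the caller.
harden_copy() (
    src="$1"; dst="$2"; owner="${3:-root}"   # OWNER is an assumption
    umask 022   # set per Eric's advice; install -m / chmod make it explicit
    # Directories: 0755, never group/other writable.
    find "$src" -type d -print | while IFS= read -r d; do
        rel="${d#"$src"}"
        mkdir -p "$dst/$rel"
        chmod 0755 "$dst/$rel"
    done
    # Files: install(1) copies and sets the final mode in one step.
    find "$src" -type f -print | while IFS= read -r f; do
        rel="${f#"$src"}"
        if find "$f" -perm -u=x | grep -q .; then mode=0555; else mode=0444; fi
        install -m "$mode" "$f" "$dst/$rel"
        # chown needs root; as a plain user the mode alone is the barrier.
        if [ "$(id -u)" -eq 0 ]; then chown "$owner" "$dst/$rel"; fi
    done
)

# find_writable LIBRARY_DIR [INSTALL_USER]
# Prints files writable by group/other, plus files the install user owns
# and can write. Empty output is the expected state after harden_copy.
find_writable() {
    dir="$1"; user="${2:-}"
    find "$dir" -type f \( -perm -g=w -o -perm -o=w \)
    [ -n "$user" ] && find "$dir" -type f -user "$user" -perm -u=w
    return 0
}
```

Run `find_writable /path/to/library stowpan` from cron or after each install; a non-empty listing means the install account can still alter the module library.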


Re: running cpan as a nobody

2008-09-22 Thread Aristotle Pagaltzis
* Eric Wilhelm <[EMAIL PROTECTED]> [2008-09-23 06:35]:
> Don't run them as yourself either then!

I don’t like my module library disappearing *either*.

Regards,
-- 
Aristotle Pagaltzis // 


Re: running cpan as a nobody

2008-09-22 Thread Eric Wilhelm
# from Aristotle Pagaltzis
# on Monday 22 September 2008 18:30:

>Note that while running CPAN as non-root is a good idea because
>it reduces the surface area of any exploits, it doesn’t make them
>a non-issue. I would prefer my homedir not to vanish, thank you
>very much.

Don't run them as yourself either then!

  http://scratchcomputing.com/svn/stowpan/trunk

And set your umask.  Thank you very much ;-)

--Eric
-- 
The first rule about Perl is you don't talk about Perl.
---
http://scratchcomputing.com
---