Re: Secure deployment of binary perl modules
by guliver (Friar) on Mar 19, 2007 at 12:49 UTC
|
| [reply] [d/l] |
|
$ perl -e 'BEGIN{ @INC=(); unshift @INC, ".", "/home/user/perl/lib"} u
+se File::Find'
Can't locate File/Find.pm in @INC (@INC contains: . /home/user/perl/li
+b) at -e line 1.
BEGIN failed--compilation aborted at -e line 1.
In the typical case, you just want to BEGIN{ unshift @INC, ... }, or use lib ... to
prepend additional search paths to the system paths that @INC
already consists of...
| [reply] [d/l] [select] |
|
You're right.
I've posted in a hurry :D.
| [reply] |
Re: Secure deployment of binary perl modules
by Moron (Curate) on Mar 19, 2007 at 13:05 UTC
|
Binary deployment can be achieved using pp.
(Update: I spotted a hidden but reasonable assumption that deployment takes place in chain from some other environment where compilers and interpreters are freely allowed).
But it is worth pointing out that for these purposes, the perl executable is not a compiler but a scripting interpreter. Assuming there is no webserver running, if it were me, I'd demand that they be consistent about it, i.e. remove /bin/ksh and /bin/sh (the erm "predecessors" of Perl :)) or they allow /usr/bin/perl - there is then zero difference from a security point of view between one scripting language and another.
Of course, they can't remove ksh and sh because that would break the system so badly it would descend into a coma never to return or reboot, requiring reinstallation of the operating system.
If the system is indeed connected to the internet, a more reasonable and far more competent security precaution would be nevertheless to restrict the execute permission of /usr/bin/perl to 750, chown it to the group where applications run and to run the webserver in a separate group.
The real incompetence is usually running webservers as root and it is ridiculous to blame Perl for the security consequences of that - i.e. it is like rearranging the deckchairs on the Titanic.
| [reply] |
|
| [reply] |
|
My sense of the original post, though it was unclear, was that the OP wanted a way to install pre-compiled modules for use with an existing perl interpreter.
In any case the PAR tools should do the trick. The OP can use PAR to create application bundles and run straight from the PAR, or he can use PAR-Dist to install them. If a general purpose perl interpreter is forbidden, as you said, he can use pp to bundle an interpreter.
| [reply] |
Re: Secure deployment of binary perl modules
by blue_cowdawg (Monsignor) on Mar 19, 2007 at 14:46 UTC
|
Due to security policy it is not possible to have compilers on our platforms in the live environment.
I've solved this issue a couple of different ways on
a number of different platforms. Let me talk about two
of those:
One environment I worked in I created a Solaris pkg file
of a standardized Perl distrobution that I engineered.
We took a development machine, put together a tree under
a directory called /usr/local/software/perl-{VERSION}
and installed all the CPAN modules we felt we needed to
standardize on there. Once that was done we used the
normal Sun packaging tools along with some cleanup
scripts to do things like link the Perl executable
into /usr/bin/perl the library tree to the right place,
etc.
In one other environment
("a major financial compnay")
AFS was the standard way of
"distributing", for a lack of better word for
it, software packages. Again, development and test machines
were employed to put the dietributions together and put
them on the AFS cells. In that environment we had many
platforms to support so some automounter tricks were
used to make sure that the right version of the
Perl trees were mounted on the machines accordingly.
AFS was laid out to accomodate the architecture differences
between the platforms and the automounter maps for them
configured accordingly.
Peter L. Berghold -- Unix Professional
Peter -at- Berghold -dot- Net; AOL IM redcowdawg Yahoo IM: blue_cowdawg
| [reply] |
|
| [reply] |
|
You shouldn't mess with the base OS,
Huh? /usr/bin/perl is an installed application like any
other and is not the OS. So, what you are telling me is
that it is better to leave a broken Perl in place than
replace it with one that works?
Let me give a really good example of why I'll put my own
copy of /usr/bin/perl in place of one that is there
already. Solaris 10 comes with a version of Perl.
Unfortunately it is compiled with Sun's own liscenced
compiler. If I just want to accept the list of CPAN
modules that Sun has so graciously supplied then that's
ok.
However, in this case our environment, which stores all
user account information in LDAP needs to have
Net::LDAP and friends installed on all the servers
for some of our user administration tools to work. Since
our LDAP servers are connected to via LDAPS and not clear
text LDAP we need the whole family of SSL related
modules compiled in as well.
None of those will work correctly if you try and compile
them with a compiler other than Sun's compiler assuming we
leave Sun's version of Perl in place.
Contractual and financial realities being what they
are on that account we are not going to be having access
to a Sun compiler anytime soon, so we use GCC.
who knows what that might break.
That's where proper engineering practices come into play.
Anything we do in our production environment has already
been done on test boxes. While we don't have the luxury
of an official Sun compiler, we do have test boxes we
can do things to before impacting production.
So, your argument of "don't mess with it" in this case
doesn't hold much water. I would agree with your
assesment if proper engineering wasn't done ahead of time
and without a good understanding of the systems and
applications involved.
Peter L. Berghold -- Unix Professional
Peter -at- Berghold -dot- Net; AOL IM redcowdawg Yahoo IM: blue_cowdawg
| [reply] |
|
|
|
Re: Secure deployment of binary perl modules
by Rhandom (Curate) on Mar 19, 2007 at 15:55 UTC
|
| [reply] |
|
| [reply] |
Re: Secure deployment of binary perl modules
by dragonchild (Archbishop) on Mar 19, 2007 at 13:11 UTC
|
You can just copy the perl binary and all of /usr/local/lib/perl5 - that should do the trick.
My criteria for good software:
- Does it work?
- Can someone else come in, make a change, and be reasonably certain no bugs were introduced?
| [reply] |
|
I understood the OP to be implying that whoever is enforcing the security policy thinks the perl binary is a compiler or is categorising it as such for security purposes.
| [reply] |
|
You've probably misunderstood then. It's a somewhat common practice to remove (or not install initially) the C compiler on machines that are exposed to the wild (e.g. on the Internet directly or in a DMZ). In this case you're in the same boat as most Wintendo users in that you don't have a compiler available to install Perl modules with a C component (then again attackers don't have a ready means to compile exploit code on the box either). Granted it's a minor speed bump (especially if you're talking a common platform), but it can be worked around (unfortunately just as easily by both the white and black hats).
| [reply] |
|
|
| [reply] [d/l] |
|
Hmmm ... maybe we should publicise this. Perl is finally a compiled language! :-)
My criteria for good software:
- Does it work?
- Can someone else come in, make a change, and be reasonably certain no bugs were introduced?
| [reply] |
Re: Secure deployment of binary perl modules
by derby (Abbot) on Mar 19, 2007 at 18:44 UTC
|
One way to handle this is to build on one machine and then use either rdist or rsync to update the others.
update: I should have said --- use the OS's preferred package mechanism to update the build machine (rpm, pkgadd, cpan, whatever ...) and then use rdist/rsync to update the others.
| [reply] |
|
And you you should have replaced rysnc/rdist with something more secure like scp/sftp.
Upate:
Ooops! I was thinking "rcp" when I read "rsync". I agree that it can be made secure. In fact Using Rsync and SSH disccuses how to use it with SSH.
I see from the rdist homepage that it has also come a long way. However as they point out many operating systems ship with a much older, insecure version. So I guess Linux users are more familair with the newer version while those of us used to e.g. Solaris are used to the older version. Looks like it is one of those things that one needs to be careful of recommending given the wide audience.
I will point out that it looks like both rsync and rdist make use of SSH for better security. So I think my original comment still has validity.
| [reply] |
|
| [reply] |