Re^4: Distro Pkg-Managed, broken Install.pm, sudo clears $PERL5LIB (sudoers)


P is for Practical
	PerlMonks

Re^4: Distro Pkg-Managed, broken Install.pm, sudo clears $PERL5LIB (sudoers)

by Crackers2 (Parson)

on Oct 01, 2010 at 23:51 UTC ( [id://863024]=note: print w/replies, xml )

Need Help??

in reply to Re^3: Distro Pkg-Managed, broken Install.pm, sudo clears $PERL5LIB (sudoers)
in thread Distro Pkg-Managed, broken Install.pm, sudo clears $PERL5LIB

But please do not make passing on PERL5LIB a default.
Why? The PERL5LIB environment variable is set up after the fact (of changing $< and $>) of getting broader permissions via sudo. So, a well thought-out privilege evelating scheme is more important than the passing of an environment variable while changing $UID, becaue you could set that very ENV var by hand, after running sudo.

^^^ What martin said. In a lot of cases the user making the sudo call does not control the code that is being called.

In that case, passing through PERL5LIB is like passing through PATH or LD_LIBRARY_PATH. Just google "sudo PATH exploit" to find plenty of examples of the trouble you can run into.

So yes, if you're sure that sudo is only used to give full shell access, then by all means go ahead and pass through PERL5LIB. In all other cases, leaving it out it probably a better idea.

Comment on Re^4: Distro Pkg-Managed, broken Install.pm, sudo clears $PERL5LIB (sudoers) Download Code

In Section Meditations

Domain Nodelet^?

www.com | www.net | www.org

Node Status^?

node history
Node Type: note [id://863024]
help

Chatterbox^?

How do I use this? • Last hour • Other CB clients

Other Users^?

Others examining the Monastery: (4)

As of 2024-04-19 21:05 GMT

Sections^?

Information^?

Find Nodes^?

Leftovers^?

Today I Learned

Voting Booth^?

No recent polls found