http://qs321.pair.com?node_id=637504


in reply to How to answer "Perl is not secure" objections?

I have a feeling manager^3 was thinking about Perl's setuid functionality. I found this interesting (though out-dated, I believe) write-up about Perl's setuid features in context of security.

http://www.cs.cmu.edu/People/rgs/pl-suid.html

---
It's all fine and dandy until someone has to look at the code.

Replies are listed 'Best First'.
Re^2: How to answer "Perl is not secure" objections?
by mr_mischief (Monsignor) on Sep 06, 2007 at 18:54 UTC
    Of course, large projects should never be run setuid anyway. Any setuid program in any language should be as small as possible, do as little as needs to be done setuid, then hand off to non-setuid executables.
      Regardless of the problems that running SUID programs (and SUID interpreted scripts in particular) can cause, note that you need to have root permissions in order to make anything SUID root.

      I might as well claim that all languages are insecure because I could code something destructive and run it using sudo.

      These kinds of issues should, for the most part, be solved by using sane system administrator (to make the policies) and a sane OS (to enforce the policies).

        sane system administrator

        I know all those words but that phrase makes no sense . . .

        (Says the still recovering mostly-former sysadmin . . . :)