Hi perl and pyhton people,
Sorry for the crosspost; contrary to what's said in perl-policy and
python-policy, '.' seems to be included in module search-path. I find
it uneasy considering we have quite a few tools running as root. Is
this intentional or unintentional?
regards,
junichi
The following is a full posting I made to debian-security@lists.debian.org:
At Sat, 07 Jan 2006 21:44:24 +0900,
Junichi Uekawa wrote:
>
> Hi,
>
> > > Hi,
> > >
> > > I am wondering what the security implications of having a LOAD_PATH
> > > that includes '.' is.
> >
> > Gerenally speaking, having . in any path is a bad idea. You are correct
> > to feel uneasy about it. Can . not be prepended to the path
> > specifically if desired (as in the shell PATH=.:$PATH)? If it can, I
> > would suggest a bug filed for removal of . in path, with a README entry
> > detailing how to readd it if you want it.
>
> Somebody in @jp pointed out to me that perl and python are not much
> better in this respect, since perl and python do have '.' in their
> load paths; of course, if @INC is handled properly, it wouldn't be a threat.
>
>
> Example of a perl session:
> $ perl -e 'print "@INC\n"'
> /etc/perl /usr/local/lib/perl/5.8.7 /usr/local/share/perl/5.8.7
> /usr/lib/perl5 /usr/share/perl5 /usr/lib/perl/5.8 /usr/share/perl/5.8
> /usr/local/lib/site_perl .
>
>
>
> [12:50:30]dancer64:tmp> cat a.pl
> #!/usr/bin/perl -w
>
> BEGIN {
> eval qq {
> use ;
> };
> if ($@)
> {
> print STDERR "feature not available\n" ;
> }
> }
> [12:50:34]dancer64:tmp> ./a.pl
> feature not available
>
> If I have:
> [21:42:25]dancer64:tmp> cat .pm
> print "r00t!!\n";
> 1;
> [21:42:29]dancer64:tmp> ./a.pl
> r00t!!
>
>
>
> I haven't been able to verify I can exploit it with python, since it seems to
> be changing behavior when it's not executed as ./XXX:
>
> [12:39:00]dancer64:tmp> apt-listchanges
> Usage: apt-listchanges [options] {--apt | filename.deb ...}
> [12:39:33]dancer64:tmp> /usr/bin/apt-listchanges
> Usage: apt-listchanges [options] {--apt | filename.deb ...}
> [12:39:08]dancer64:tmp> cp /usr/bin/apt-listchanges .
> [12:39:08]dancer64:tmp> ./apt-listchanges
> hello r00t
>
> hello r00t
>
> Traceback (most recent call last):
> File "./apt-listchanges", line 218, in ?
> main()
> File "./apt-listchanges", line 44, in main
> config = apt_listchanges.Config()
> AttributeError: 'module' object has no attribute 'Config'
>
>
> [12:39:10]dancer64:tmp> cat apt_listchanges.py
> print "hello r00t\n"
>
> [12:39:23]dancer64:tmp> cat apt_pkg.py
> print "hello r00t\n"
>
>
> regards,
> junichi
>
> --
> [EMAIL PROTECTED],netfort.gr.jp} Debian Project
>
>
> --
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
>
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
