Commit | Line | Data |
---|---|---|
a0d0e21e LW |
1 | =head1 NAME |
2 | ||
3 | perlsec - Perl security | |
4 | ||
5 | =head1 DESCRIPTION | |
6 | ||
425e5e39 | 7 | Perl is designed to make it easy to program securely even when running |
8 | with extra privileges, like setuid or setgid programs. Unlike most | |
54310121 | 9 | command line shells, which are based on multiple substitution passes on |
425e5e39 | 10 | each line of the script, Perl uses a more conventional evaluation scheme |
11 | with fewer hidden snags. Additionally, because the language has more | |
54310121 | 12 | builtin functionality, it can rely less upon external (and possibly |
425e5e39 | 13 | untrustworthy) programs to accomplish its purposes. |
a0d0e21e | 14 | |
425e5e39 | 15 | Perl automatically enables a set of special security checks, called I<taint |
16 | mode>, when it detects its program running with differing real and effective | |
17 | user or group IDs. The setuid bit in Unix permissions is mode 04000, the | |
18 | setgid bit mode 02000; either or both may be set. You can also enable taint | |
5f05dabc | 19 | mode explicitly by using the B<-T> command line flag. This flag is |
425e5e39 | 20 | I<strongly> suggested for server programs and any program run on behalf of |
fb73857a | 21 | someone else, such as a CGI script. Once taint mode is on, it's on for |
22 | the remainder of your script. | |
a0d0e21e | 23 | |
1e422769 | 24 | While in this mode, Perl takes special precautions called I<taint |
25 | checks> to prevent both obvious and subtle traps. Some of these checks | |
26 | are reasonably simple, such as verifying that path directories aren't | |
27 | writable by others; careful programmers have always used checks like | |
28 | these. Other checks, however, are best supported by the language itself, | |
fb73857a | 29 | and it is these checks especially that contribute to making a set-id Perl |
425e5e39 | 30 | program more secure than the corresponding C program. |
31 | ||
fb73857a | 32 | You may not use data derived from outside your program to affect |
33 | something else outside your program--at least, not by accident. All | |
34 | command line arguments, environment variables, locale information (see | |
d929ce6f | 35 | L<perllocale>), results of certain system calls (readdir(), |
41d6edb2 JH |
36 | readlink(), the variable of shmread(), the messages returned by |
37 | msgrcv(), the password, gcos and shell fields returned by the | |
38 | getpwxxx() calls), and all file input are marked as "tainted". | |
39 | Tainted data may not be used directly or indirectly in any command | |
40 | that invokes a sub-shell, nor in any command that modifies files, | |
b7ee89ce AP |
41 | directories, or processes, B<with the following exceptions>: |
42 | ||
43 | =over 4 | |
44 | ||
45 | =item * | |
46 | ||
ee556d55 | 47 | If you pass more than one argument to either C<system> or C<exec>, |
bbd7eb8a RD |
48 | the arguments are checked for taintedness B<but> the operation will still |
49 | be attempted, emitting an optional warning. This will be fatal in a | |
50 | future version of perl so do not rely on it to bypass the tainting | |
51 | mechanism. | |
b7ee89ce AP |
52 | |
53 | =item * | |
54 | ||
55 | Arguments to C<print> and C<syswrite> are B<not> checked for taintedness. | |
56 | ||
7f6513c1 JH |
57 | =item * |
58 | ||
59 | Symbolic methods | |
60 | ||
61 | $obj->$method(@args); | |
62 | ||
63 | and symbolic sub references | |
64 | ||
65 | &{$foo}(@args); | |
66 | $foo->(@args); | |
67 | ||
68 | are not checked for taintedness. This requires extra carefulness | |
69 | unless you want external data to affect your control flow. Unless | |
70 | you carefully limit what these symbolic values are, people are able | |
71 | to call functions B<outside> your Perl code, such as POSIX::system, | |
72 | in which case they are able to run arbitrary external code. | |
73 | ||
b7ee89ce AP |
74 | =back |
75 | ||
ee556d55 MG |
76 | The value of an expression containing tainted data will itself be |
77 | tainted, even if it is logically impossible for the tainted data to | |
78 | affect the value. | |
79 | ||
d929ce6f JH |
80 | Because taintedness is associated with each scalar value, some |
81 | elements of an array can be tainted and others not. | |
a0d0e21e | 82 | |
a0d0e21e LW |
83 | For example: |
84 | ||
425e5e39 | 85 | $arg = shift; # $arg is tainted |
86 | $hid = $arg, 'bar'; # $hid is also tainted | |
87 | $line = <>; # Tainted | |
8ebc5c01 | 88 | $line = <STDIN>; # Also tainted |
89 | open FOO, "/home/me/bar" or die $!; | |
90 | $line = <FOO>; # Still tainted | |
a0d0e21e | 91 | $path = $ENV{'PATH'}; # Tainted, but see below |
425e5e39 | 92 | $data = 'abc'; # Not tainted |
a0d0e21e | 93 | |
425e5e39 | 94 | system "echo $arg"; # Insecure |
bbd7eb8a RD |
95 | system "/bin/echo", $arg; # Allowed but considered insecure |
96 | # (Perl doesn't know about /bin/echo) | |
425e5e39 | 97 | system "echo $hid"; # Insecure |
98 | system "echo $data"; # Insecure until PATH set | |
a0d0e21e | 99 | |
425e5e39 | 100 | $path = $ENV{'PATH'}; # $path now tainted |
a0d0e21e | 101 | |
54310121 | 102 | $ENV{'PATH'} = '/bin:/usr/bin'; |
c90c0ff4 | 103 | delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'}; |
a0d0e21e | 104 | |
425e5e39 | 105 | $path = $ENV{'PATH'}; # $path now NOT tainted |
106 | system "echo $data"; # Is secure now! | |
a0d0e21e | 107 | |
425e5e39 | 108 | open(FOO, "< $arg"); # OK - read-only file |
109 | open(FOO, "> $arg"); # Not OK - trying to write | |
a0d0e21e | 110 | |
bbd7eb8a | 111 | open(FOO,"echo $arg|"); # Not OK |
425e5e39 | 112 | open(FOO,"-|") |
bbd7eb8a | 113 | or exec 'echo', $arg; # Allowed but not really OK |
a0d0e21e | 114 | |
425e5e39 | 115 | $shout = `echo $arg`; # Insecure, $shout now tainted |
a0d0e21e | 116 | |
425e5e39 | 117 | unlink $data, $arg; # Insecure |
118 | umask $arg; # Insecure | |
a0d0e21e | 119 | |
bbd7eb8a RD |
120 | exec "echo $arg"; # Insecure |
121 | exec "echo", $arg; # Allowed but considered insecure | |
425e5e39 | 122 | exec "sh", '-c', $arg; # Considered secure, alas! |
a0d0e21e | 123 | |
3a4b19e4 GS |
124 | @files = <*.c>; # insecure (uses readdir() or similar) |
125 | @files = glob('*.c'); # insecure (uses readdir() or similar) | |
7bac28a0 | 126 | |
3f7d42d8 JH |
127 | # In Perl releases older than 5.6.0 the <*.c> and glob('*.c') would |
128 | # have used an external program to do the filename expansion; but in | |
129 | # either case the result is tainted since the list of filenames comes | |
130 | # from outside of the program. | |
131 | ||
ee556d55 MG |
132 | $bad = ($arg, 23); # $bad will be tainted |
133 | $arg, `true`; # Insecure (although it isn't really) | |
134 | ||
a0d0e21e | 135 | If you try to do something insecure, you will get a fatal error saying |
62f468fc | 136 | something like "Insecure dependency" or "Insecure $ENV{PATH}". Note that you |
425e5e39 | 137 | can still write an insecure B<system> or B<exec>, but only by explicitly |
bbd7eb8a RD |
138 | doing something like the "considered secure" example above. This will not |
139 | be possible in a future version of Perl. | |
425e5e39 | 140 | |
141 | =head2 Laundering and Detecting Tainted Data | |
142 | ||
3f7d42d8 JH |
143 | To test whether a variable contains tainted data, and whose use would |
144 | thus trigger an "Insecure dependency" message, you can use the | |
145 | tainted() function of the Scalar::Util module, available in your | |
146 | nearby CPAN mirror, and included in Perl starting from the release 5.8.0. | |
147 | Or you may be able to use the following I<is_tainted()> function. | |
425e5e39 | 148 | |
149 | sub is_tainted { | |
61890e45 | 150 | return ! eval { eval("#" . substr(join("", @_), 0, 0)); 1 }; |
425e5e39 | 151 | } |
152 | ||
153 | This function makes use of the fact that the presence of tainted data | |
154 | anywhere within an expression renders the entire expression tainted. It | |
155 | would be inefficient for every operator to test every argument for | |
156 | taintedness. Instead, the slightly more efficient and conservative | |
157 | approach is used that if any tainted value has been accessed within the | |
158 | same expression, the whole expression is considered tainted. | |
159 | ||
5f05dabc | 160 | But testing for taintedness gets you only so far. Sometimes you have just |
425e5e39 | 161 | to clear your data's taintedness. The only way to bypass the tainting |
54310121 | 162 | mechanism is by referencing subpatterns from a regular expression match. |
425e5e39 | 163 | Perl presumes that if you reference a substring using $1, $2, etc., that |
164 | you knew what you were doing when you wrote the pattern. That means using | |
165 | a bit of thought--don't just blindly untaint anything, or you defeat the | |
a034a98d DD |
166 | entire mechanism. It's better to verify that the variable has only good |
167 | characters (for certain values of "good") rather than checking whether it | |
168 | has any bad characters. That's because it's far too easy to miss bad | |
169 | characters that you never thought of. | |
425e5e39 | 170 | |
171 | Here's a test to make sure that the data contains nothing but "word" | |
172 | characters (alphabetics, numerics, and underscores), a hyphen, an at sign, | |
173 | or a dot. | |
174 | ||
54310121 | 175 | if ($data =~ /^([-\@\w.]+)$/) { |
425e5e39 | 176 | $data = $1; # $data now untainted |
177 | } else { | |
178 | die "Bad data in $data"; # log this somewhere | |
179 | } | |
180 | ||
5f05dabc | 181 | This is fairly secure because C</\w+/> doesn't normally match shell |
425e5e39 | 182 | metacharacters, nor are dot, dash, or at going to mean something special |
183 | to the shell. Use of C</.+/> would have been insecure in theory because | |
184 | it lets everything through, but Perl doesn't check for that. The lesson | |
185 | is that when untainting, you must be exceedingly careful with your patterns. | |
19799a22 | 186 | Laundering data using regular expression is the I<only> mechanism for |
425e5e39 | 187 | untainting dirty data, unless you use the strategy detailed below to fork |
188 | a child of lesser privilege. | |
189 | ||
a034a98d DD |
190 | The example does not untaint $data if C<use locale> is in effect, |
191 | because the characters matched by C<\w> are determined by the locale. | |
192 | Perl considers that locale definitions are untrustworthy because they | |
193 | contain data from outside the program. If you are writing a | |
194 | locale-aware program, and want to launder data with a regular expression | |
195 | containing C<\w>, put C<no locale> ahead of the expression in the same | |
196 | block. See L<perllocale/SECURITY> for further discussion and examples. | |
197 | ||
3a52c276 CS |
198 | =head2 Switches On the "#!" Line |
199 | ||
200 | When you make a script executable, in order to make it usable as a | |
201 | command, the system will pass switches to perl from the script's #! | |
54310121 | 202 | line. Perl checks that any command line switches given to a setuid |
3a52c276 | 203 | (or setgid) script actually match the ones set on the #! line. Some |
54310121 | 204 | Unix and Unix-like environments impose a one-switch limit on the #! |
3a52c276 | 205 | line, so you may need to use something like C<-wU> instead of C<-w -U> |
54310121 | 206 | under such systems. (This issue should arise only in Unix or |
207 | Unix-like environments that support #! and setuid or setgid scripts.) | |
3a52c276 | 208 | |
425e5e39 | 209 | =head2 Cleaning Up Your Path |
210 | ||
1fef88e7 | 211 | For "Insecure C<$ENV{PATH}>" messages, you need to set C<$ENV{'PATH'}> to a |
1e422769 | 212 | known value, and each directory in the path must be non-writable by others |
213 | than its owner and group. You may be surprised to get this message even | |
214 | if the pathname to your executable is fully qualified. This is I<not> | |
215 | generated because you didn't supply a full path to the program; instead, | |
216 | it's generated because you never set your PATH environment variable, or | |
217 | you didn't set it to something that was safe. Because Perl can't | |
218 | guarantee that the executable in question isn't itself going to turn | |
219 | around and execute some other program that is dependent on your PATH, it | |
54310121 | 220 | makes sure you set the PATH. |
a0d0e21e | 221 | |
a3cb178b GS |
222 | The PATH isn't the only environment variable which can cause problems. |
223 | Because some shells may use the variables IFS, CDPATH, ENV, and | |
224 | BASH_ENV, Perl checks that those are either empty or untainted when | |
225 | starting subprocesses. You may wish to add something like this to your | |
226 | setid and taint-checking scripts. | |
227 | ||
228 | delete @ENV{qw(IFS CDPATH ENV BASH_ENV)}; # Make %ENV safer | |
229 | ||
a0d0e21e LW |
230 | It's also possible to get into trouble with other operations that don't |
231 | care whether they use tainted values. Make judicious use of the file | |
232 | tests in dealing with any user-supplied filenames. When possible, do | |
fb73857a | 233 | opens and such B<after> properly dropping any special user (or group!) |
234 | privileges. Perl doesn't prevent you from opening tainted filenames for reading, | |
a0d0e21e LW |
235 | so be careful what you print out. The tainting mechanism is intended to |
236 | prevent stupid mistakes, not to remove the need for thought. | |
237 | ||
425e5e39 | 238 | Perl does not call the shell to expand wild cards when you pass B<system> |
239 | and B<exec> explicit parameter lists instead of strings with possible shell | |
240 | wildcards in them. Unfortunately, the B<open>, B<glob>, and | |
54310121 | 241 | backtick functions provide no such alternate calling convention, so more |
242 | subterfuge will be required. | |
425e5e39 | 243 | |
244 | Perl provides a reasonably safe way to open a file or pipe from a setuid | |
245 | or setgid program: just create a child process with reduced privilege who | |
246 | does the dirty work for you. First, fork a child using the special | |
247 | B<open> syntax that connects the parent and child by a pipe. Now the | |
248 | child resets its ID set and any other per-process attributes, like | |
249 | environment variables, umasks, current working directories, back to the | |
250 | originals or known safe values. Then the child process, which no longer | |
251 | has any special permissions, does the B<open> or other system call. | |
252 | Finally, the child passes the data it managed to access back to the | |
5f05dabc | 253 | parent. Because the file or pipe was opened in the child while running |
425e5e39 | 254 | under less privilege than the parent, it's not apt to be tricked into |
255 | doing something it shouldn't. | |
256 | ||
54310121 | 257 | Here's a way to do backticks reasonably safely. Notice how the B<exec> is |
425e5e39 | 258 | not called with a string that the shell could expand. This is by far the |
259 | best way to call something that might be subjected to shell escapes: just | |
fb73857a | 260 | never call the shell at all. |
cb1a09d0 | 261 | |
a1ce9542 | 262 | use English '-no_match_vars'; |
e093bcf0 GW |
263 | die "Can't fork: $!" unless defined($pid = open(KID, "-|")); |
264 | if ($pid) { # parent | |
265 | while (<KID>) { | |
266 | # do something | |
267 | } | |
268 | close KID; | |
269 | } else { | |
270 | my @temp = ($EUID, $EGID); | |
271 | my $orig_uid = $UID; | |
272 | my $orig_gid = $GID; | |
273 | $EUID = $UID; | |
274 | $EGID = $GID; | |
275 | # Drop privileges | |
276 | $UID = $orig_uid; | |
277 | $GID = $orig_gid; | |
278 | # Make sure privs are really gone | |
279 | ($EUID, $EGID) = @temp; | |
280 | die "Can't drop privileges" | |
281 | unless $UID == $EUID && $GID eq $EGID; | |
282 | $ENV{PATH} = "/bin:/usr/bin"; # Minimal PATH. | |
283 | # Consider sanitizing the environment even more. | |
284 | exec 'myprog', 'arg1', 'arg2' | |
285 | or die "can't exec myprog: $!"; | |
286 | } | |
425e5e39 | 287 | |
fb73857a | 288 | A similar strategy would work for wildcard expansion via C<glob>, although |
289 | you can use C<readdir> instead. | |
425e5e39 | 290 | |
291 | Taint checking is most useful when although you trust yourself not to have | |
292 | written a program to give away the farm, you don't necessarily trust those | |
293 | who end up using it not to try to trick it into doing something bad. This | |
fb73857a | 294 | is the kind of security checking that's useful for set-id programs and |
425e5e39 | 295 | programs launched on someone else's behalf, like CGI programs. |
296 | ||
297 | This is quite different, however, from not even trusting the writer of the | |
298 | code not to try to do something evil. That's the kind of trust needed | |
299 | when someone hands you a program you've never seen before and says, "Here, | |
300 | run this." For that kind of safety, check out the Safe module, | |
301 | included standard in the Perl distribution. This module allows the | |
302 | programmer to set up special compartments in which all system operations | |
303 | are trapped and namespace access is carefully controlled. | |
304 | ||
305 | =head2 Security Bugs | |
306 | ||
307 | Beyond the obvious problems that stem from giving special privileges to | |
fb73857a | 308 | systems as flexible as scripts, on many versions of Unix, set-id scripts |
425e5e39 | 309 | are inherently insecure right from the start. The problem is a race |
310 | condition in the kernel. Between the time the kernel opens the file to | |
fb73857a | 311 | see which interpreter to run and when the (now-set-id) interpreter turns |
425e5e39 | 312 | around and reopens the file to interpret it, the file in question may have |
313 | changed, especially if you have symbolic links on your system. | |
314 | ||
315 | Fortunately, sometimes this kernel "feature" can be disabled. | |
316 | Unfortunately, there are two ways to disable it. The system can simply | |
fb73857a | 317 | outlaw scripts with any set-id bit set, which doesn't help much. |
318 | Alternately, it can simply ignore the set-id bits on scripts. If the | |
425e5e39 | 319 | latter is true, Perl can emulate the setuid and setgid mechanism when it |
320 | notices the otherwise useless setuid/gid bits on Perl scripts. It does | |
321 | this via a special executable called B<suidperl> that is automatically | |
54310121 | 322 | invoked for you if it's needed. |
425e5e39 | 323 | |
fb73857a | 324 | However, if the kernel set-id script feature isn't disabled, Perl will |
325 | complain loudly that your set-id script is insecure. You'll need to | |
326 | either disable the kernel set-id script feature, or put a C wrapper around | |
425e5e39 | 327 | the script. A C wrapper is just a compiled program that does nothing |
328 | except call your Perl program. Compiled programs are not subject to the | |
fb73857a | 329 | kernel bug that plagues set-id scripts. Here's a simple wrapper, written |
425e5e39 | 330 | in C: |
331 | ||
332 | #define REAL_PATH "/path/to/script" | |
54310121 | 333 | main(ac, av) |
425e5e39 | 334 | char **av; |
335 | { | |
336 | execv(REAL_PATH, av); | |
54310121 | 337 | } |
cb1a09d0 | 338 | |
54310121 | 339 | Compile this wrapper into a binary executable and then make I<it> rather |
340 | than your script setuid or setgid. | |
425e5e39 | 341 | |
425e5e39 | 342 | In recent years, vendors have begun to supply systems free of this |
343 | inherent security bug. On such systems, when the kernel passes the name | |
fb73857a | 344 | of the set-id script to open to the interpreter, rather than using a |
425e5e39 | 345 | pathname subject to meddling, it instead passes I</dev/fd/3>. This is a |
346 | special file already opened on the script, so that there can be no race | |
347 | condition for evil scripts to exploit. On these systems, Perl should be | |
348 | compiled with C<-DSETUID_SCRIPTS_ARE_SECURE_NOW>. The B<Configure> | |
349 | program that builds Perl tries to figure this out for itself, so you | |
350 | should never have to specify this yourself. Most modern releases of | |
351 | SysVr4 and BSD 4.4 use this approach to avoid the kernel race condition. | |
352 | ||
0325b4c4 JH |
353 | Prior to release 5.6.1 of Perl, bugs in the code of B<suidperl> could |
354 | introduce a security hole. | |
68dc0745 | 355 | |
356 | =head2 Protecting Your Programs | |
357 | ||
358 | There are a number of ways to hide the source to your Perl programs, | |
359 | with varying levels of "security". | |
360 | ||
361 | First of all, however, you I<can't> take away read permission, because | |
362 | the source code has to be readable in order to be compiled and | |
363 | interpreted. (That doesn't mean that a CGI script's source is | |
364 | readable by people on the web, though.) So you have to leave the | |
5a964f20 TC |
365 | permissions at the socially friendly 0755 level. This lets |
366 | people on your local system only see your source. | |
68dc0745 | 367 | |
5a964f20 | 368 | Some people mistakenly regard this as a security problem. If your program does |
68dc0745 | 369 | insecure things, and relies on people not knowing how to exploit those |
370 | insecurities, it is not secure. It is often possible for someone to | |
371 | determine the insecure things and exploit them without viewing the | |
372 | source. Security through obscurity, the name for hiding your bugs | |
373 | instead of fixing them, is little security indeed. | |
374 | ||
83df6a1d JH |
375 | You can try using encryption via source filters (Filter::* from CPAN, |
376 | or Filter::Util::Call and Filter::Simple since Perl 5.8). | |
377 | But crackers might be able to decrypt it. You can try using the byte | |
378 | code compiler and interpreter described below, but crackers might be | |
379 | able to de-compile it. You can try using the native-code compiler | |
68dc0745 | 380 | described below, but crackers might be able to disassemble it. These |
381 | pose varying degrees of difficulty to people wanting to get at your | |
382 | code, but none can definitively conceal it (this is true of every | |
383 | language, not just Perl). | |
384 | ||
385 | If you're concerned about people profiting from your code, then the | |
386 | bottom line is that nothing but a restrictive licence will give you | |
387 | legal security. License your software and pepper it with threatening | |
388 | statements like "This is unpublished proprietary software of XYZ Corp. | |
389 | Your access to it does not give you permission to use it blah blah | |
390 | blah." You should see a lawyer to be sure your licence's wording will | |
391 | stand up in court. | |
5a964f20 | 392 | |
0d7c09bb JH |
393 | =head2 Unicode |
394 | ||
395 | Unicode is a new and complex technology and one may easily overlook | |
396 | certain security pitfalls. See L<perluniintro> for an overview and | |
397 | L<perlunicode> for details, and L<perlunicode/"Security Implications | |
398 | of Unicode"> for security implications in particular. | |
399 | ||
5a964f20 TC |
400 | =head1 SEE ALSO |
401 | ||
402 | L<perlrun> for its description of cleaning up environment variables. |