
[suse-security] Creating non-root perl owner to run CPAN



There are a number of Linux language packages
 that are self-extending, such as Perl, Python, and R.

For example, installing the BioConductor package
 is easiest from within R,  just run R,
 source a URL to download the script,
 then run the function thus created.
Lots happens, and hey presto, a new R library!

Traditionally everything is owned and maintained by root,
 but being a sysadmin (paid professional paranoid)
 I created a user  "rowner"  and group  "rusers"
 and  "chown -R"  the R base directory  "/usr/lib/R".
Now I su to rowner before doing the above,
 and the system is isolated from any malicious code
 somewhere in R's contributed package libraries.

So much for a language I don't know (or like or trust).
What about the language I do know, love and trust, Perl?
Su to root,  set dependencies to  "follow",  run CPAN,
  "install Bundle::Evil::RootKit"  and go have a cup of coffee...

There's an awful lot of libraries and contributors...
Do I trust them all?  Historically I've effectively said,
 "Of course!  Anyone who hacks Perl has to be a good-guy!"

Well history aside, maybe it's not such a good idea;
 what do people think of using the R strategy
 for all self-extending languages?

michaelj

-- 
Michael James                         michael.james@xxxxxxxx
System Administrator                    voice:  02 6246 5040
CSIRO Bioinformatics Facility             fax:  02 6246 5166

No matter how much you pay for software,
 you always get less than you hoped.
Unless you pay nothing, then you get more.
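The "R strategy" from the post, applied to Perl's site tree as an added example that is not part of the original message: a dedicated unprivileged owner takes the library directory, CPAN runs as that owner, and an audit function reports anything in the tree that is not owned by it or is world-writable. The account name `powner`, group `pusers` and the path `/usr/lib/perl5/site_perl` are assumptions (check `perl -V:sitelib` on the real host).

```shell
#!/bin/sh
# Added example, not from the original post. Dedicate an unprivileged owner
# to Perl's site tree so CPAN build/test scripts cannot touch the rest of
# the system. Names and path below are assumptions, not real-system values.

OWNER=${OWNER:-powner}                         # assumed dedicated account
GROUP=${GROUP:-pusers}                         # assumed group that uses the modules
SITELIB=${SITELIB:-/usr/lib/perl5/site_perl}   # assumed; verify with perl -V:sitelib

# Root-only setup: create account and group, hand over the tree, and make
# sure nothing under it is writable by anyone but the owner. The owner's
# home is the tree itself, so CPAN's own build directory lands there too.
setup_owner() {
    dir=$1; owner=$2; group=$3
    getent group "$group" >/dev/null || groupadd "$group"
    getent passwd "$owner" >/dev/null \
        || useradd -r -g "$group" -d "$dir" -s /bin/sh "$owner"
    chown -R "$owner:$group" "$dir"
    chmod -R u+rwX,g+rX,o-w "$dir"
}

# Install a module as the unprivileged owner instead of root.
install_module() {
    owner=$1; module=$2
    su -s /bin/sh "$owner" -c "perl -MCPAN -e 'install \"$module\"'"
}

# Audit: print every file under DIR that is not owned by OWNER or is
# world-writable; return 0 only when the tree is clean.
audit_tree() {
    dir=$1; owner=$2
    offenders=$(find "$dir" \( ! -user "$owner" -o -perm -002 \) -print 2>/dev/null)
    if [ -n "$offenders" ]; then
        printf '%s\n' "$offenders"
        return 1
    fi
    return 0
}

# Usage (as root):  setup_owner "$SITELIB" "$OWNER" "$GROUP"
#                   install_module "$OWNER" Some::Module
#                   audit_tree "$SITELIB" "$OWNER"
```

Running the audit after each install catches a module whose build step escalated or loosened permissions inside the tree; anything outside the tree is protected simply because the owner has no write access there.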
