Re: limiting subroutine run time


From: Stas Bekman
Subject: Re: limiting subroutine run time
Date: 18:09 on 11 May 2005

Igor Chudov wrote:
> --- Perrin Harkins <perrin@xxxx.xxx> wrote:
>
>>On Wed, 2005-05-11 at 07:57 -0700, Igor Chudov wrote:
>>
>>>Can you be a little more specific? Are you talking
>>>about damage such as abuse of resources, or are you
>>>talking about gaining unauthorized privileges?
>>
>>Possibly both.  The thing is, no one uses Safe.
>>Since no one uses it, you can't count on it to be
>>thoroughly debugged.  Much more discussion on it is here:
>>http://perlmonks.org/index.pl?node_id=430804
>
> Thanks Perrin. The ability of tutors to define perl
> scripts is valuable, so I will dig more in this
> direction, being mindful of Safe.pm vulnerabilities.
> The main vulnerabilities of Safe that I have seen
> mentioned personally, are related to use of bless and
> tie, and therefore I disabled those opcodes. I
> appreciate your input and I will treat safe.pm with
> great caution.

What's sure is that you want to run your server in a jail/chroot 
environment if you plan to run untrusted code. Google for more information 
on this topic. There is some information on this topic in the "Practical 
mod_perl" book:
http://www.google.ca/search?as_q=jail&num=10&hl=en&btnG=Google+Search&as_epq=&as_oq=&as_eq=&lr=&as_ft=i&as_filetype=&as_qdr=all&as_occt=any&as_dt=i&as_sitesearch=modperlbook.org&safe=off

        -- 
        __________________________________________________________________
Stas Bekman            JAm_pH ------> Just Another mod_perl Hacker
http://stason.org/     mod_perl Guide ---> http://perl.apache.org
mailto:stas@xxxxxx.xxx http://use.perl.org http://apacheweek.com
http://modperlbook.org http://apache.org   http://ticketmaster.com
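
The jail advice in this message, combined with the Safe opcode restrictions quoted above and the run-time limit the thread asks about, as an added example that is not part of the original thread or of anyone's code in it. The sub name run_untrusted, the jail path /var/empty, uid/gid 65534 and the 5-second limit are assumptions; the script must be started as root for chroot to succeed.

```perl
#!/usr/bin/perl
# Added example, not from the thread: jail + privilege drop + Safe + timeout.
use strict;
use warnings;
use POSIX ();
use Safe;

# Assumptions: started as root; $jail is an empty root-owned directory;
# $uid/$gid belong to an unprivileged account. Adjust all of these per host.
my ($jail, $uid, $gid, $limit) = ('/var/empty', 65534, 65534, 5);

sub run_untrusted {
    my ($code) = @_;
    defined(my $pid = fork) or die "fork: $!";
    if ($pid == 0) {
        # Child: build the compartment first, since @INC is unreachable
        # once we are inside the jail.
        my $cpt = Safe->new;
        $cpt->deny(qw(bless tie untie));     # opcodes named in the thread
        chroot($jail) or POSIX::_exit(2);
        chdir('/')    or POSIX::_exit(2);
        # Drop supplementary groups, then gid, then uid (order matters).
        $) = "$gid $gid";
        POSIX::setgid($gid) or POSIX::_exit(2);
        POSIX::setuid($uid) or POSIX::_exit(2);
        # Refuse to continue if any root identity survived the drop.
        POSIX::_exit(2) if grep { $_ == 0 } POSIX::getuid(), POSIX::geteuid(),
                                            POSIX::getgid(), POSIX::getegid();
        $cpt->reval($code);
        POSIX::_exit($@ ? 1 : 0);            # _exit skips END blocks
    }
    # Parent: the limit is enforced from outside with SIGKILL, which the
    # untrusted code cannot catch, block, or reset.
    my $timed_out = 0;
    local $SIG{ALRM} = sub { $timed_out = 1; kill 'KILL', $pid };
    alarm $limit;
    1 while waitpid($pid, 0) == -1 && $!{EINTR};
    alarm 0;
    return 'timeout'      if $timed_out;
    return 'setup failed' if ($? >> 8) == 2;
    return $? == 0 ? 'ok' : 'error';
}

# Constructed sample inputs: a harmless expression and an endless loop.
print "$_ => ", run_untrusted($_), "\n" for '1 + 1', '1 while 1';
```

The parent only bounds wall-clock time; memory and file-descriptor limits would have to be set separately.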
