Re: [MacPerl] perl->c supporting Mac extensions? (fwd)

[Tom Holub <tom_holub@ls.berkeley.edu>]

At 2:58 PM -0600 4/3/97, Mark Manning/Metrica wrote:
>
>A. Create your Perl files.
>B. Set them to be owned by the web server.
>C. Set their chmod to 000.
>D. Create a new Perl program.
>D1. Make this program accept the names of files to execute.
>D2. Make this program first chmod the file to be read to
>	400 and then include the file into the program or chmod
>	the program to 700 and use the system command to execute it.
>E. Reset the chmod to 000 on the file.
>
>This would make your scripts execute slower but it gives
>you a two step filter which, even if the person knew what
>the file name was - they would not be able to view the file
>and/or retrieve it because the file doesn't allow anyone to
>do anything with the file until it has been chmod'd.  So
>long as the person can not execute commands on your system,
>this should be fairly secure.

No, it's not.

A. Hacker accesses web server
B. Hacker tells web server he wants to execute foo.cgi
C. Web server chmod's the file
D. Hacker now uses whatever method he has to view foo.cgi

This is known as a "race condition", and it will be obvious to any hacker.
You get a lot more headaches than security with a system like this.

---
Tom Holub (tom_holub@ls.berkeley.edu)
Letters & Sciences Computer Resources
455 LSA (510-642-9069)