[clug] Creating non-root perl owner to run CPAN

Martin Pool mbp at sourcefrog.net
Tue Mar 7 05:45:15 GMT 2006

On 7 Mar 2006, at 16:01 , Michael James wrote:

> There are a number of Linux language packages
>  that are self-extending such as Perl, python, and R,
> For example, installing the BioConductor package
>  is easiest from within R,  just run R,
>  source a URL to download the script,
>  then run the function thus created.
> Lots happens, and hey presto, a new R library!
> Traditionally everything is owned and maintained by root,
>  but being a sysadmin (paid professional paranoid)
>  I created a user  "rowner"  and group  "rusers"
>  and  "chown -R"  the R base directory  "/usr/lib/R"
> Now I su to rowner before doing the above,
>  and the system is isolated from any malicious code
>  somewhere in R's contributed package libraries.
> So much for a language I don't know (or like or trust).
> What about the language I do know, love and trust, Perl?
> Su to root,  set dependencies to  "follow",  run CPAN,
>   "install Bundle::Evil::RootKit"  and go have a cup of coffee...
> There's an awful lot of libraries and contributors...
> Do I trust them all?  Historically I've effectively said,
>  "Of course!  Anyone who hacks Perl has to be a good-guy!"
> Well history aside, maybe it's not such a good idea;
>  what do people think of using the R strategy
>  for all self extending languages?

It's an interesting approach.  One thing to consider: on many  
systems, some Perl scripts are run as root -- maybe your own scripts,  
or maybe scripts that come with the operating system.  By changing  
the perl libraries an attacker who controls 'perlowner' can gain  
indirectly gain root.

The general exposure is that if you don't trust all the CPAN authors  
you shouldn't put their scripts into root's code path.

To avoid this you might install those libraries into a directory not  
on the default path that's only searched by users who need them.   
This may be more trouble than it's worth...  I don't know if CPAN  
supports anything like that.

Martin Pool

More information about the linux mailing list