E
el_roachmeister
I disagree with a few things in perlsec relating to "Protecting your
program", namely these two paragraphs:
First of all, however, you can't take away read permission, because the
source code has to be readable in order to be compiled and interpreted.
(That doesn't mean that a CGI script's source is readable by people on
the web, though.) So you have to leave the permissions at the socially
friendly 0755 level. This lets people on your local system only see
your source.
Some people mistakenly regard this as a security problem. If your
program does insecure things, and relies on people not knowing how to
exploit those insecurities, it is not secure. It is often possible for
someone to determine the insecure things and exploit them without
viewing the source. Security through obscurity, the name for hiding
your bugs instead of fixing them, is little security indeed.
=======================================
If you are concerned about security you why are you going to let people
on your local system see your source? The default should be 700. You
would only need 755 if you have a definite need to do so.
Security is not a black and white issue. No script on this planet is
100% secure. It is all about reducing your probablity of being hacked.
Anything you do to make it more difficult for a script to be hacked
will increase the "security" of the script. Even if you write the
"perfectly secure" script, there are other ways into your program
beside your script. A hacker could just decide to break into your web
hosting account directly.
Security by obscurity is very helpful in reducing your risks. The
perlsec makes it sounds like it has no effect on protecting it. I
suggest perslec either eliminate any comments about security by
obscurity since that really has nothing to do with perl anyways. Or
they should be more realistic about what it really means.
The convenience store in the bad neighborhood will always get robbed
day in and day out, while the billions of dollars sitting in bank
accounts that nobody knows exists will remain untouched.
program", namely these two paragraphs:
First of all, however, you can't take away read permission, because the
source code has to be readable in order to be compiled and interpreted.
(That doesn't mean that a CGI script's source is readable by people on
the web, though.) So you have to leave the permissions at the socially
friendly 0755 level. This lets people on your local system only see
your source.
Some people mistakenly regard this as a security problem. If your
program does insecure things, and relies on people not knowing how to
exploit those insecurities, it is not secure. It is often possible for
someone to determine the insecure things and exploit them without
viewing the source. Security through obscurity, the name for hiding
your bugs instead of fixing them, is little security indeed.
=======================================
If you are concerned about security you why are you going to let people
on your local system see your source? The default should be 700. You
would only need 755 if you have a definite need to do so.
Security is not a black and white issue. No script on this planet is
100% secure. It is all about reducing your probablity of being hacked.
Anything you do to make it more difficult for a script to be hacked
will increase the "security" of the script. Even if you write the
"perfectly secure" script, there are other ways into your program
beside your script. A hacker could just decide to break into your web
hosting account directly.
Security by obscurity is very helpful in reducing your risks. The
perlsec makes it sounds like it has no effect on protecting it. I
suggest perslec either eliminate any comments about security by
obscurity since that really has nothing to do with perl anyways. Or
they should be more realistic about what it really means.
The convenience store in the bad neighborhood will always get robbed
day in and day out, while the billions of dollars sitting in bank
accounts that nobody knows exists will remain untouched.