Capturing caller id
Chris Lewis (clewis@ferret.ocunix.on.ca)
Wed, 8 Nov 1995 06:28:10 +0100

In article <199511072257.RAA25819@tarsier.cv.nrao.edu>,
Jeff Uphoff <juphoff@tarsier.cv.nrao.edu> wrote:
>"GD" == Gert Doering <gert@greenie.muc.de> writes:
>
>GD> How secure *is* perl? I'd never do something like that in /bin/sh, but
>GD> perl is rumored to be quite secure...
>
>It is. With the -T option (or when running setuid or setgid), "taint"
>checks are turned on. This prevents a programmer from using his/her
>copious amounts of stupidity unless said programmer is *really* intent
>upon it.
>Here's the perlsec(1) manual page for Perl v5, just for kicks:

Setuidishness isn't particularly relevant here, because uulogin isn't
a setuid script. Programming in perl is not inherently any less
secure than C. However, that script needs to be carefully checked over
to make sure that the user can't do anything funny with metacharacters
in the password or signals. If I'm not mistaken, taintperl would
reject it.

I'm also not particularly enamored of doing system("stty...") when
ioctl() is the preferred solution (but that does introduce some
system dependencies).
--
Chris Lewis: _Una confibula non sat est_
Latest psroff: ftp://ftp.uunet.ca/distrib/chris_lewis/psroff3.0pl17/*
Latest hp2pbm: ftp://ftp.uunet.ca/distrib/chris_lewis/hp2pbm/*
NNTP AUTHINFO GENERIC info: ftp://ftp.uunet.ca/distrib/chris_lewis/generic/*
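
Added example, not part of the original post and not the uulogin script it discusses: a taint-mode (-T) login prompt that turns echo off through POSIX::Termios rather than system("stty..."), restores echo on signals, and untaints the login name by allow-list. The function names, the name pattern and the handled signal list are assumptions made for illustration.

```perl
#!/usr/bin/perl -T
# Added example; not the uulogin script from the thread.
use strict;
use warnings;
use POSIX qw(:termios_h);

# %ENV is tainted under -T: pin PATH and drop variables a shell would honour.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Switch echo with termios on the descriptor; no shell, no system("stty ...").
sub set_echo {
    my ($fd, $on) = @_;
    my $t = POSIX::Termios->new;
    defined $t->getattr($fd) or return 0;    # not a terminal
    my $lflag = $t->getlflag;
    $t->setlflag($on ? ($lflag | ECHO) : ($lflag & ~ECHO));
    return defined $t->setattr($fd, TCSANOW) ? 1 : 0;
}

# Untaint by allow-list: only the regex capture is clean (pattern is an assumption).
sub untaint_name {
    my ($raw) = @_;
    return undef unless defined $raw;
    chomp $raw;
    return $raw =~ /\A([A-Za-z][A-Za-z0-9_-]{0,15})\z/ ? $1 : undef;
}

sub main {
    my $fd = fileno(STDIN);
    $| = 1;
    print "login: ";
    my $name = untaint_name(scalar <STDIN>);
    defined $name or die "rejected login name\n";
    # Put echo back if the caller interrupts or hangs up during the prompt.
    my $restore = sub { set_echo($fd, 1); exit 1 };
    local @SIG{qw(INT QUIT TERM HUP)} = ($restore) x 4;
    print "Password: ";
    set_echo($fd, 0);
    my $pw = <STDIN>;
    set_echo($fd, 1);
    print "\n";
    defined $pw or die "no password read\n";
    chomp $pw;
    # $pw stays tainted: use it only as data, never inside a command string.
    printf "name '%s' accepted, password of %d bytes read\n", $name, length $pw;
    return 0;
}

exit main() unless caller;
```

Run it as "perl -T" followed by the file name, since perl refuses a -T that appears only on the #! line when the script is started through the interpreter by hand.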