Skip Menu |

This queue is for tickets about the CPAN CPAN distribution.

Report information
The Basics
Id: 40911
Status: open
Priority: 0/
Queue: CPAN

People
Owner: Nobody in particular
Requestors: mschwern [...] cpan.org
Cc:
AdminCc:

Bug Information
Severity: Wishlist
Broken in: (no value)
Fixed in: (no value)



Subject: Running as root detection and optional correction.
As I mentioned on perl-qa, it is insecure to run the CPAN shell as root. Instead, only the install process should be run as root. CPAN.pm has facilities to do this but many folks don't know about it. It would be nice if the CPAN shell issued a warning if run as root, just once. It would then offer to reconfigure itself to work as a regular user and use sudo (or whatever works) as appropriate. Included would be instructions (or if possible just do it automatically) on how to fix the .cpan file permissions to work with a regular user. If the user rejects this, it will not nag them about it again (it'll flip a toggle in the CPAN config). But now no one can blame us for not trying to fix their security hole. How does that sound? That'll close a huge gaping hole in user-end security. I've included a little prototype program to show the user interaction.
Subject: cpan_root_detect.plx
Download cpan_root_detect.plx
application/octet-stream 3.6k

Message body not shown because it is not plain text.

Subject: Re: [rt.cpan.org #40911] Running as root detection and optional correction.
Date: Fri, 14 Nov 2008 04:41:28 +0100
To: bug-CPAN [...] rt.cpan.org
From: andreas.koenig.7os6VVqR [...] franz.ak.mind.de (Andreas J. Koenig)
Very nice. Thank you! Thie will be integrated ASAP. -- andreas