It has been a long time since I updated this blog: the Bio-Info dual-track experimental class, the Center for Informational Biology (信息生物学研究中心), the 7th National Conference on Bioinformatics and Systems Biology, all sorts of exchanges, all sorts of tagging along, all sorts of busy. Recently I suddenly remembered the long-postponed introductory teaching project "Bioinformatics Programming in Perl" (《Perl生物信息学编程》) and hurried to restart it. I wrote a short example script, ran it in Eclipse, and the console reported: Insecure dependency in unlink while running with -T switch at file-demo.pl line 9.
How embarrassing. I switched to a CMD window, changed to the corresponding directory, ran perl file-demo.pl, and everything worked as expected. So I ran perl -h and found these two closely related lines:
-t enable tainting warnings
-T enable tainting checks
Then I recalled that there seemed to be a related option when configuring EPIC. So I opened the Preferences item in Eclipse's Window menu, and the following window popped up.
After unchecking Enable taint mode in the screenshot above, I could finally run the example script directly in Eclipse as intended.
There does not seem to be an established Chinese term for taint mode yet, so I will provisionally translate it as 臭美模式 (roughly "vanity mode"). The English word taint means a stain or contamination, along the lines of "eat dirty and you won't get sick", which happens to be what Perl is naturally best at. So why would it need a taint mode at all? In fact, as you can see from the descriptions of -t and -T, these two switches do not turn on a "dirty" mode; they warn about and check for taint (dirtiness). That is why I think 臭美模式 is quite fitting. For more documentation, see http://perldoc.perl.org/perlsec.html#Taint-mode. A few excerpts:
Taint mode
Perl automatically enables a set of special security checks, called taint mode, when it detects its program running with differing real and effective user or group IDs. The setuid bit in Unix permissions is mode 04000, the setgid bit mode 02000; either or both may be set. You can also enable taint mode explicitly by using the -T command line flag. This flag is strongly suggested for server programs and any program run on behalf of someone else, such as a CGI script. Once taint mode is on, it's on for the remainder of your script.
While in this mode, Perl takes special precautions called taint checks to prevent both obvious and subtle traps. Some of these checks are reasonably simple, such as verifying that path directories aren't writable by others; careful programmers have always used checks like these. Other checks, however, are best supported by the language itself, and it is these checks especially that contribute to making a set-id Perl program more secure than the corresponding C program.
Taint mode and @INC
When the taint mode (-T) is in effect, the "." directory is removed from @INC, and the environment variables PERL5LIB and PERLLIB are ignored by Perl. You can still adjust @INC from outside the program by using the -I command line option as explained in perlrun. The two environment variables are ignored because they are obscured, and a user running a program could be unaware that they are set, whereas the -I option is clearly visible and therefore permitted.
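The "Insecure dependency in unlink" error from the first paragraph and the perlsec excerpts above describe the same mechanism, so here is a small added example (my own, not the blog's file-demo.pl) that shows what taint mode actually checks and how a script can keep the -T switch on instead of turning it off in EPIC. It assumes only core Perl (Scalar::Util ships with Perl) and is run as perl -T taint-demo.pl some-name.txt; the file name taint-demo.tmp used when no argument is given is a constructed placeholder.

```perl
#!/usr/bin/perl
# taint-demo.pl -- added example, not the blog's file-demo.pl.
# Run as:  perl -T taint-demo.pl some-name.txt
# (the -T switch is given on the command line, so the shebang
#  does not carry it; otherwise perl would say "Too late for -T").
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Under -T every value that comes from outside the program (@ARGV,
# %ENV, STDIN, file contents) is tainted, and passing it to unlink,
# open for writing, system, exec and friends dies with
# "Insecure dependency in ... while running with -T switch".
sub untaint_filename {
    my ($raw) = @_;
    # A regex capture is the sanctioned way to launder a value: only
    # the captured part is considered clean. Allow a plain name with
    # an optional extension; reject directory separators, leading
    # dots ("..", hidden files) and anything else.
    my ($clean) = $raw =~ /\A(\w[\w-]*(?:\.\w+)?)\z/
        or die "refusing unsafe file name '$raw'\n";
    return $clean;
}

# Constructed default; a literal is never tainted, an argument is.
my $name = @ARGV ? shift @ARGV : 'taint-demo.tmp';
printf "argument tainted: %s\n", tainted($name) ? 'yes' : 'no';

# unlink($name) at this point would die under -T, so launder first.
my $clean = untaint_filename($name);
printf "after regex capture tainted: %s\n", tainted($clean) ? 'yes' : 'no';

# Create the file so the demo is self-contained, then remove it.
open my $fh, '>', $clean or die "cannot create $clean: $!\n";
close $fh;
unlink $clean or die "unlink $clean failed: $!\n";
print "removed $clean\n";
```

Run without -T the same script reports the argument as not tainted and unlink would have succeeded even on an unchecked name, which is exactly why the CMD window showed no error. The regex is the security-relevant part: it should accept only the shape of input the script expects, not merely strip a few characters. Related to the @INC excerpt above: since Perl 5.26 the "." directory is absent from @INC by default even without -T, so scripts that relied on loading modules from the current directory fail in the same way under either setting.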