\"special\" shells a security hole?

[dce at mips.UUCP]

In article <1684 at druhi.UUCP> clive at druhi.UUCP (Clive Steward) writes:
>Probably, I don't have the gruedom to know why something like this
>won't quickly 'automaintain' all those 'thousands of makefiles' to say
>what their shell should be:
>
code example
>
>Frankly, it would probably be a good idea all around, given the
>experiences I've had with ksh, for instance, breaking makes.  
>Especially on small memoried machines.  
>
>Users should be able to use any shell; and Makefiles also, not
>necessarily the same one.

You're missing the point.

The "grue"s (how do you like being called a "grue", Guy?) that are
arguing against the change could easily write commands that add a
SHELL=/bin/sh line to the beginning of each makefile, but why
should they have to?

Think about us people with BSD-based systems, where the fact
that most users still use csh causes even more problems (you think
ksh breaks bad?). We'd like to have the features of the AT&T make,
but can't afford to go into every user's makefiles and make the
change (announce it on news, you say? Half of the people here don't
even read their mail!).

Once more, I must bring up the point of customers. Mips is in the
OEM business, so most of our customers sell our systems to other
people. What are we supposed to do? "Hello. This is Bill at Jim's
Computer Systems. Why does make do ...?" "Well, Bill, you need to
to put a SHELL=/bin/sh at the top." "We lost the XYZ CAD account
because the software wouldn't build. We're suing."

One final question: how would you like it if AT&T changed all of
the shells such that they use $SHELL to run your shell scripts
by default? Do you write all of your shell scripts entirely
without ksh builtins? Do you expect everyone to?
-- 
			David Elliott

UUCP: 	{decvax,ucbvax,ihnp4}!decwrl!mips!dce, DDD:  	408-720-1700