"special" shells a security hole?

dce at mips.UUCP
Mon Feb 9 14:30:31 AEST 1987


In article <1317 at ho95e.ATT.COM> wcs at ho95e.UUCP (46133-#Bill.Stewart,2G202,x0705,) writes:
>In article <3037 at gitpyr.gatech.EDU> robert at gitpyr.UUCP (Robert Viduya) writes:
>>Watch out for programs that allow shell escapes but ignore SHELL, though.
>>I don't know of any that do, but that doesn't mean they don't exist.
>>They're anti-social anyway.
>
>The "system(3)" subroutine call does this, at least on V7, 4.1BSD, and
>System V Release 0 and 2.  A lot of commands use it, including /bin/mail.
>Aside from being anti-social (4.*BSD and SVR2 are old enough to know better),
>it can also be a source of bugs and/or security risks.
>-- 
># Bill Stewart, AT&T Bell Labs 2G-202, Holmdel NJ 1-201-949-0705 ihnp4!ho95c!wcs

I'm not quite sure what Bill means here, but it appears that he is saying
that he feels that it is improper for system(3) to ignore the value of
SHELL.

If this is the case, then I have to strongly disagree. When I write a program
that uses system(), I am assuming that it will use /bin/sh. Without that
assumption, the most I can expect to execute is a command like

	command 'arg1' 'arg2' ... < 'infile' > 'outfile'

and I'm expecting a lot here (command execution syntax, quoting, and
redirection must be sh-compatible, so any kind of new shell, such as a
Lisp-based shell, would be out of the question). (You might argue that
the quoting doesn't matter, but that's another discussion.)

And, if all I can expect is the above, I'm much better off writing a
fork/redirect/exec subroutine than using system(), for better speed
and control.

The idea of using the SHELL environment variable is something that
really wreaks havoc when you port the System V.2 or better version
of make(1) to a BSD system (or use it in System V.3). Take a look
around and count how many makefiles would break if run using csh
instead of sh. The person that came up with this method really needs
a talking to. We ended up changing sh to not import the value of
SHELL from the environment. If a makefile needs to use a different
shell, it should be specifiable on a per-makefile basis, instead
of having the user screw something up unknowingly.
shell, the user can just 
-- 
			David Elliott

UUCP: 	{decvax,ucbvax,ihnp4}!decwrl!mips!dce, DDD:  	408-720-1700
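The post argues two things: that the command syntax handed to system(3) is sh syntax and must stay so regardless of $SHELL, and that a program which only needs "command 'arg1' 'arg2' < 'infile' > 'outfile'" is better served by its own fork/redirect/exec subroutine. The block below is an added example, not code from the original post or from any of the systems it mentions. It assumes a POSIX host with /bin/sh, an echo in $PATH and a writable /tmp; the function names run_noshell, read_small_file, system_ignores_shell and echo_is_verbatim are hypothetical. Beyond the speed-and-control point in the post, the example shows the security consequence of skipping the shell: arguments containing metacharacters reach the program verbatim, so there is nothing for a caller-controlled string to inject into.

```c
/* Added example (not part of the original post): a fork/redirect/exec
 * subroutine of the kind the post prefers to system(3), plus a check that
 * system(3) keeps using /bin/sh whatever $SHELL says.
 * Assumes a POSIX host with /bin/sh, echo in $PATH and a writable /tmp.
 * Hypothetical names: run_noshell, read_small_file, system_ignores_shell,
 * echo_is_verbatim. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run argv[0] with argv[] as its argument vector, optionally redirecting
 * stdin from infile and stdout to outfile.  No shell is involved, so every
 * argument reaches the program as-is: "$HOME", ";", "|" and ">" are plain
 * characters, not operators.  Returns the child's exit status, or -1. */
int run_noshell(char *const argv[], const char *infile, const char *outfile)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (infile) {
            int fd = open(infile, O_RDONLY);
            if (fd < 0 || dup2(fd, STDIN_FILENO) < 0)
                _exit(127);
            close(fd);
        }
        if (outfile) {
            int fd = open(outfile, O_WRONLY | O_CREAT | O_TRUNC, 0600);
            if (fd < 0 || dup2(fd, STDOUT_FILENO) < 0)
                _exit(127);
            close(fd);
        }
        execvp(argv[0], argv);
        _exit(127);               /* exec failed: same convention sh uses */
    }
    int status;
    while (waitpid(pid, &status, 0) < 0) {
        if (errno != EINTR)
            return -1;
    }
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Read at most bufsize-1 bytes of path into buf (NUL-terminated).
 * Returns the byte count, or -1 if the file could not be opened. */
long read_small_file(const char *path, char *buf, size_t bufsize)
{
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, bufsize - 1, f);
    buf[n] = '\0';
    fclose(f);
    return (long)n;
}

/* The point of the post: system(3) runs /bin/sh regardless of $SHELL.
 * With SHELL pointing at a path that does not exist, a command line that
 * relies on sh syntax ($(...), test, &&) still runs.  Returns 1 if it did. */
int system_ignores_shell(void)
{
    setenv("SHELL", "/nonexistent/shell", 1);
    int st = system("test \"$(echo a b)\" = 'a b' && exit 3");
    return WIFEXITED(st) && WEXITSTATUS(st) == 3;
}

/* Pass a metacharacter-laden argument to echo through run_noshell with
 * stdout redirected to a file, and confirm the file holds the literal text
 * (no expansion, no pipeline, no clobbered /etc/passwd).  Returns 1 if so. */
int echo_is_verbatim(void)
{
    const char *outfile = "/tmp/run_noshell_demo.out";
    char *argv[] = { "echo", "$HOME; id | cat > /etc/passwd", NULL };
    char buf[256];

    if (run_noshell(argv, NULL, outfile) != 0)
        return 0;
    if (read_small_file(outfile, buf, sizeof buf) < 0)
        return 0;
    return strcmp(buf, "$HOME; id | cat > /etc/passwd\n") == 0;
}

int main(void)
{
    printf("system() ignores SHELL: %s\n",
           system_ignores_shell() ? "yes" : "no");
    printf("run_noshell passes metacharacters verbatim: %s\n",
           echo_is_verbatim() ? "yes" : "no");
    return 0;
}
```

Had the same argument string gone through system("echo " + arg), sh would have expanded $HOME, run id, and tried to write /etc/passwd; that difference, not just speed, is why a program that only needs argument passing and redirection should not route through a shell at all.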