"special" shells a security hole?

gwyn at brl-smoke.UUCP gwyn at brl-smoke.UUCP
Mon Feb 9 15:37:16 AEST 1987


In article <1317 at ho95e.ATT.COM> wcs at ho95e.UUCP (46133-#Bill.Stewart,2G202,x0705,) writes:
-In article <3037 at gitpyr.gatech.EDU> robert at gitpyr.UUCP (Robert Viduya) writes:
->Watch out for programs that allow shell escapes but ignore SHELL, though.
-The "system(3)" subroutine call does this, at least on V7, 4.1BSD, and
-System V Release 0 and 2.  A lot of commands use it, including /bin/mail.
-Aside from being anti-social (4.*BSD and SVR2 are old enough to know better),
-it can also be a source of bugs and/or security risks.

Quite the contrary, it is essential for system(3) to provide a well-behaved
set of semantics in order to NOT create a security hole.
Allowing its behavior to depend on an environment variable would break
many programs.
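
An added illustration, not part of the original post: the C sketch below contrasts system(3), which on the usual implementations runs `/bin/sh -c` regardless of the environment, with a hypothetical helper `run_with_env_shell` that honours `$SHELL`. The bogus shell path is constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run cmd through system(3); returns the command's exit status or -1. */
int run_system(const char *cmd)
{
    int st = system(cmd);
    return (st != -1 && WIFEXITED(st)) ? WEXITSTATUS(st) : -1;
}

/* Hypothetical variant whose interpreter is chosen by $SHELL, for contrast.
 * Returns the child's exit status, 127 if the exec fails, -1 on error. */
int run_with_env_shell(const char *cmd)
{
    const char *sh = getenv("SHELL");
    if (sh == NULL || *sh == '\0')
        sh = "/bin/sh";

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl(sh, sh, "-c", cmd, (char *)NULL);
        _exit(127);                 /* exec failed: interpreter unusable */
    }

    int st;
    if (waitpid(pid, &st, 0) < 0)
        return -1;
    return WIFEXITED(st) ? WEXITSTATUS(st) : -1;
}

int main(void)
{
    /* Constructed value: the caller's environment names a shell that is
     * not a Bourne shell (here it does not even exist). */
    setenv("SHELL", "/nonexistent/shell", 1);

    /* system(3) ignores SHELL, so the command behaves as written. */
    printf("system(3):      exit status %d\n", run_system("exit 7"));

    /* The SHELL-honouring variant now depends on whatever the caller set. */
    printf("honours $SHELL: exit status %d\n", run_with_env_shell("exit 7"));
    return 0;
}
```

With `SHELL` pointing at something other than a Bourne-compatible shell, the fixed-interpreter call still returns the status the program asked for, while the environment-dependent one does not.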



More information about the Comp.unix.wizards mailing list