Zsh Mailing List Archive

Re: 8-bit patch for zle_tricky.c



In your mail, you said:
> It is a security hole, but (a) setuid shell scripts are insecure anyway
> on most systems, and (b) there's a way to avoid it:

As far as I understand, the other problem is with setuid programs calling
other programs with system(), like:
system("/bin/date");
to output the date. If the IFS contains '/', someone might have a program named
bin in their path, and then...

-- 
hniksic@xxxxxxx              |  Student of electrical engineering
hniksic@xxxxxxxxxxxxx        |  University of Zagreb, Croatia
------------------------------------------------------------------
`VI' - An editor used by those heretics that don't subscribe to
       the Emacs religion.



