Zsh Mailing List Archive
Re: 8-bit patch for zle_tricky.c
- X-seq: zsh-workers 1106
- From: Hrvoje.Niksic@xxxxxxxxxxxxxx (Hrvoje Niksic)
- To: A.Main@xxxxxxxxxxxxxxxxx (Zefram)
- Subject: Re: 8-bit patch for zle_tricky.c
- Date: Tue, 21 May 1996 00:43:29 +0200 (MET DST)
- Cc: hzoli@xxxxxxxxxx, schaefer@xxxxxxx, A.Main@xxxxxxxxxxxxxxxxx, zsh-workers@xxxxxxxxxxxxxxx
- In-reply-to: <1222.199605202109@xxxxxxxxxxxxxxxxxxxxxxx> from Zefram at "May 20, 96 10:09:08 pm"
- Reply-to: hniksic@xxxxxxxxxxxxxx
In your mail, you said:
> It is a security hole, but (a) setuid shell scripts are insecure anyway
> on most systems, and (b) there's a way to avoid it:
As far as I understand, the other problem is with setuid programs calling
other programs with system(), like:
system("/bin/date");
to output the date. If the IFS contains '/', someone might have a program named
bin in their path, and then...
--
hniksic@xxxxxxx | Student of electrical engineering
hniksic@xxxxxxxxxxxxx | University of Zagreb, Croatia
------------------------------------------------------------------
`VI' - An editor used by those heretics that don't subscribe to
the Emacs religion.
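
The alternative to the system() call discussed in the message above, as an added example that is not part of the original post or of zsh: the program is run by absolute path with execve() and a rebuilt environment, so no shell is involved and nothing is split on IFS. The function names, the variable allowlist and the fixed PATH are assumptions of this example.

```c
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Allowlist (this example's choice); all else, including IFS, is dropped. */
static const char *const KEEP[] = { "TZ=", "LANG=", NULL };

/* Build a minimal environment: fixed PATH plus allowlisted variables.
 * cap must be >= 2. Writes a NULL-terminated array, returns entry count. */
size_t clean_env(char *const in[], char *out[], size_t cap)
{
    size_t n = 0;
    if (cap < 2)
        return 0;
    out[n++] = "PATH=/usr/bin:/bin";
    for (size_t i = 0; in && in[i] && n + 1 < cap; i++)
        for (size_t k = 0; KEEP[k]; k++)
            if (strncmp(in[i], KEEP[k], strlen(KEEP[k])) == 0) {
                out[n++] = in[i];
                break;
            }
    out[n] = NULL;
    return n;
}

/* Run an absolute path with execve(): no shell parses the command, so
 * nothing is split on IFS. Returns the exit status, or -1 on failure. */
int run_no_shell(const char *path, char *const argv[], char *const envp[])
{
    char *env[8];
    int status;
    if (path == NULL || path[0] != '/')
        return -1;                  /* refuse PATH-relative names */
    clean_env(envp, env, 8);
    pid_t pid = fork();
    if (pid == 0) {
        execve(path, argv, env);
        _exit(127);                 /* exec failed */
    }
    if (pid < 0 || waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    extern char **environ;
    char *args[] = { "date", NULL };
    return run_no_shell("/bin/date", args, environ);
}
```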