Zsh Mailing List Archive Messages sorted by: Reverse Date, Date, Thread, Author

Re: 8-bit patch for zle_tricky.c

X-seq: zsh-workers 1106
From: Hrvoje.Niksic@xxxxxxxxxxxxxx (Hrvoje Niksic)
To: A.Main@xxxxxxxxxxxxxxxxx (Zefram)
Subject: Re: 8-bit patch for zle_tricky.c
Date: Tue, 21 May 1996 00:43:29 +0200 (MET DST)
Cc: hzoli@xxxxxxxxxx, schaefer@xxxxxxx, A.Main@xxxxxxxxxxxxxxxxx, zsh-workers@xxxxxxxxxxxxxxx
In-reply-to: <1222.199605202109@xxxxxxxxxxxxxxxxxxxxxxx> from Zefram at "May 20, 96 10:09:08 pm"
Reply-to: hniksic@xxxxxxxxxxxxxx

In your mail, you said:
> It is a security hole, but (a) setuid shell scripts are insecure anyway
> on most systems, and (b) there's a way to avoid it:

As far as I understand, the other problem is with setuid programs calling
other programs with system(), like:
system("/bin/date");
to output date. If the IFS contains '/', someone might have a program named
bin in their path, and then...

-- 
hniksic@xxxxxxx              |  Student of electrical engineering
hniksic@xxxxxxxxxxxxx        |  University of Zagreb, Croatia
------------------------------------------------------------------
`VI' - An editor used by those heretics that don't subscribe to
       the Emacs religion.

Follow-Ups:
- Re: 8-bit patch for zle_tricky.c
  - From: Zefram

References:
- Re: 8-bit patch for zle_tricky.c
  - From: Zefram

Messages sorted by: Reverse Date, Date, Thread, Author