Zsh Mailing List Archive

Re: Security issue in Zsh restricted mode (zsh -r) – escape via history built-ins

On further deliberation, I think we should just drop the whole
restricted mode feature. The documentation has carried a warning that
"the feature may be removed in future" for the past six years.

Please say if you disagree.

Mikael Magnusson wrote:
> Is this bit supposed to also have an isset(RESTRICTED)?

Yes, sorry. Though I notice that the documentation specifically mentions
that the system module should be disabled for restricted mode, so if
we do want to "fix" restricted mode, this part is not necessary. We
could perhaps just recommend disabling zcompile in the documentation.
Variables like TMPPREFIX are problematic, though. Many of the variables
used by the runtime loader are also a major flaw with the concept behind
a restricted shell. If writing to files is to be blocked then Linux's
LD_DEBUG_OUTPUT gets around that. LD_PRELOAD or LD_LIBRARY_PATH may make
for an easier escape route. It's not the shell's job to block these off
and they vary considerably across operating systems.

In zsh, the feature apparently dates to Jan 1997 and was first released
with 3.1.2. Just about too old for there to be a mailing list post so
I'll just have to assume it was added because ksh has the feature.

Oliver
