Date: 01 May 1997 09:34:15 +0100
From: Andrew Gierth <andrew@erlenstar.demon.co.uk>
To: Joerg Wunsch <joerg_wunsch@uriah.heep.sax.de>
Cc: hackers@freebsd.org
Subject: Re: /bin/sh -c and ENV
Message-ID: <87afmf616g.fsf@erlenstar.demon.co.uk>
In-Reply-To: j@uriah.heep.sax.de's message of Thu, 1 May 1997 09:31:29 +0200
References: <87rafr6a0o.fsf@erlenstar.demon.co.uk> <19970501093129.LO56219@uriah.heep.sax.de>

>>>>> "J" == J Wunsch <j@uriah.heep.sax.de> writes:

 >> Just noticed that /bin/sh is executing the ENV file even when invoked
 >> with the -c option. Is this a bug or a feature? :-)

 J> Feature.

Accidental misfeature or deliberate? What reasons exist that justify
this behaviour? What does the POSIX standard say (if anything) about
it?

 >> (Executing the ENV file in calls to system(3) or popen(3) could be
 >> considered a Bad Thing, even in non-suid programs, and the last
 >> system I used where system and popen invoked a Posix shell
 >> specifically disabled the ENV file if the -c option was used.)

 J> . Suid programs that do system() deserve to be shot immediately [...]

 J> . If the shell detects that the real and effective UID are different,
 J>   option -p is in effect, and no $ENV processing happens anyway.

I know - that's why I mentioned non-suid programs.

 J> . If your $ENV file is not bulletproof, go back 10 or 15 years in
 J>   history, go to Berkeley, you'll certainly use a csh. You'll then
 J>   learn how to write .cshrc files that don't depend on the
 J>   interactiveness of the shell. :-)

I'm not concerned about *my* ENV file - but about others.

Consider: programs that don't expect /bin/sh to be a Posix shell will
not delete ENV from the environment before calling system() or popen()
or invoking /bin/sh in any other way. They are therefore completely
vulnerable to any error in the ENV variable or in the referenced
script.

-- 
Andrew.
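
The precaution the message says such programs omit, as an added example (not code from this thread or from FreeBSD): a caller that cannot rely on /bin/sh ignoring ENV under -c removes the variable in the child before invoking the shell. The names run_sh_without_env and exit_code and the ENV path are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run cmd with "/bin/sh -c", removing ENV from the child's environment only.
 * Returns the wait status, or -1 if fork/waitpid fails. Unlike system(3),
 * this helper leaves the caller's signal dispositions untouched. */
int run_sh_without_env(const char *cmd)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Child: drop ENV so the shell has no ENV file to execute. */
        if (unsetenv("ENV") != 0)
            _exit(127);
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);               /* exec failed */
    }
    int status;
    while (waitpid(pid, &status, 0) < 0) {
        if (errno != EINTR)
            return -1;
    }
    return status;
}

/* Decode a wait status: exit code, or -1 if the shell did not exit normally. */
int exit_code(int status)
{
    return (status != -1 && WIFEXITED(status)) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed value standing in for an ENV setting inherited from a user. */
    setenv("ENV", "/nonexistent/constructed-env-file", 1);
    /* ${ENV+set} expands to "set" only if ENV exists in the shell's environment. */
    int rc = exit_code(run_sh_without_env("test -z \"${ENV+set}\""));
    printf("ENV hidden from child shell: %s\n", rc == 0 ? "yes" : "no");
    printf("ENV still set in parent: %s\n", getenv("ENV") ? "yes" : "no");
    return rc == 0 ? 0 : 1;
}
```

Because the variable is removed after fork(), the calling process keeps its own ENV setting; only the shell it spawns starts without one.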