From owner-freebsd-security Tue Oct 10 21:10: 7 2000
Delivered-To: freebsd-security@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 79E2437B66F; Tue, 10 Oct 2000 21:10:02 -0700 (PDT)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.9.3/8.9.3) with SMTP id AAA37803; Wed, 11 Oct 2000 00:10:00 -0400 (EDT) (envelope-from robert@fledge.watson.org)
Date: Wed, 11 Oct 2000 00:09:59 -0400 (EDT)
From: Robert Watson
X-Sender: robert@fledge.watson.org
To: "Brian F. Feldman"
Cc: Peter Pentchev, achilov@granch.ru, Przemyslaw Frasunek, freebsd-security@FreeBSD.org
Subject: Re: ncurses buffer overflows (fwd)
In-Reply-To: <200010110038.e9B0cH562984@green.dyndns.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 10 Oct 2000, Brian F. Feldman wrote:

> > Uhm.. it explicitly says '#!/bin/csh' at the start; why are you running
> > it with 'sh'?
>
> The canonical lazy person's execution method for scripts is "shell
> script.shell", because it is easier than "chmod +x script.shell; ./
> script.shell". C shell scripts are supposed to be named .csh for
> consistency, or nothing at all.

We seem to have some bugs in how shells load and run shell scripts for
other shells, and in handling of scripts with invalid or bad #! lines at
the beginning. I think I filed a PR a while ago about handling of scripts
in single-user mode in particular. If you feel bored someday, you could
try and fix them :-).

The general gist is the following: shells (especially when running in
single-user mode for some reason) will tend to execute shell scripts
themselves, rather than using the interpreter defined in the file (not in
multi-user mode?). When a failure occurs in locating or executing the
interpreter, or if interpreters are recursive, rather than failing (as the
kernel execve call does), it will go ahead and execute it using the
current shell. Doubt this could be exploited as a security bug, but it is
probably "wrong". The kernel seems to correctly handle layered
interpreters by returning an image error (an interpreter cannot be another
interpreter, preventing recursion).

Robert N M Watson
robert@fledge.watson.org
http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services
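The distinction Robert draws above (the kernel's execve() fails, while the shell silently falls back to running the file itself) can be made concrete with a small probe. The following C program is an added example written for this archive page, not code from the thread or from FreeBSD. It constructs three throwaway scripts under /tmp (a file with no #! line, a file whose #! names a nonexistent interpreter, and a valid /bin/sh script), asks the kernel to execve() each one in a child, and reports the errno that came back. It then encodes the fallback rule a shell should apply: read the file as its own script only when execve() returned ENOEXEC and the file carries no #! line at all. Everything else (a missing or unexecutable interpreter, or a #! file the kernel rejected, which on FreeBSD includes an interpreter that is itself an interpreted script) is an error to report, not input for the current shell. The sample script contents, the /tmp path prefix and the function names are this example's own choices; whether a nested interpreter is refused or allowed to some depth differs between kernels, so the example does not probe that case.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Ask the kernel to execve() `path` in a forked child and return the errno
 * execve() failed with, or 0 if the exec succeeded. The child reports the
 * error over a close-on-exec pipe, so a successful exec just closes it and
 * the parent reads end-of-file. */
int exec_errno(const char *path)
{
    int pfd[2];
    if (pipe(pfd) < 0)
        return -1;
    fcntl(pfd[1], F_SETFD, FD_CLOEXEC);

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)path, NULL };
        char *const envp[] = { NULL };
        close(pfd[0]);
        execve(path, argv, envp);
        int err = errno;                 /* only reached when execve() fails */
        if (write(pfd[1], &err, sizeof err) < 0)
            _exit(126);
        _exit(127);
    }
    close(pfd[1]);
    int err = 0;
    ssize_t n = read(pfd[0], &err, sizeof err);
    close(pfd[0]);
    waitpid(pid, NULL, 0);
    return n == (ssize_t)sizeof err ? err : 0;
}

/* Write constructed script text to a fresh mode-0700 file under /tmp
 * (assumed writable and mountable exec), run it through exec_errno(),
 * delete it and return the errno the kernel produced. */
int probe_script(const char *contents)
{
    char path[] = "/tmp/shebang_probe_XXXXXX";   /* example's own prefix */
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    size_t len = strlen(contents);
    if (write(fd, contents, len) != (ssize_t)len || fchmod(fd, 0700) < 0) {
        close(fd);
        unlink(path);
        return -1;
    }
    close(fd);
    int err = exec_errno(path);
    unlink(path);
    return err;
}

/* Does the script text begin with a "#!" interpreter line? */
int has_shebang(const char *contents)
{
    return contents[0] == '#' && contents[1] == '!';
}

/* Fallback rule: a shell may read a file as its own script only when the
 * kernel said ENOEXEC (no recognised image) and the file has no #! line.
 * ENOENT/EACCES on the interpreter, or ENOEXEC on a #! file, are errors. */
int may_run_as_own_script(int err, int file_has_shebang)
{
    return err == ENOEXEC && !file_has_shebang;
}

int main(void)
{
    /* Constructed sample scripts; the third one must exit promptly. */
    static const char *const samples[] = {
        "echo no interpreter line\n",        /* expect ENOEXEC */
        "#!/nonexistent/interp\necho hi\n",  /* expect ENOENT  */
        "#!/bin/sh\nexit 0\n",               /* expect success */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int err = probe_script(samples[i]);
        printf("sample %zu: execve -> %s; run as own script: %s\n", i,
               err ? strerror(err) : "ok",
               may_run_as_own_script(err, has_shebang(samples[i])) ? "yes" : "no");
    }
    return 0;
}
```

Run as an unprivileged user; the program needs nothing beyond a writable, exec-permitted /tmp and /bin/sh. The point to take from the output is that the kernel already distinguishes "this is not an executable image at all" (ENOEXEC) from "the interpreter named in the #! line could not be run" (ENOENT and friends), so a shell that collapses both into "run it myself" is discarding information the kernel gave it.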