Date: Thu, 06 Apr 2006 14:49:25 +0400
From: "Sply Splyeff" <lists@sply.org>
To: Peter Jeremy <peterjeremy@optushome.com.au>, cv@io.ru
Cc: freebsd-hackers@freebsd.org
Subject: Re: setuid scripts wrapper (RFC, proposal)
Message-ID: <web-5272059@inc.ru>
In-Reply-To: <redirect-1461310@inc.ru>
> The biggest problem is its failure to check the sanity of the input
> parameters - that a particular argument actually exists before
> referencing it.

Do you mean that evil Bob can substitute Alice's script between the stat() and execve() calls? Yes, I've missed this point. We can use realpath and check that all nodes are writable only by the file owner or by root. Yes, that's a big limitation, but for most common tasks it would be acceptable. And it saves us from race conditions, am I right?

And there are other ways, but slower or more complex: an own sub-wrapper for each interpreter that passes the script as a file descriptor, as you wrote at the beginning; hardlinking or copying the files to a safe directory; forking a child and ptrace-ing it to watch whether the files it opens are really the same. Too confusing. But if the first way is ok, maybe it's better to stay with it.

> Other issues I noticed:
> - strncpy() is virtually always the wrong function. You already do
> validation so you could just use strcpy()

Ok. I've replaced it with memcpy, as len is already known.

> - strncpy(penvd + penvsz, "=", 1); could be penvd[penvsz] = '=';

Sure, it was done only to keep all string operations in one style.

> - No error if number of environment variables too great.

Fixed.
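The path walk proposed in the reply above, as an added example that is not code from this thread or from the wrapper it discusses: every node of the realpath()'d script is required to be owned by root or the script's owner and not group/other-writable, and the script is then handed back as a descriptor whose inode fstat() confirmed, in the spirit of the file-descriptor approach mentioned earlier in the thread. The function names, the O_NOFOLLOW choice and the paths used in testing are assumptions of this example.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* A node passes when it is owned by root or by the script's owner and is not
 * writable by group or others (the rule proposed in the reply). */
int node_is_safe(mode_t mode, uid_t node_owner, uid_t script_owner)
{
    if (node_owner != 0 && node_owner != script_owner)
        return 0;
    return (mode & (S_IWGRP | S_IWOTH)) == 0;
}

/* Canonicalise with realpath(), lstat() every prefix ("/", "/usr", ..., the
 * script itself) and apply node_is_safe() to each; then open the script and
 * use fstat() to confirm the descriptor is the very inode just checked, so the
 * interpreter gets a descriptor, not a path that could be swapped. -1 on failure. */
int open_trusted_script(const char *path)
{
    char resolved[PATH_MAX], prefix[PATH_MAX];
    struct stat st, opened;
    size_t i, len; uid_t owner; int fd;

    if (realpath(path, resolved) == NULL || lstat(resolved, &st) != 0 ||
        !S_ISREG(st.st_mode))
        return -1;
    owner = st.st_uid;
    len = strlen(resolved);
    for (i = 1; i <= len; i++) {
        if (i != 1 && i != len && resolved[i] != '/')
            continue;          /* only check at component boundaries */
        memcpy(prefix, resolved, i);
        prefix[i] = '\0';
        if (lstat(prefix, &st) != 0 || !node_is_safe(st.st_mode, st.st_uid, owner))
            return -1;
    }
    /* st now describes the script itself (the last prefix checked) */
    if ((fd = open(resolved, O_RDONLY | O_NOFOLLOW)) < 0)
        return -1;
    if (fstat(fd, &opened) != 0 || opened.st_dev != st.st_dev ||
        opened.st_ino != st.st_ino) {
        close(fd);             /* not the inode we checked: refuse it */
        return -1;
    }
    return fd;
}
```

The check still relies on the directories being unwritable by others, as the reply says; the fstat() comparison only guarantees that the descriptor passed on is the file that was inspected last.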