Date: Sun, 27 Oct 1996 17:13:41 +0100
Message-Id: <199610271613.RAA01836@tangram.xs4all.nl>
From: Jan-Hein Buhrman
To: joerg_wunsch@uriah.heep.sax.de
CC: marcs@worldgate.com, freebsd-bugs@FreeBSD.org
In-reply-to: <199610232049.WAA27794@uriah.heep.sax.de> (j@uriah.heep.sax.de)
Subject: Re: docs/1383

>>>>> "J\"org" == J Wunsch writes:

> As Marc Slemko wrote:
>> > There are not much risks with `interpreted executables' other than
>> > the one described there.  This one however can easily be avoided by
>> > suggesting
>> >
>> >   #!/bin/sh
>> >   exec /usr/sbin/ppp -direct
>> >
>> > in the man page.
>>
>> Not true.  Doing so will NOT avoid the problem.

> Ahhhrg.  I should have read the entire audit-trail before.  Now i see
> that i've already looked at it earlier...

[ About instructing the server side of the telnet session setting the
  envvar "ENV" to "/etc/shells" (see sh(1)), even before a connect is
  initiated. ]

> The shell should really have the equivalent of csh -f.  (sh -q?
> Any opinions on this?)

IIRC, the Korn Shell had a `-p'-option that more-or-less provides this
functionality.  Since this ENV-thing is also a ksh-derived `feature',
perhaps that option could be added.

BTW, IMHO it's a _bad_ thing that Bourne-shell scripts can now suddenly
change drastically in their behaviour (because the caller has a "$ENV"
that is not according to the advice mentioned in the sh man-page)
without a sane possibility for the script writer currently to do
something about it.  I always believed that by sticking to plain
Bourne-Shell scripts I would never have any troubles like a $ENV-file.
Tomorrow they will tell me that the `.' command (for sourcing other
files) will suddenly use the PATH envvar (a major incompatibility
between ksh and sh).

Probably this whole ENV-thing comes from the POSIX people, otherwise I
would vote for *not* sourcing $ENV at all when the shell is not running
interactively (i.e. $- contains no `i') unless some other flag (having
the opposite meaning of ksh's `-p') is set in the interpreter line.
(I'm thinking of all the currently existing shell scripts that need to
be changed otherwise.)

One other thing: Aren't there any other security-related risks with
allowing stuffing the environment even before an actual login is
performed (can't really come up with something, but I'm thinking of
some classic ones, like IFS, LD_*)?

> The only alternative by now to your attack is putting a ``kill 0'' on
> top of /etc/shells.  ;-)
> --
> cheers, J"org

Regards,
-jh
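The point of the thread is that a plain `#!/bin/sh` script is still at the mercy of whatever `$ENV` the caller supplies, so the quoted two-line wrapper does not help. Whether a given `sh` actually reads `$ENV` for a non-interactive script varies between implementations and versions, and an administrator deciding whether this bites them can simply measure it. The probe below is an added example written for this archive page, not code from the mail or from FreeBSD: the function names, the marker variable `ENV_PROBE_MARKER` and the choice of `/bin/sh` as the default interpreter path are my own assumptions. It writes a constructed `$ENV` file whose only effect is to set a marker, writes a constructed script in the same shape as the one quoted above (an interpreter line followed by one command), runs that script non-interactively with `ENV` pointing at the marker file, and reports whether the marker was picked up and whether `$-` contained `i`.

```shell
#!/bin/sh
# Added example, not part of the original mail. Probes whether the sh at
# the path given as $1 (default: /bin/sh, an assumption) reads the file
# named by $ENV when it runs an ordinary non-interactive script.

probe_env_sourcing() {
    shell="${1:-/bin/sh}"
    envfile="$(mktemp)" || return 2
    script="$(mktemp)" || { rm -f "$envfile"; return 2; }

    # Constructed $ENV file: its only effect is to set a marker variable,
    # so afterwards we can tell whether the shell read it at all.
    printf 'ENV_PROBE_MARKER=sourced\n' > "$envfile"

    # Constructed script in the shape of the one quoted in the thread.
    # It prints the marker (or "not-sourced") and whether $- contains
    # 'i'; with no terminal attached the second word should be
    # "non-interactive". Backslashes keep $- and $mode for the inner shell.
    cat > "$script" <<EOF
#!$shell
case \$- in *i*) mode=interactive ;; *) mode=non-interactive ;; esac
printf '%s %s\n' "\${ENV_PROBE_MARKER:-not-sourced}" "\$mode"
EOF

    # Running "$shell $script" is equivalent to executing the script via
    # its interpreter line, without depending on the exec bit of the
    # temporary directory.
    result="$(ENV="$envfile" "$shell" "$script")"
    rm -f "$envfile" "$script"
    printf '%s\n' "$result"
}

# Exit status 0: the shell ignored $ENV for the non-interactive script.
# Exit status 1: it sourced $ENV, i.e. the behaviour the thread warns about.
env_is_ignored_when_noninteractive() {
    case "$(probe_env_sourcing "$1")" in
        not-sourced*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: run with an optional interpreter path, e.g. ./probe.sh /bin/sh
probe_env_sourcing "${1:-/bin/sh}"
```

Output is two words: `sourced` or `not-sourced`, then `interactive` or `non-interactive`. A result of `sourced non-interactive` means scripts under that interpreter inherit the caller's `$ENV` exactly as described in the thread; `not-sourced non-interactive` means that particular `sh` only honours `$ENV` for interactive shells, which is how the current POSIX text and most contemporary implementations behave.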