From owner-freebsd-hackers Thu May 1 05:08:12 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id FAA20305 for hackers-outgoing; Thu, 1 May 1997 05:08:12 -0700 (PDT)
Received: from who.cdrom.com (who.cdrom.com [204.216.27.3]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id FAA20274 for ; Thu, 1 May 1997 05:08:09 -0700 (PDT)
Received: from punt-2.mail.demon.net (relay-11.mail.demon.net [194.217.242.137]) by who.cdrom.com (8.8.5/8.6.11) with SMTP id BAA10531 for ; Thu, 1 May 1997 01:38:46 -0700 (PDT)
Received: from erlenstar.demon.co.uk ([194.222.144.22]) by punt-2.mail.demon.net id aa1013798; 1 May 97 9:34 BST
Received: (from andrew@localhost) by erlenstar.demon.co.uk (8.8.5/8.8.5) id JAA03777; Thu, 1 May 1997 09:34:15 +0100 (BST)
To: Joerg Wunsch
Cc: hackers@freebsd.org
Subject: Re: /bin/sh -c and ENV
References: <87rafr6a0o.fsf@erlenstar.demon.co.uk> <19970501093129.LO56219@uriah.heep.sax.de>
From: Andrew Gierth
In-Reply-To: j@uriah.heep.sax.de's message of Thu, 1 May 1997 09:31:29 +0200
X-Mayan-Date: Long count = 12.19.4.2.5; tzolkin = 9 Chicchan; haab = 3 Uo
X-Attribution: AG
Date: 01 May 1997 09:34:15 +0100
Message-ID: <87afmf616g.fsf@erlenstar.demon.co.uk>
Lines: 36
X-Mailer: Gnus v5.3/Emacs 19.34
Sender: owner-hackers@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

>>>>> "J" == J Wunsch writes:

 >> Just noticed that /bin/sh is executing the ENV file even when invoked
 >> with the -c option. Is this a bug or a feature? :-)

 J> Feature.

Accidental misfeature or deliberate? What reasons exist that justify
this behaviour? What does the POSIX standard say (if anything) about
it?

 >> (Executing the ENV file in calls to system(3) or popen(3) could be
 >> considered a Bad Thing, even in non-suid programs, and the last
 >> system I used where system and popen invoked a Posix shell
 >> specifically disabled the ENV file if the -c option was used.)

 J> . Suid programs that do system() deserve to be shot immediately [...]

 J> . If the shell detects that the real and effective UID are different,
 J>   option -p is in effect, and no $ENV processing happens anyway.

I know - that's why I mentioned non-suid programs.

 J> . If your $ENV file is not bulletproof, go back 10 or 15 years in
 J>   history, go to Berkeley, you'll certainly use a csh. You'll then
 J>   learn how to write .cshrc files that don't depend on the interactive-
 J>   ness of the shell. :-)

I'm not concerned about *my* ENV file - but about others.

Consider: programs that don't expect /bin/sh to be a Posix shell will
not delete ENV from the environment before calling system() or popen()
or invoking /bin/sh in any other way. They are therefore completely
vulnerable to any error in the ENV variable or in the referenced
script.

-- 
Andrew.
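
The mitigation the message implies for callers of system(3), as an added example that is not part of the original post or of FreeBSD: a wrapper that removes ENV from the child's environment before invoking `/bin/sh -c`. The names `system_noenv` and `exit_code` are hypothetical, and scrubbing `BASH_ENV` as well is an assumption beyond what the thread discusses.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Variables naming a startup file the shell may source before running
 * the -c command. ENV is the one from the thread; BASH_ENV is added
 * here as an assumption for systems where /bin/sh is bash. */
static const char *const shell_startup_vars[] = { "ENV", "BASH_ENV", NULL };

/* Hypothetical replacement for system(3): runs cmd via /bin/sh -c in a
 * child whose environment has the startup-file variables removed.
 * Returns the wait status like system(3), or -1 if fork/wait fails.
 * It does not replicate system(3)'s SIGINT/SIGQUIT/SIGCHLD handling. */
int system_noenv(const char *cmd)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Child only: the caller's own environment stays untouched. */
        for (size_t i = 0; shell_startup_vars[i] != NULL; i++)
            unsetenv(shell_startup_vars[i]);
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);                  /* exec failed, as system(3) reports */
    }
    int status;
    while (waitpid(pid, &status, 0) < 0) {
        if (errno != EINTR)
            return -1;
    }
    return status;
}

/* Exit code of the command, or -1 if it did not exit normally. */
int exit_code(int status)
{
    return (status != -1 && WIFEXITED(status)) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    setenv("ENV", "/dev/null", 1);   /* constructed sample value */
    return exit_code(system_noenv("[ -z \"${ENV+set}\" ]"));
}
```

The same scrubbing applies before popen(3) or any direct exec of `/bin/sh`; the shell test `${ENV+set}` only checks whether the variable reached the child, independent of whether the installed shell would have sourced the file.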