Date: Mon, 30 Oct 2000 20:04:33 -0800 From: Kris Kennaway <kris@FreeBSD.ORG> To: James Wyatt <jwyatt@rwsystems.net> Cc: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>, freebsd-security@FreeBSD.ORG Subject: Re: tcsh: unsafe tempfile in << redirects (fwd) Message-ID: <20001030200433.B16017@citusc17.usc.edu> In-Reply-To: <Pine.BSF.4.10.10010302018280.60655-100000@bsdie.rwsystems.net>; from jwyatt@rwsystems.net on Mon, Oct 30, 2000 at 08:59:32PM -0600 References: <20001030173258.B15245@citusc17.usc.edu> <Pine.BSF.4.10.10010302018280.60655-100000@bsdie.rwsystems.net>
next in thread | previous in thread | raw e-mail | index | archive | help
--eAbsdosE1cNLO4uF Content-Type: text/plain; charset=us-ascii Content-Disposition: inline On Mon, Oct 30, 2000 at 08:59:32PM -0600, James Wyatt wrote: > I can see your (and David G. Andersen's) point about this and agree. (Your > answers to my response were much clearer than the original comment.) This > also argues against allowing suid shell-scripts anywhere. Are there any > shells that are audited for correctness or security? (does sh qualify?) Is > using Perl for system scripts really more secure than shell scripts? - Jy@ Perl at least tries to taint external input, etc. I don't know of any POSIX-like shells which have this feature. Kris --eAbsdosE1cNLO4uF Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iEUEARECAAYFAjn+RNAACgkQWry0BWjoQKXYYwCXdCpw8iMFfhhut3fjwca0ygTm FwCgjJuPc94tojzoxkhgAiSXZJ4OxQY= =/wyh -----END PGP SIGNATURE----- --eAbsdosE1cNLO4uF-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20001030200433.B16017>