Date: Mon, 30 Oct 2000 20:59:32 -0600 (CST)
From: James Wyatt <jwyatt@rwsystems.net>
To: Kris Kennaway <kris@FreeBSD.ORG>
Cc: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>, freebsd-security@FreeBSD.ORG
Subject: Re: tcsh: unsafe tempfile in << redirects (fwd)
Message-ID: <Pine.BSF.4.10.10010302018280.60655-100000@bsdie.rwsystems.net>
In-Reply-To: <20001030173258.B15245@citusc17.usc.edu>

On Mon, 30 Oct 2000, Kris Kennaway wrote:
> On Mon, Oct 30, 2000 at 06:59:12PM -0600, James Wyatt wrote:
> > On Mon, 30 Oct 2000, Kris Kennaway wrote:
> > > On Mon, Oct 30, 2000 at 01:26:41PM -0800, Cy Schubert - ITSD Open Systems Group wrote:
> > > > Our tcsh appears vulnerable. So is the 44bsd-csh port.
> > >
> > > Yep, stupid braindead $*&^*# shells...
> >
> > Was that comment *really* necessary? I use bash myself, but have enough
> > users using tcsh (and ksh, etc) that I care about them too. Of course,
> > some folks consider Emacs their shell... Most are just glad to have
> > something besides command.com to work with. (^_^)
>
> I don't care about features of the shell, I care about braindead
> coding practises like thinking you don't have to worry that your
> filename is predictable and is created insecurely.

I can see your (and David G. Andersen's) point about this and agree. (Your
answers to my response were much clearer than the original comment.) This
also argues against allowing suid shell-scripts anywhere.

Are there any shells that are audited for correctness or security? (does
sh qualify?) Is using Perl for system scripts really more secure than
shell scripts? - Jy@
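
The coding practice criticised in the quoted text (a temporary file whose name is predictable and which is created insecurely), set beside exclusive creation and `mkstemp()`. This is an added example, not part of the original message and not tcsh's code; the scratch directory, the name `sh12345` and the file content are constructed for the demonstration.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak: fixed name, no O_EXCL. An entry already at that name is reused and emptied. */
static int open_predictable(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Better: O_EXCL fails with EEXIST if the name exists, symbolic links included. */
static int open_exclusive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

static long file_size(const char *p) {
    struct stat st;
    return stat(p, &st) == 0 ? (long)st.st_size : -1;
}

/* Runs in a private scratch directory. Result bits:
 * 1 = weak open emptied a file it did not create, 2 = O_EXCL open refused it,
 * 4 = mkstemp() returned a fresh regular file with mode 0600. */
int run_demo(void) {
    char dir[] = "/tmp/heredoc-demo-XXXXXX", guess[64], tmpl[64];
    struct stat st;
    int fd, result = 0;
    if (!mkdtemp(dir)) return -1;
    snprintf(guess, sizeof guess, "%s/sh12345", dir);   /* constructed guessable name */
    snprintf(tmpl, sizeof tmpl, "%s/sh.XXXXXX", dir);
    /* Someone else got to the guessable name first (constructed content). */
    fd = open(guess, O_WRONLY | O_CREAT, 0644);
    if (fd < 0 || write(fd, "not yours\n", 10) != 10) return -1;
    close(fd);
    fd = open_exclusive(guess);
    if (fd < 0 && errno == EEXIST) result |= 2; else if (fd >= 0) close(fd);
    fd = open_predictable(guess);
    if (fd >= 0) { close(fd); if (file_size(guess) == 0) result |= 1; }
    fd = mkstemp(tmpl);              /* random suffix, created with O_EXCL */
    if (fd >= 0 && fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && (st.st_mode & 0777) == 0600) result |= 4;
    if (fd >= 0) close(fd);
    unlink(guess); unlink(tmpl); rmdir(dir);
    return result;
}

int main(void) { printf("result bits: %d\n", run_demo()); return 0; }
```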