On Sun, 02.06.2002, at 10:49, Doug McClendon wrote:
> Liam R. E. Quin wrote:
>
> >the security stuff is to
> >do with unquoted shell variables
>
> Can you explain, or give me a pointer to a relevant faq/document? I found the
> "NCSA Secure Programming Guidelines", and it mentions the IFS thing, but
> nothing about quoted vs unquoted variables. It also fails to mention why
> setting IFS is a good thing.
>
IFS is used to split the results of variable substitution. I.e. if somebody
sets IFS=: and then does

    IFS=:
    foo=rm:-rf:/
    $foo

it will split $foo into separate words and then execute the result ... all of
this is pretty much basic shell programming. Note that SUS V3 actually
recommends that the shell should ignore an IFS value found in the environment,
which is always a good thing. The current version of bash does it.

> Really I'm just looking to develop good shell scripting style. So if there
> are guidelines on when you should quote things, and when not to (even when
> both ways seem to work), I would like to know. As well as any other similar
> techniques.
>
> -dmc
>
> >- probably IFS should be set
> >somewhere, too, for the case where someone does su from a malicious
> >user's terminal, then runs an init script.

It is not an issue because bash ignores inherited IFS. And I actually fail to
see how you can do su from a malicious terminal unless you _are_ the malicious
person ... in which case if you can do su you can do everything.

-andrej

P.S. Could you in future use unified diff please? It is much easier to review.
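
The quoting and inherited-IFS points discussed in this message, as an added example that is not part of the original thread: it counts the words produced by quoted and unquoted expansion under IFS=:, and checks whether a given shell honours an IFS value passed through the environment. All function names and the sample value are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread; every name below is hypothetical.

# Print the number of words the shell passed as arguments.
count_args() { echo "$#"; }

# Constructed, harmless sample value using ':' as in the message above.
sample='printf:%s:hello'

# Unquoted expansion under IFS=: is field-split into three words.
words_unquoted() { ( IFS=:; count_args $sample ); }

# Quoted expansion is never field-split, whatever IFS holds.
words_quoted() { ( IFS=:; count_args "$sample" ); }

# A script that resets IFS itself does not depend on the value it started with.
words_after_reset() {
    (
        IFS=:                       # simulate an unexpected value in effect
        IFS=$(printf ' \t\nx')      # space, tab, newline, plus a guard char
        IFS=${IFS%x}                # drop the guard; the newline survives
        count_args $sample
    )
}

# Ask the shell named in $1 whether it honours IFS from the environment.
# Prints 1 if the inherited value was ignored, 3 if it was used.
words_with_inherited_ifs() {
    IFS=: "$1" -c 'v=a:b:c; set -- $v; echo "$#"'
}
```

Running words_with_inherited_ifs against each interpreter that executes init scripts on a system shows whether the explicit reset in words_after_reset is needed there.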
