Josh Hurst writes:
> On 10/29/08, James Carlson <james.d.carlson at sun.com> wrote:
> > The usage case is for processes that are attempting to use
> > user-configured strings that may have been configured with a different
> > level of privilege than the current process. It's an escalation threat.
>
> Use rksh to prevent this escalation threat. Creating a new API which
> can't get even the basic rules of quoting right isn't the way to go
That's insufficient. rksh can still execute things that the original
designer didn't intend. Consider, as a hypothetical example, some code
like this (and ignore all the code review issues, please):

  sprintf(buf, "rm -rf /tmp/%s.my.stuff", user_stuff);
  system(buf);

If "user_stuff" were to be passed in as:

  "; cp /bin/sh /tmp/gotcha; chmod 4555 /tmp/gotcha ; echo"

... then we'd have a security problem, and merely invoking rksh (without
creating a whole new /usr/rbin world) would not resolve the problem.

-- 
James Carlson, Solaris Networking              <james.d.carlson at sun.com>
Sun Microsystems / 35 Network Drive        71.232W   Vox +1 781 442 2084
MS UBUR02-212 / Burlington MA 01803-2757   42.496N   Fax +1 781 442 1677
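The vulnerable sprintf()/system() pattern from James Carlson's message beside a form that never hands the user string to a shell at all, as an added example that is not part of the original thread and not code from any of its participants. Only the injection string is taken from the message; the helper names, the allowlist rule ([A-Za-z0-9_-], bounded length) and the sample name "alice" are assumptions of this example. The point it makes is the one in the message: a restricted shell still parses ';' as a command separator, so the fix is to stop invoking a shell (execv() with an argv) and to validate the string against what the program actually expects, rather than to swap /bin/sh for rksh.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Constructed sample inputs. INJECTED is the string from the message;
 * SAFE_NAME is an assumed benign value. */
#define SAFE_NAME "alice"
#define INJECTED  "; cp /bin/sh /tmp/gotcha; chmod 4555 /tmp/gotcha ; echo"

/* The pattern from the message: the string that system() would hand to
 * /bin/sh (or rksh). Returns the length written, or -1 on truncation.
 * Deliberately kept in its injectable form; it is never executed here. */
int build_rm_command(char *buf, size_t buflen, const char *user_stuff)
{
    int n = snprintf(buf, buflen, "rm -rf /tmp/%s.my.stuff", user_stuff);
    return (n < 0 || (size_t)n >= buflen) ? -1 : n;
}

/* Characters a Bourne-family shell, restricted or not, treats as syntax:
 * command separators, redirections, substitution, quoting and globbing. */
int shell_metachar_present(const char *s)
{
    return strpbrk(s, ";|&`$()<>'\"\\ \t\n*?[]{}~") != NULL;
}

/* Allowlist validation (assumed policy): only [A-Za-z0-9_-], non-empty,
 * bounded length. '/' and '.' are rejected, so "../" cannot leave /tmp. */
int validate_user_stuff(const char *s)
{
    size_t len = strlen(s);
    if (len == 0 || len > 64)
        return 0;
    for (size_t i = 0; i < len; i++) {
        char c = s[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '_' || c == '-';
        if (!ok)
            return 0;
    }
    return 1;
}

/* Hardened form: validate, then build an argv for execv() instead of a
 * command line for system(). argv must hold 4 pointers and path must
 * outlive it. Returns 0 on success, -1 if the name is rejected. */
int build_rm_argv(char *path, size_t pathlen, const char *user_stuff,
                  char *argv[4])
{
    if (!validate_user_stuff(user_stuff))
        return -1;
    int n = snprintf(path, pathlen, "/tmp/%s.my.stuff", user_stuff);
    if (n < 0 || (size_t)n >= pathlen)
        return -1;
    argv[0] = "rm";
    argv[1] = "-rf";
    argv[2] = path;
    argv[3] = NULL;
    return 0;
}

/* Runs /bin/rm directly via fork()/execv(): no shell ever parses the name,
 * so a ';' could at most be part of a filename, never a second command.
 * Returns rm's exit status, or -1 on rejection or fork/wait failure. */
int run_rm_noshell(const char *user_stuff)
{
    char path[128];
    char *argv[4];
    if (build_rm_argv(path, sizeof path, user_stuff, argv) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv("/bin/rm", argv);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char cmd[256];
    build_rm_command(cmd, sizeof cmd, INJECTED);
    printf("what system() would hand to the shell:\n  %s\n", cmd);
    printf("shell syntax in the input? %d\n", shell_metachar_present(INJECTED));
    printf("allowlist accepts the injected string? %d\n", validate_user_stuff(INJECTED));
    printf("allowlist accepts \"%s\"? %d\n", SAFE_NAME, validate_user_stuff(SAFE_NAME));
    /* Only a validated name reaches rm, and only as a single argv element. */
    printf("rm exit status for \"%s\": %d\n", SAFE_NAME, run_rm_noshell(SAFE_NAME));
    return 0;
}
```

The shell-metacharacter scan is there to show why a denylist is the wrong tool: the set of characters rksh interprets is long and version-dependent, whereas the allowlist in validate_user_stuff() describes the one thing the program needs (a short token that will become a file name). Even without validation, the argv form cannot be turned into "cp /bin/sh /tmp/gotcha", because nothing between the program and execv() tokenizes the string.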