Josh Hurst writes:
> On 10/29/08, James Carlson <james.d.carlson at sun.com> wrote:
> >  The usage case is for processes that are attempting to use
> >  user-configured strings that may have been configured with a different
> >  level of privilege than the current process.  It's an escalation threat.
> 
> Use rksh to prevent this escalation threat. Creating a new API which
> can't get even the basic rules of quoting right isn't the way to go.

That's insufficient.  rksh can still execute things that the original
designer didn't intend.

Consider, as a hypothetical example, some code like this (and ignore
all the code review issues, please):

        sprintf(buf, "rm -rf /tmp/%s.my.stuff", user_stuff);
        system(buf);

If "user_stuff" were to be passed in as:

        "; cp /bin/sh /tmp/gotcha; chmod 4555 /tmp/gotcha ; echo"

... then we'd have a security problem, and merely invoking rksh
(without creating a whole new /usr/rbin world) would not resolve the
problem.

-- 
James Carlson, Solaris Networking              <james.d.carlson at sun.com>
Sun Microsystems / 35 Network Drive        71.232W   Vox +1 781 442 2084
MS UBUR02-212 / Burlington MA 01803-2757   42.496N   Fax +1 781 442 1677
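As an added illustration of the point above (not part of the original message or of any Sun code), here is the same "remove the user's scratch directory" operation written so that the user-supplied string never reaches a shell: the name is checked against an allow-list and passed to rm as a separate argv element. The helper names (is_safe_name, build_stuff_path, remove_my_stuff) are hypothetical.

```c
/* Added example, not from the original thread; the function names are
 * hypothetical.  Same operation as sprintf+system, but with no shell. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define STUFF_DIR "/tmp"
#define MAX_NAME 64

/* Allow-list: only [A-Za-z0-9_-], 1..MAX_NAME chars.  ';', '/', space,
 * '..' and any other shell or path metacharacter are rejected outright. */
int is_safe_name(const char *s)
{
    size_t i, n;
    if (s == NULL) return 0;
    n = strlen(s);
    if (n == 0 || n > MAX_NAME) return 0;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '_' && c != '-') return 0;
    }
    return 1;
}

/* Build "/tmp/<name>.my.stuff" into buf; -1 on unsafe name or overflow. */
int build_stuff_path(char *buf, size_t len, const char *name)
{
    int r;
    if (!is_safe_name(name)) return -1;
    r = snprintf(buf, len, "%s/%s.my.stuff", STUFF_DIR, name);
    if (r < 0 || (size_t)r >= len) return -1;
    return 0;
}

/* fork/execv rm -rf <path>: argv is an array of separate strings, so no
 * shell ever parses user input.  Returns rm's exit status or -1. */
int remove_my_stuff(const char *name)
{
    char path[256];
    pid_t pid; int status;
    if (build_stuff_path(path, sizeof path, name) != 0) return -1;
    char *const argv[] = { "rm", "-rf", path, NULL };
    pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execv("/bin/rm", argv); _exit(127); }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

With this shape, the injected string from the message above fails validation before anything is executed, and rksh is not needed at all.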
