Re: Vulnerability in Lizards game

From: Zoltan Hidvegi (hzoliat_private)
Date: Tue Nov 18 1997 - 19:14:49 PST

Joe Zbiciak wrote:
> John Dow said previously:
>
> |  - but then again, my system("clear") wasn't particularly
> | elegant either. How about system("/usr/bin/clear")?
>
> That won't work.  An attack along these lines will slice through
> that "fix" pretty quickly, if I'm not mistaken.
>
> export IFS=/
> export PATH=.:$PATH
> echo "cp /bin/sh ./root_sh; chmod 4755 ./root_sh" > ./usr
> chmod 755 ./usr
> lizards

Actually recent POSIX shells are immune to this kind of attack, since IFS
is only used to split the result of parameter expansion.  No shells under
Linux have this behaviour.  This system() call seems to be secure, but it
is still bad practice.

Recent shells disable .bashrc, $ENV etc. processing when euid != uid or
egid != gid and functions are not imported (see the privileged option in
the bash manual).

> "system()" is just not cut out for security.

Definitely.  And its performance is also quite bad.  It's a waste of
resources to fork/exec a large shell just to execute a tiny program.

Zoltan

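The shell-free replacement for system("/usr/bin/clear") that the thread argues for, as an added example (not code from the original post or from the lizards game): it execs the program by absolute path with a fixed environment, so neither IFS, PATH nor $ENV processing is ever consulted, and it avoids the cost of spawning a shell. The function names, the fixed PATH value and the TERM character whitelist are assumptions of this example.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Only allow a TERM value made of the characters terminfo names use, so the
 * setuid program never forwards an arbitrary user string to the child. */
int term_is_safe(const char *t)
{
    const char *ok = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
                     "0123456789-._+";
    return t != NULL && t[0] != '\0' && strlen(t) < 64 && strspn(t, ok) == strlen(t);
}

/* Shell-free replacement for system("clear"): fork and execve the program by
 * absolute path with a fixed environment, so no IFS, PATH or $ENV processing
 * is involved.  Returns the child's exit status, 127 if the exec failed,
 * or -1 on a local error (errno set). */
int run_noshell(const char *path, char *const argv[])
{
    char term_buf[80];
    char *envp[3];
    int n = 0;

    if (path == NULL || path[0] != '/') {   /* refuse PATH-relative names */
        errno = EINVAL;
        return -1;
    }
    envp[n++] = "PATH=/usr/bin:/bin";       /* assumed fixed PATH for the child */
    const char *term = getenv("TERM");
    if (term_is_safe(term)) {               /* clear(1) needs TERM; pass it only if clean */
        snprintf(term_buf, sizeof term_buf, "TERM=%s", term);
        envp[n++] = term_buf;
    }
    envp[n] = NULL;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(path, argv, envp);
        _exit(127);                         /* exec failed: same code a shell would use */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```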

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:32:16 PDT