Subject: (in)secure /bin/sh scripts
To: None <current-users@sun-lamp.cs.berkeley.edu>
From: None <Mark_Weaver@brown.edu>
List: current-users
Date: 07/22/1994 13:40:23
When /bin/sh starts up, it reads in the file named in the environment
variable "ENV". I don't see any option that can turn this off,
from looking at both the man page and the source.
This seems like a gaping security hole to me. Assuming I read the
source correctly, can I suggest making sh ignore ENV by default if
uid!=euid?
*** src/bin/sh/main.c.mhw1 Sun Jun 12 06:01:35 1994
--- src/bin/sh/main.c Fri Jul 22 13:30:47 1994
***************
*** 159,166 ****
}
state2:
state = 3;
! if ((shinit = lookupvar("ENV")) != NULL &&
! *shinit != '\0') {
state = 3;
read_profile(shinit);
}
--- 159,167 ----
}
state2:
state = 3;
! if (getuid() == geteuid() &&
! (shinit = lookupvar("ENV")) != NULL &&
! *shinit != '\0') {
state = 3;
read_profile(shinit);
}
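Review bot: the new guard on the `!` lines compares only the real and effective uid, so a script run setgid (without setuid) still has the file named in ENV read on startup; suggest extending the condition to `getuid() == geteuid() && getgid() == getegid() &&` before the `lookupvar("ENV")` test. The hunk also relies on getuid()/geteuid() being declared; the includes are not visible here, so confirm main.c already pulls in <unistd.h>.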
I haven't extensively looked for other possible security holes,
but as long as sh isn't a login shell, I don't think it loads any
other files. Of course, always make sure you set your PATH at the
beginning of the script.
Mark
--------------------------------------------------------------------
Email: Mark_Weaver@brown.edu | Brown University
PGP Key: finger mhw@cs.brown.edu | Dept of Computer Science
------------------------------------------------------------------------------