Re: Adding a simple editor to the base system

To: "D'Arcy J.M. Cain" <darcy%druid.net@localhost>
Subject: Re: Adding a simple editor to the base system
From: Arnaud Lacombe <lacombar%gmail.com@localhost>
Date: Thu, 12 Feb 2009 13:32:14 -0500

On Thu, Feb 12, 2009 at 11:48 AM, D'Arcy J.M. Cain <darcy%druid.net@localhost> 
wrote:
> ------------ File: /usr/bin/edit -----------
> #! /bin/sh
> exec ${EDITOR:-/usr/bin/vi}
> --------------------------------------------
>
This looks like the "alternatives" sub-system Debian had for at least
14years[0], except that your proposal can be exploited very easily:
 1) make ${EDITOR} point to an evil binary
 2) make the user become root (using su(1))
 3) tell him to edit a file
 4) evil 1 - user 0

 - Arnaud

[0]: not less if I trust the copyright notice of `/usr/sbin/update-alternatives'

References:
- Re: Adding a simple editor to the base system
  - From: Iain Hibbert
- Re: Adding a simple editor to the base system
  - From: David Brownlee
- Re: Adding a simple editor to the base system
  - From: D'Arcy J.M. Cain

Prev by Date: Re: Input line editing
Next by Date: Re: Input line editing
Previous by Thread: Re: Adding a simple editor to the base system
Next by Thread: Re: Adding a simple editor to the base system
Indexes:

Home | Main Index | Thread Index | Old Index