[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
read -e allows execution of commands (edit-and-execute-command) as the s
|
From: |
Eduardo Bustamante |
|
Subject: |
read -e allows execution of commands (edit-and-execute-command) as the shell's process user |
|
Date: |
Mon, 8 May 2017 12:31:42 -0500 |
I think `edit-and-execute-command' shouldn't be allowed under `read -e'.
dualbus@debian:~$ cat prompt.sh
#!/bin/bash
declare -p UID EUID
read -p '> ' -e
declare -p REPLY
dualbus@debian:~$ id -u
1000
dualbus@debian:~$ sudo ./prompt.sh
declare -ir UID="0"
declare -ir EUID="0"
>
id -u
0
> bye
declare -- REPLY="bye"
The user can protect against this specific problem with:
dualbus@debian:~$ cat prompt.sh
#!/bin/bash
declare -p UID EUID
VISUAL=: read -p '> ' -e
declare -p REPLY
Although I'm not sure. Perhaps it's better to just discourage the use
of `read -e' if the input cannot be trusted. Since there are other
problems inherent to this approach (enumerate files with
glob-expand-word).
The particular case where I think this could be a problem is in the
situation where a system administrator allows a user to run a specific
script (and that script only) with elevated privileges using sudo, and
a malicious user abuses `edit-and-execute-command' to workaround the
restriction.
- read -e allows execution of commands (edit-and-execute-command) as the shell's process user,
Eduardo Bustamante <=