Re: GNU Sharutils and security
From: Bruno Haible
Subject: Re: GNU Sharutils and security
Date: Fri, 16 Jul 2004 19:36:13 +0200
User-agent: KMail/1.5
Paul Eggert wrote:
> Perhaps the simplest way would be to revert the November 1994 change,
> which merged GNU shar 4.0 and GNU uuencode 1.0 into GNU sharutils 4.1.
> We could, for example, rename GNU sharutils back to GNU uuencode and
> bump the version number, thus removing shar and unshar.
I agree this would be good.
> If simply removing shar and unshar is considered to be too drastic,
> another possibility is to substitute a "safer" unshar, which doesn't
> actually invoke the shell, but which verifies the input and only does
> "safe" things.
Still this would get the wrong message around the globe. We need to
emphasize to people that text files that start with "#!/bin/sh" are
untrusted and should not be used for transmitting data. We have tar and
zip for that.
Furthermore a program which "doesn't actually invoke the shell, but which
verifies the input and only does "safe" things" would be very complex -
at some points even more complex than the shell itself. I wouldn't want
to invest effort in such a program - especially if it makes it more
complicated for the average user to understand which operations are safe
and which are unsafe/trojan-carriers.
Bruno
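The "safer unshar" that Paul Eggert proposes and Bruno Haible argues against can be made concrete. The following is an added example, not code from GNU sharutils or from either author: an extractor that never hands the archive to sh, accepts only one allow-listed shape of file block, and rejects any other line as an unverified shell command. It assumes the archive is built from the `sed 's/^X//' << 'SHAR_EOF' > 'NAME' &&` heredoc construct (an assumption about the shar layout, not something the thread states); the sample archives are constructed for the example, and `safe_unshar`, `UnsafeShar` and `is_rejected` are names chosen here.

```python
"""Allow-list unshar: extract a shar archive without invoking the shell.

Added example, not sharutils code. Assumed archive shape (one block per file):

    sed 's/^X//' << 'SHAR_EOF' > 'NAME' &&
    X<content line>
    ...
    SHAR_EOF

Everything that is not a comment, a blank line, or exactly that block is
refused. The cost of this safety is visible in the code: every additional
construct a real shar may emit (mkdir, chmod, touch, test -f ...) would need
its own grammar here, which is the complexity Bruno Haible objects to.
"""
import re
from typing import Dict

# The only shell line this extractor is willing to interpret. The file name
# may not contain quotes or '/', so it cannot escape the current directory.
FILE_START = re.compile(r"^sed 's/\^X//' << 'SHAR_EOF' > '([^'/]+)' &&$")


class UnsafeShar(ValueError):
    """Raised when the archive contains anything outside the allow-list."""


def safe_unshar(text: str) -> Dict[str, str]:
    """Return {filename: content} or raise UnsafeShar. Never runs sh."""
    files: Dict[str, str] = {}
    lines = text.split("\n")
    i = 0
    while i < len(lines):
        line = lines[i]
        i += 1
        # '#!/bin/sh' and shar's banner are comments to sh, so they are
        # harmless here; anything else must match the allow-listed block.
        if line == "" or line.startswith("#"):
            continue
        m = FILE_START.match(line)
        if not m:
            raise UnsafeShar(f"line {i}: refusing shell text: {line!r}")
        name = m.group(1)
        if name in (".", ".."):
            raise UnsafeShar(f"line {i}: refusing file name {name!r}")
        body = []
        while True:  # read the heredoc body up to its terminator
            if i >= len(lines):
                raise UnsafeShar(f"{name}: unterminated heredoc")
            raw = lines[i]
            i += 1
            if raw == "SHAR_EOF":
                break
            if not raw.startswith("X"):
                raise UnsafeShar(f"line {i}: heredoc line without X prefix")
            body.append(raw[1:])  # what sed 's/^X//' would produce
        files[name] = "\n".join(body) + "\n"
    return files


def is_rejected(text: str) -> bool:
    """True if the extractor refuses the archive (used by the demo/test)."""
    try:
        safe_unshar(text)
    except UnsafeShar:
        return True
    return False


# Constructed sample: a well-formed archive carrying one text file.
BENIGN = """#!/bin/sh
# This is a shell archive (constructed sample, not produced by GNU shar).
sed 's/^X//' << 'SHAR_EOF' > 'hello.txt' &&
Xhello, world
XX marks a data line that really starts with X
SHAR_EOF
"""

# Constructed sample: same archive with one extra line. To sh it is just
# another command; to this extractor it is a reason to reject everything.
TROJAN = BENIGN + "touch /tmp/pwned-by-shar\n"

# Constructed sample: the only shell line is fine, but the target escapes
# the current directory, so the regex refuses it.
TRAVERSAL = "sed 's/^X//' << 'SHAR_EOF' > '../x' &&\nXdata\nSHAR_EOF\n"


if __name__ == "__main__":
    print(safe_unshar(BENIGN))
    print("trojan rejected:", is_rejected(TROJAN))
    print("traversal rejected:", is_rejected(TRAVERSAL))
```

Running it with `sh -n` in mind makes the point of the thread: all three samples are syntactically valid shell scripts, and only a parser that reimplements the exact subset of shell grammar it wants to trust can tell them apart. Each new shar feature you allow widens that grammar.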