Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!watmath!clyde!rutgers!lll-lcc!pyramid!prls!mips!dce
From: dce@mips.UUCP
Newsgroups: comp.unix.wizards
Subject: Re: "special" shells a security hole?
Message-ID: <169@quacky.mips.UUCP>
Date: Sun, 8-Feb-87 23:30:31 EST
Article-I.D.: quacky.169
Posted: Sun Feb 8 23:30:31 1987
Date-Received: Tue, 10-Feb-87 02:27:44 EST
References: <3953@brl-adm.ARPA> <2590002@hpisod2.HP> <3037@gitpyr.gatech.EDU> <1317@ho95e.ATT.COM>
Reply-To: dce@quacky.UUCP (David Elliott)
Organization: MIPS Computer Systems, Sunnyvale, CA
Lines: 46

In article <1317@ho95e.ATT.COM> wcs@ho95e.UUCP (46133-#Bill.Stewart,2G202,x0705,) writes:
>In article <3037@gitpyr.gatech.EDU> robert@gitpyr.UUCP (Robert Viduya) writes:
>>Watch out for programs that allow shell escapes but ignore SHELL, though.
>>I don't know of any that do, but that doesn't mean they don't exist.
>>They're anti-social anyway.
>
>The "system(3)" subroutine call does this, at least on V7, 4.1BSD, and
>System V Release 0 and 2. A lot of commands use it, including /bin/mail.
>Aside from being anti-social (4.*BSD and SVR2 are old enough to know better),
>it can also be a source of bugs and/or security risks.
>--
># Bill Stewart, AT&T Bell Labs 2G-202, Holmdel NJ 1-201-949-0705 ihnp4!ho95c!wcs

I'm not quite sure what Bill means here, but it appears that he is saying
that he feels that it is improper for system(3) to ignore the value of
SHELL. If this is the case, then I have to strongly disagree.

When I write a program that uses system(), I am assuming that it will use
/bin/sh. Without that assumption, the most I can expect to execute is a
command like

	command 'arg1' 'arg2' ... < 'infile' > 'outfile'

and I'm expecting a lot here (command execution syntax, quoting, and
redirection must be sh-compatible, so any kind of new shell, such as a
Lisp-based shell, would be out of the question). (You might argue that the
quoting doesn't matter, but that's another discussion.)
And, if all I can expect is the above, I'm much better off writing a
fork/redirect/exec subroutine than using system(), for better speed and
control.

The idea of using the SHELL environment variable is something that really
wreaks havoc when you port the System V.2 or better version of make(1) to a
BSD system (or use it in System V.3). Take a look around and count how many
makefiles would break if run using csh instead of sh. The person that came
up with this method really needs a talking to. We ended up changing sh to
not import the value of SHELL from the environment. If a makefile needs to
use a different shell, it should be specifiable on a per-makefile basis,
instead of having the user screw something up unknowingly.

shell, the user can just

--
David Elliott
UUCP: {decvax,ucbvax,ihnp4}!decwrl!mips!dce, DDD: 408-720-1700
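The fork/redirect/exec subroutine the post prefers over system(), as an added example that is not code from the post or from any of the systems it mentions. It runs an argument vector directly with execvp(), redirecting stdin and stdout from files, so no shell (sh, csh or anything else) ever parses the command line; the function names, the sample argument string and the /tmp output paths are this example's own assumptions. The second function runs a comparable string through system() so the difference is visible: with execvp() the `;` and `$HOME` in an argument reach the program verbatim, while system() hands them to /bin/sh, which splits the line on `;` and performs redirection.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run argv[0] with the given argv, optionally redirecting stdin from
 * infile and stdout to outfile, without invoking any shell.
 * Returns the child's exit status (0..255), or -1 on failure. */
int run_argv(char *const argv[], const char *infile, const char *outfile)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Child: set up redirections with open/dup2, then exec. */
        if (infile) {
            int fd = open(infile, O_RDONLY);
            if (fd < 0 || dup2(fd, STDIN_FILENO) < 0)
                _exit(127);
            close(fd);
        }
        if (outfile) {
            int fd = open(outfile, O_WRONLY | O_CREAT | O_TRUNC, 0600);
            if (fd < 0 || dup2(fd, STDOUT_FILENO) < 0)
                _exit(127);
            close(fd);
        }
        execvp(argv[0], argv);  /* argv is passed through untouched */
        _exit(127);             /* exec failed; mimic sh's convention */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Read up to n-1 bytes of a file into buf; returns bytes read or -1. */
static int read_file(const char *path, char *buf, size_t n)
{
    FILE *f = fopen(path, "r");
    if (!f)
        return -1;
    size_t got = fread(buf, 1, n - 1, f);
    fclose(f);
    buf[got] = '\0';
    return (int)got;
}

/* No shell in the way: the argument (a constructed string that would be
 * a command separator, a variable and a redirection to sh) is echoed
 * literally. Returns 1 if the output file holds exactly that string. */
int metachars_are_literal(const char *outfile)
{
    char arg0[] = "echo";
    char arg1[] = "$HOME; echo injected > /dev/null";
    char *argv[] = { arg0, arg1, NULL };
    if (run_argv(argv, NULL, outfile) != 0)
        return 0;
    char buf[256];
    if (read_file(outfile, buf, sizeof buf) < 0)
        return 0;
    return strcmp(buf, "$HOME; echo injected > /dev/null\n") == 0;
}

/* Contrast: system() passes the line to /bin/sh, which treats ';' as a
 * command separator and '>' as redirection. Returns 1 if only the second
 * command's output landed in outfile, i.e. sh parsed the line. */
int shell_splits_on_semicolon(const char *outfile)
{
    char cmd[512];
    snprintf(cmd, sizeof cmd, "echo first; echo second > %s", outfile);
    if (system(cmd) != 0)
        return 0;
    char buf[256];
    if (read_file(outfile, buf, sizeof buf) < 0)
        return 0;
    return strcmp(buf, "second\n") == 0;
}

int main(void)
{
    printf("execvp keeps metacharacters literal: %d\n",
           metachars_are_literal("/tmp/run_argv_demo1.txt"));
    printf("system() lets sh split on ';':       %d\n",
           shell_splits_on_semicolon("/tmp/run_argv_demo2.txt"));
    return 0;
}
```

Because run_argv() never consults SHELL or /bin/sh, the question the thread raises (which shell system() should honour) does not arise for it, and untrusted data in an argument cannot become extra commands; the cost is that the caller has to do its own word splitting and redirection, which is the trade the post describes.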