Path: utzoo!mnetor!uunet!mcvax!enea!liuida!mikpe
From: mikpe@senilix.liu.se (Mikael Pettersson)
Newsgroups: comp.bugs.sys5
Subject: Re: A security hole + FIX(?)
Message-ID: <766@senilix.liu.se>
Date: 24 Mar 88 23:03:26 GMT
References: <181@wsccs.UUCP> <722@rivm05.UUCP> <478@minya.UUCP> <892@cosmo.UUCP> <175@pcsbst.UUCP>
Organization: CIS Dept, Univ of Linkoping, Sweden
Lines: 26

In article <175@pcsbst.UUCP> jh@pcsbst.UUCP (Johannes Heuft) writes:
>In article <892@cosmo.UUCP> jum@cosmo.UUCP (Jens-Uwe Mager(sysop))
>reveals the IFS trick.
> ...
>Does somebody care to comment or add to the list??

The IFS stuff can be dealt with by patching the shell. Those with source
could easily add a putenv("IFS= \t\n") (or something equivalent) in some
convenient place to stop the shell from inheriting IFS.

If you don't have source, you could do what I did on a SVR2(-like) machine
I'm administrating. Write a small program that simply does:
		putenv("IFS= \t\n");
		execv("/bin/.real-sh", argv);
and call it /bin/sh. (you mv'd /bin/sh to /bin/.real-sh before of course!).
This works Ok on my machine. Does anybody know of any reasons why somehting
like this shouldn't be done?

>The IFS problem is fixed in SVR3.

How?
-- 
Mikael Pettersson           ! Internet:mpe@ida.liu.se
Dept of Comp & Info Science ! UUCP:    mpe@liuida.uucp  -or-
University of Linkoping     !          {mcvax,munnari,uunet}!enea!liuida!mpe
Sweden                      ! ARPA:    mpe%ida.liu.se@uunet.uu.net