Xref: utzoo comp.unix.wizards:13675 news.admin:4359 news.sysadmin:1997
Path: utzoo!attcan!uunet!ncrlnk!ncr-sd!hp-sdd!ucsdhub!sdcsvax!ucsd!rutgers!mailrus!purdue!decwrl!eda!jim
From: jim@eda.com (Jim Budler)
Newsgroups: comp.unix.wizards,news.admin,news.sysadmin
Subject: Re: unshar business
Message-ID: <420@eda.com>
Date: 23 Dec 88 21:14:52 GMT
References: <232@logicon.arpa> <7876@well.UUCP> <395@eda.com> <164@ecicrl.UUCP> <397@eda.com> <167@ecicrl.UUCP> <419@eda.com>
Reply-To: jim@eda.com (Jim Budler)
Organization: EDA Systems,Inc. Santa Clara, CA
Lines: 160

In article <419@eda.com> jim@eda.com (Jim Budler) writes:
| In article <167@ecicrl.UUCP> clewis@ecicrl.UUCP (Chris Lewis) writes:

Chris doesn't like what I said, but one of the things I said was that I intended to make a couple of changes to Cathy's uns.c and then run it out from under uuhosts instead of under uuhosts/mapsh.

I'll put my mouth where my mouth was, since I am on vacation and have been spurred to find the time.

I do not do this because my previous way of running it was insecure (under uuhosts and mapsh), but because with these trivial changes the security is maintained, while the processing is simplified.

An advantage gained compared to the original uuhosts, with or without mapsh, is increased security. mapsh prevented most problems, but could have been susceptible to malicious inode usage. Uuhosts itself did *limited* checking of the map shar before passing it to sh.

Another advantage over the original uuhosts is a single letter to news (aliased to me) logging the actions, instead of a letter for each map file.

The changes I made:
	Lengthened the input filename buffer to allow the method I use, detailed below.
	Lengthened the line buffer to allow longer lined shars.
	Disallowed '/' in the output filenames.
	It must be run in the map directory.
Thank you Cathy Segedy for uns.c

Details:

My news sys file entry related to maps:
=================
maps:world,comp.mail.maps:F:/usr/spool/news/maps/comp.mail.maps/Batch
=================

My crontab entry:
=================
30 5 * * * /usr/spool/news/maps/comp.mail.maps/Process > /dev/null 2>&1
=================

Note: I have a sysV type crontab with different crontabs for each user. This crontab entry runs as news, not root. A v7/BSD one *might* look like:
=================
30 5 * * * /bin/su news < /usr/spool/news/maps/comp.mail.maps/Process > /dev/null 2>&1
=================
I could be wrong about that, check your manual.

The script /usr/spool/news/maps/comp.mail.maps/Process :
=================
#! /bin/sh
# unbatch the maps, then make install paths
umask 2
cd /usr/spool/news/maps/comp.mail.maps
if [ -f Batch ]; then
#	/usr/local/bin/uuhosts -unbatch
# using uns instead of uuhosts to unbatch
	mv Batch Batch.working
	for file in `cat Batch.working`
	do
		uns $file >> Batch.log
	done
# use uuhosts to create the index file
	/usr/local/bin/uuhosts -i
	mail -s 'Map Process Log' postmaster < Batch.log
	rm -f Batch.working Batch.log
	make -s install
fi
=================

And finally diff. By the way for you who have been listening, Cathy's program did not use gets(), it always used fgets().
=================
*** /tmp/,RCSt1a26060 Fri Dec 23 12:50:39 1988 --- uns.c Fri Dec 23 12:50:19 1988 *************** *** 26,35 **** after the SHAR_EOF. Someone might wish to shorten MAXLIN (do map files have a line limit?) */ #include ! #define MAXLIN 256 main(argc,argv) int argc; --- 26,39 ---- after the SHAR_EOF. Someone might wish to shorten MAXLIN (do map files have a line limit?) */ + /* lengthened MAXLIN cause someone said they found longer lines in + * a shar file. I don't know if this was a map shar file. + * Is there a line length on a map shar file? - jim budler + */ #include !
#define MAXLIN 1024 main(argc,argv) int argc; *************** *** 38,50 **** FILE *fp, *fp2; char buffer[MAXLIN]; int at_beginning, at_end; ! char filename[20], file2[20]; at_beginning = 0; at_end = 0; if(argc != 2){ ! printf("bad arguements\n"); exit(1); } --- 42,58 ---- FILE *fp, *fp2; char buffer[MAXLIN]; int at_beginning, at_end; ! char filename[1024], file2[20]; ! /* lengthened the buffer for filename. The full path for filename is ! * presented by my method of passing the input name to uns, so ! * a longer buffer was required than 20 char. - jim budler. ! */ at_beginning = 0; at_end = 0; if(argc != 2){ ! printf("bad arguments\n"); exit(1); } *************** *** 68,73 **** --- 76,86 ---- } printf("removing end-of-line while copying\n"); strncpy(file2,&buffer[20],(strlen(&buffer[20]) - 1)); + /* check for / in output filenames. Disallow such files - jim budler */ + if ( rindex ( file2, '/') != NULL ) { + printf ("%s contains /, aborting.\n", file2); + exit(1); + } printf("opening file {%s}\n",file2); if((fp2 = fopen(file2, "w")) == NULL) { printf("can not open file {%s}\n",file2);
=================

--
Jim Budler
address = uucp: ...!{decwrl,uunet}!eda!jim OR domain: jim@eda.com
#define disclaimer "I do not speak for my employer"
Notice: I record license plate numbers of tailgaters
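Review bot: in the first hunk (lines 26,35 / 26,39), the comment added above `#define MAXLIN 1024` leaves open whether map shars have a line limit, and the larger constant by itself settles nothing: the reader uses fgets() (as the covering text says), so a line longer than MAXLIN-1 bytes is not an overflow but comes back in two pieces, and the tail piece is then compared against the header and SHAR_EOF patterns as if it were a line of its own. Suggest the read loop check for a full buffer with no trailing newline and abort that map file, and that the comment name truncation rather than overflow as the failure mode.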
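Review bot: in the second hunk (lines 38,50 / 42,58), `filename` grows to 1024 bytes while `file2` stays at 20, yet `file2` is the buffer filled from the shar itself (the strncpy() from &buffer[20] further down takes its length from the input line, not from sizeof file2), so the lengthening leaves the name chosen by the map's author as the unbounded copy; give `file2` the same size or cap the copy. The copy of argv[1] into `filename` is outside this hunk; it should be bounded by sizeof filename as well, or `argv[1]` passed to fopen() directly and `filename` dropped.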
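Review bot: in the third hunk (lines 68,73 / 76,86), the new '/' check operates on a `file2` that may not be NUL-terminated: strncpy() here copies strlen(&buffer[20]) - 1 bytes, always fewer than the source holds, so it appends no terminator, and `file2` is an uninitialised automatic array; rindex(), the printf("%s") and fopen() then read whatever follows it on the stack, and with file2[20] a name of 20 or more characters has already overrun the buffer before the check runs. Compute the length once, cap it at sizeof file2 - 1, set file2[n] = '\0' explicitly, and only then apply the check; worth also refusing an empty name and "." or "..", which contain no '/' but are not usable output names. strrchr() is the portable spelling of rindex().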
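As an added example (not uns.c, not the patch above, and not uuhosts code), here is a small C unpacker for the map-shar layout uns.c relies on: a header line `cat << 'SHAR_EOF' > name` (the 20 columns uns.c skips), the file body, then a line reading `SHAR_EOF`. It applies the checks the post argues for, a bounded fgets() line buffer, a bounded and always NUL-terminated output name, and refusal of any name containing '/', and goes a little beyond them: it also refuses empty, "." and ".." names, never executes the shar's other lines (echo, chmod, exit), discards the body of a rejected file instead of re-reading it as headers, and aborts when a line overfills the buffer rather than letting the tail pass for a header or trailer. The `-n` dry-run flag, the MAXNAME limit, the function names and the sample shar at the bottom (including its rejected `../` name) are all hypothetical, constructed for this example.

```c
/* Safe map-shar unpacker: an added example, not uns.c, its patch, or uuhosts.
 * It assumes only the layout uns.c relies on: a header "cat << 'SHAR_EOF' > name"
 * (the 20 columns uns.c skips), the body, then a line reading SHAR_EOF.
 * Names, the -n flag and the sample shar below are hypothetical/constructed. */
#include <stdio.h>
#include <string.h>

#define MAXLIN  1024                    /* longest input line accepted */
#define MAXNAME 64                      /* longest output name accepted */
#define HEADER  "cat << 'SHAR_EOF' > "  /* 20 bytes, as in uns.c */
#define TRAILER "SHAR_EOF"

enum { NAME_NOT_HEADER = -1, NAME_OK, NAME_EMPTY, NAME_TOO_LONG, NAME_HAS_SLASH, NAME_DOT };

/* Copy the output name from a header line into out[outsz]; refuse anything that
 * could name a file outside the current directory, and always NUL-terminate. */
int check_output_name(const char *line, char *out, size_t outsz)
{
    if (strncmp(line, HEADER, strlen(HEADER)) != 0) return NAME_NOT_HEADER;
    const char *name = line + strlen(HEADER);
    size_t n = strcspn(name, " \t\r\n");            /* name ends at whitespace */
    if (n == 0) return NAME_EMPTY;
    if (n >= outsz) return NAME_TOO_LONG;           /* keep room for the NUL */
    if (memchr(name, '/', n) != NULL) return NAME_HAS_SLASH;
    if (n <= 2 && strspn(name, ".") == n) return NAME_DOT;   /* "." or ".." */
    memcpy(out, name, n);
    out[n] = '\0';
    return NAME_OK;
}

typedef struct {
    FILE *out;              /* file being written; NULL between files or in dry-run */
    int in_body, skip;      /* inside a body; discarding a rejected file's body */
    int dry_run;            /* 1: validate and count only, write nothing */
    int files, rejected, lines;
    char name[MAXNAME];
} ShrState;

/* Feed one line (newline included, as fgets() returns it).  Returns 0, or -1 if
 * an output file cannot be opened or written. */
int feed_line(ShrState *st, const char *line)
{
    if (!st->in_body) {
        int rc = check_output_name(line, st->name, sizeof st->name);
        if (rc == NAME_NOT_HEADER) return 0;        /* echo, chmod, exit: never run */
        st->in_body = 1;
        st->skip = (rc != NAME_OK);
        if (st->skip) { st->rejected++; return 0; }
        if (!st->dry_run && (st->out = fopen(st->name, "w")) == NULL) return -1;
        st->files++;
        return 0;
    }
    if (strcmp(line, TRAILER "\n") == 0 || strcmp(line, TRAILER) == 0) {
        if (st->out) { fclose(st->out); st->out = NULL; }
        st->in_body = st->skip = 0;
        return 0;
    }
    if (!st->skip) {
        st->lines++;
        if (st->out && fputs(line, st->out) == EOF) return -1;
    }
    return 0;
}

/* Drive feed_line() over a stream with a bounded fgets().  A line longer than
 * MAXLIN-1 bytes would come back in pieces whose tail could pass for a header
 * or the trailer, so the run is aborted instead.  Returns files accepted, or -1. */
int extract_shar(FILE *in, ShrState *st)
{
    char buf[MAXLIN];
    while (fgets(buf, sizeof buf, in) != NULL) {
        size_t len = strlen(buf);
        if (len == sizeof buf - 1 && buf[len - 1] != '\n') {
            if (st->out) fclose(st->out);
            return -1;                              /* over-long line */
        }
        if (feed_line(st, buf) < 0) return -1;
    }
    return st->in_body ? -1 : st->files;            /* -1: body with no SHAR_EOF */
}

/* Constructed sample: two map files around one whose name contains '/'. */
static const char *const SAMPLE[] = {
    "#! /bin/sh\n",
    "cat << 'SHAR_EOF' > u.usa.ca.1\n", "#N\texample1\n", "#S\tmicrovax II; ultrix\n", "SHAR_EOF\n",
    "cat << 'SHAR_EOF' > ../u.usa.ca.9\n", "#N\tnot a map\n", "SHAR_EOF\n",
    "cat << 'SHAR_EOF' > u.usa.ca.2\n", "#N\texample2\n", "SHAR_EOF\n",
    "chmod 644 u.usa.ca.1 u.usa.ca.2\n", "exit 0\n",
};
#define SAMPLE_N (sizeof SAMPLE / sizeof SAMPLE[0])

/* Feed an in-memory line list; returns files accepted, or -1. */
int scan_lines(const char *const *lines, size_t n, ShrState *st)
{
    for (size_t i = 0; i < n; i++)
        if (feed_line(st, lines[i]) < 0) return -1;
    return st->in_body ? -1 : st->files;
}

int main(int argc, char **argv)
{
    ShrState st = {0};
    st.dry_run = (argc > 1 && strcmp(argv[1], "-n") == 0);   /* -n: list, write nothing */
    int rc = extract_shar(stdin, &st);
    fprintf(stderr, "accepted %d, rejected %d, body lines %d%s\n",
            st.files, st.rejected, st.lines, rc < 0 ? ", aborted" : "");
    return rc < 0 ? 1 : 0;
}
```

Run it as `uns-safe -n < mapfile` from the map directory to see what a shar would create before letting it write, which is the same "run it in the map directory" discipline the Process script above relies on; the dry-run counters are what the sample exercises (two files accepted, one rejected, three body lines). Rejecting a header does not abort the whole map file, as the patched uns.c does with exit(1); the bad file's body is skipped and the remaining files are still processed, which is a choice, not a requirement.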