bug-bash
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: declare a="$b" if $a previously set as array


From: Stephane Chazelas
Subject: Re: declare a="$b" if $a previously set as array
Date: Mon, 8 Dec 2014 21:07:23 +0000
User-agent: Mutt/1.5.21 (2010-09-15)

2014-12-08 12:48:05 -0800, Linda Walsh:
[...]
> declare -x fmt='($(echo uid:$UID) $(echo euid:$EUID) $(date) $(uname -n))'
> declare -a out
> declare -l out=$fmt
> echo "address@hidden"
> sudo bash --norc -c 'declare -a out;declare -l out=$fmt; echo
> "address@hidden"'
> 
> 
> ----
> Run that and you get:
> 
>    out=uid:5013 euid:5013 mon dec 8 12:39:06 pst 2014 ishtar
>    out=uid:0 euid:0 mon dec 8 12:39:06 pst 2014 ishtar
> 
> 
> All of the terms are evaluated at the time of final execution.
> 
> --- This usage ***depends*** on delayed evaluation -- which you
> claim is "code injection".   This is the way shell is supposed to
> operate.  The programmer ***HAS*** to choose when to cause the expression
> to be evaluated depending on their need.
[...]

Hi Linda,

then change it to:

sudo bash --norc -c 'declare -a out;declare -l out; out=$fmt; echo 
"address@hidden"'

And you get the behaviour *I* expect (assign the content of $fmt
to out[0] (aka out)).

Would you then say that bash is broken there?

If I want the shell to evaluate the content of a variable as
code, I use "eval". And I know it's a dangerous command and
that I should use it carefully. I don't expect "declare" to do
the job of "eval", I don't expect "declare" to run commands, I
only expect it to declare variables (and possibly assign values
to them).

(BTW, don't forget to add back the "Defaults env_reset" to your
/etc/sudoers as your system is currently probably vulnerable to
local privilege escalation if you're using restricted sudoer
commands).

-- 
Stephane



reply via email to

[Prev in Thread] Current Thread [Next in Thread]