bug-bash


From: Eduardo Bustamante
Subject: read -e allows execution of commands (edit-and-execute-command) as the shell's process user
Date: Mon, 8 May 2017 12:31:42 -0500

I think `edit-and-execute-command' shouldn't be allowed under `read -e'.

address@hidden:~$ cat prompt.sh
#!/bin/bash
declare -p UID EUID
read -p '> ' -e
declare -p REPLY

address@hidden:~$ id -u
1000
address@hidden:~$ sudo ./prompt.sh
declare -ir UID="0"
declare -ir EUID="0"
>
id -u
0
> bye
declare -- REPLY="bye"

The user can protect against this specific problem with:

address@hidden:~$ cat prompt.sh
#!/bin/bash
declare -p UID EUID
VISUAL=: read -p '> ' -e
declare -p REPLY

Although I'm not sure. Perhaps it's better to just discourage the use
of `read -e' if the input cannot be trusted. Since there are other
problems inherent to this approach (enumerate files with
glob-expand-word).

The particular case where I think this could be a problem is in the
situation where a system administrator allows a user to run a specific
script (and that script only) with elevated privileges using sudo, and
a malicious user abuses `edit-and-execute-command' to work around the
restriction.
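
Added example, not part of the original message or of bash: a heuristic scanner for reviewing scripts that are allowed to run under sudo, listing every `read` call that enables readline with `-e`. The function name `scan_read_e`, its output format and the sample script are assumptions made for illustration; the `visual-override` status only records that the `VISUAL=` prefix shown in the message is present.

```shell
#!/bin/sh
# Added example, not from the original post. Heuristic, line-based scan:
# it does not follow line continuations or nested quoting.

# scan_read_e FILE
# Prints FILE:LINE:STATUS:SOURCE for each `read` call whose option cluster
# contains -e (readline enabled). STATUS is "visual-override" when the call
# has a VISUAL=... prefix like the second prompt.sh in the post, else "plain".
# Returns 0 if at least one such call was found, 1 if none.
scan_read_e() {
    awk -v file="$1" -v q="'" '
    {
        code = " " $0
        gsub(q "[^" q "]*" q, "", code)   # drop single-quoted strings
        gsub(/"[^"]*"/, "", code)         # drop double-quoted strings
        sub(/[ \t]#.*/, "", code)         # drop comments
        code = code " "
        # read as a command word, then an option word containing "e"
        # before the next ; | or &
        if (code !~ /[^A-Za-z0-9_.-]read[ \t]([^;|&]*[ \t])?-[A-Za-z]*e[A-Za-z]*[ \t;|&)]/)
            next
        status = "plain"
        if (code ~ /[ \t;|&(]VISUAL=[^ \t;|&]*[ \t]+([A-Za-z_][A-Za-z0-9_]*=[^ \t;|&]*[ \t]+)*read[ \t]/)
            status = "visual-override"
        printf "%s:%d:%s:%s\n", file, NR, status, $0
        found = 1
    }
    END { exit(found ? 0 : 1) }
    ' "$1"
}

# Constructed sample input, modelled on the prompt.sh scripts in the post.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#!/bin/bash
# read -e inside a comment is ignored
read -p '> ' -e
VISUAL=: read -rep 'name: ' name
while IFS= read -r line; do echo -e "$line"; done
EOF
scan_read_e "$sample" || true
rm -f "$sample"
```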


