[5753] in bugtraq
Re: Buggy /usr/bin shell scripts
daemon@ATHENA.MIT.EDU (Casper Dik)
Sun Dec 7 11:35:35 1997
Date: Sun, 7 Dec 1997 11:56:41 +0100
Reply-To: Casper Dik <casper@HOLLAND.SUN.COM>
From: Casper Dik <casper@HOLLAND.SUN.COM>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: Your message of "Sat, 06 Dec 1997 13:31:01 +0100."
<Pine.LNX.3.95.971206133011.31466B-100000@vic20.dzp.se>

>This is old news, but it seems to be around still.
>
>Solaris 2.5.1 and 2.6:
>
>$ ln -s /usr/bin/true /tmp/e
>$ PATH=/tmp IFS=x /usr/bin/false
>$ echo $?
>0
>
>This combined with the habit of giving non-login accounts /bin/false
>as a shell feels dangerous.

Whether this is a bug or a (mis)feature is open for some debate; the
shell imports all variables, so why not import IFS? $PATH also influences
shell scripts.

Solaris 2.x login will filter IFS and other environment variables, but
"su" and others don't filter it, so using /bin/false as the only protective
measure is not sufficient for denying local attacks.

Solaris 2.next /bin/sh will no longer import IFS from the environment.

Casper
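
The environment filtering discussed in this message, sketched as an added example that is not part of the original post or of any Solaris code: a POSIX sh wrapper that starts a command from an empty environment instead of trusting the caller's IFS and PATH. The names run_scrubbed and SAFE_PATH, the allowlist, and the assumption that env lives at /usr/bin/env are choices made for this example.

```shell
#!/bin/sh
# Added example, not code from the original post. run_scrubbed, SAFE_PATH and
# the allowlist below are choices made for this sketch.

SAFE_PATH=/usr/bin:/bin

# run_scrubbed CMD [ARG...]
# Runs CMD with an environment built from scratch instead of the caller's.
# The body is a subshell, so nothing here changes the calling shell.
run_scrubbed() (
    # Undo a hostile IFS in this subshell before any expansion is split.
    unset IFS

    [ "$#" -gt 0 ] || { echo "usage: run_scrubbed cmd [arg...]" >&2; exit 2; }

    # /usr/bin/env is named by absolute path so the caller's PATH is never
    # searched. -i starts from an empty environment; only a fixed PATH and
    # the allowlisted variables that are actually set are passed on.
    # ${VAR+"VAR=$VAR"} expands to no word at all when VAR is unset.
    exec /usr/bin/env -i \
        PATH="$SAFE_PATH" \
        ${HOME+"HOME=$HOME"} \
        ${LOGNAME+"LOGNAME=$LOGNAME"} \
        ${TERM+"TERM=$TERM"} \
        ${TZ+"TZ=$TZ"} \
        "$@"
)
```

Because the command is looked up through SAFE_PATH only, `run_scrubbed false` keeps its non-zero exit status whatever IFS and PATH the caller exported.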