> The biggest problem is its failure to check the sanity of the input
> parameters - that a particular argument actually exists before
> referencing it.

Do you mean that evil Bob can substitute Alice's script between the stat() and execve() calls? Yes, I've missed this point. We can use realpath and check that all nodes are writable only by the file owner or by root. Yes, that's a big limitation, but in most common tasks it would be acceptable. And it saves us from race conditions, am I right? And there are other ways, but slower or more complex: an own sub-wrapper for each interpreter which passes the script as a file descriptor, as you wrote at the beginning; hardlink or copy the files to a safe directory; fork a child and ptrace it to watch whether the files it opens are really the same. Too confusing. But if the first way is ok, maybe it's better to stay with it.

> Other issues I noticed:
> - strncpy() is virtually always the wrong function. You already do
> validation so you could just use strcpy()

ok. I've replaced it with memcpy, as len is already known.

> - strncpy(penvd + penvsz, "=", 1); could be penvd[penvsz] = '=';

sure, it was done only to keep all string operations in one style.

> - No error if number of environment variables too great.

fixed

_______________________________________________
freebsd-hackers@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers