On 8/28/07, email@hidden <email@hidden> wrote:
> As a general security consideration, privileged commands
> should do as little as possible and do highly specific
> things. This minimizes the chance a mistake or exploit
> can cause more damage than it should.
>
> In this case, you probably should resolve the glob ("*")
> first while unprivileged, and then call a sequence of
> highly specific "rm" commands with the results.
>
> The standard C library in <glob.h> (among other approaches)
> handles "*". Run "man 3 glob" in a terminal for more
> information on the glob() function.
>
> e.g. glob("test*.txt") might yield test1.txt and test2.txt.
> With those results, you could generate commands like:
> "rm test1.txt"
> "rm test2.txt"
> (or simply "rm test1.txt test2.txt").
And a malicious user could create a file named "-rf .." in the target
directory. Using your suggestion, that would turn into a privileged
execution of the command "rm -rf .." -- not as bad as the dreaded "rm
-rf /", but still quite destructive.
--
Mark Wagner
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Carbon-dev mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
http://lists.apple.com/mailman/options/carbon-dev/email@hidden
This email sent to email@hidden
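As an added example (not code from this thread or from any Apple project), here is how the privileged step can avoid the trap Mark describes: resolve the glob first, then delete each match through unlinkat() on a directory file descriptor instead of building an "rm ..." command line, so a file named "-rf .." is just a filename and is never parsed as options. It assumes a POSIX system with glob(3), openat(2), fstatat(2) and unlinkat(2); the function names, the temporary-directory template and the three fixture file names (including the attacker's "-rf ..") are constructed for the example.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <glob.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The naive step from the thread: splice each glob match into a shell command.
 * A file literally named "-rf .." becomes "rm -rf ..", which a shell or rm's
 * own option parser reads as flags. Returns a malloc'd string; caller frees. */
char *naive_rm_command(const char *match)
{
    size_t n = strlen("rm ") + strlen(match) + 1;
    char *cmd = malloc(n);
    if (cmd == NULL) return NULL;
    snprintf(cmd, n, "rm %s", match);
    return cmd;
}

/* Safer step: resolve the glob, then remove each match with unlinkat() relative
 * to a directory fd. No shell and no option parsing are involved. Only regular
 * files directly inside `dir` are removed (symlinks, directories and devices
 * are skipped). Returns the number of files removed, or -1 on error. */
int remove_matching_files(const char *dir, const char *pattern)
{
    if (strchr(pattern, '/') != NULL)        /* matches must stay inside dir */
        return -1;

    int dirfd = open(dir, O_RDONLY | O_DIRECTORY);
    if (dirfd < 0)
        return -1;

    char full[PATH_MAX];
    if (snprintf(full, sizeof full, "%s/%s", dir, pattern) >= (int)sizeof full) {
        close(dirfd);
        return -1;
    }

    glob_t g;
    int rc = glob(full, 0, NULL, &g);
    if (rc != 0 && rc != GLOB_NOMATCH) {
        close(dirfd);
        return -1;
    }

    int removed = 0;
    size_t skip = strlen(dir) + 1;           /* length of the "dir/" prefix */
    for (size_t i = 0; rc == 0 && i < g.gl_pathc; i++) {
        const char *name = g.gl_pathv[i] + skip;
        struct stat st;
        if (strchr(name, '/') != NULL || !strcmp(name, ".") || !strcmp(name, ".."))
            continue;
        if (fstatat(dirfd, name, &st, AT_SYMLINK_NOFOLLOW) != 0 || !S_ISREG(st.st_mode))
            continue;
        if (unlinkat(dirfd, name, 0) == 0)
            removed++;
    }
    if (rc == 0)
        globfree(&g);
    close(dirfd);
    return removed;
}

/* Constructed fixture: a fresh temp directory with two ordinary files and one
 * file named "-rf ..". `template` is a writable mkdtemp() template, updated in place. */
int create_fixture(char *template)
{
    static const char *names[] = { "test1.txt", "test2.txt", "-rf .." };
    if (mkdtemp(template) == NULL)
        return -1;
    int dirfd = open(template, O_RDONLY | O_DIRECTORY);
    if (dirfd < 0)
        return -1;
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        int fd = openat(dirfd, names[i], O_WRONLY | O_CREAT | O_EXCL, 0600);
        if (fd < 0) { close(dirfd); return -1; }
        close(fd);
    }
    close(dirfd);
    return 0;
}

/* End-to-end check: build the fixture, remove "*" safely, then rmdir the
 * directory, which fails if anything (including "-rf ..") survived.
 * Returns the removal count, or a negative value on failure. */
int run_demo(void)
{
    char dir[] = "/tmp/globrm.XXXXXX";
    if (create_fixture(dir) != 0)
        return -1;
    int removed = remove_matching_files(dir, "*");
    if (removed < 0)
        return -2;
    if (rmdir(dir) != 0)
        return -3;
    return removed;
}

int main(void)
{
    char *cmd = naive_rm_command("-rf ..");
    printf("naive command string: %s\n", cmd);
    free(cmd);
    printf("safely removed %d file(s)\n", run_demo());
    return 0;
}
```

If a separate rm process really is required, the same precaution applies: execv() with an argv array and a "--" argument ahead of the file names, so that a name beginning with "-" is never read as an option, and never a string handed to system() or a shell.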