Lists

Terms and Conditions
Lists hosted on this site
Email the Postmaster
Tips for posting to public mailing lists

do shell script security issue

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

do shell script security issue

Subject: do shell script security issue
From: Loukas Kalenderidis <email@hidden>
Date: Wed, 2 Apr 2003 11:30:54 +1000

When using `do shell script with administrator privileges' sudo is executed with the -S option (from sudo(8): The -S (stdin) option causes sudo to read the password from standard input instead of the terminal device.). The administrator password provided (either given directly to the do shell script call, or entered in the authentication dialog) is passed to sudo through a pipe from an echo command.

Eg:
Running the shell script `do shell script "perl -e 'while(1){}'" with administrator privileges', and then entering the administrator password.

ps output shows:
root 1293 72.3 0.1 1300 324 ?? R 11:24AM 0:02.90 perl -e while(1){}
loukas 1291 0.0 0.2 1828 476 ?? S 11:24AM 0:00.00 sh -c echo '<password>' | sudo -p "" -S perl -e 'while(1){}'

(obviously i removed my password from the paste).

The result is that any user with access to run ps can access the administrator password while a shell script is running.

----

Loukas Kalenderidis
Angier Consulting Pty Ltd
_______________________________________________
applescript-users mailing list | email@hidden
Help/Unsubscribe/Archives: http://www.lists.apple.com/mailman/listinfo/applescript-users
Do not post admin requests to the list. They will be ignored.

Prev by Date: Re: Occasional missing value from Finder command
Next by Date: Re: Occasional missing value from Finder command
Previous by thread: Re: Occasional missing value from Finder command
Next by thread: Re: do shell script security issue
Index(es):
- Date
- Thread