do shell script security issue
do shell script security issue
- Subject: do shell script security issue
- From: Loukas Kalenderidis <email@hidden>
- Date: Wed, 2 Apr 2003 11:30:54 +1000
When using `do shell script with administrator privileges' sudo is
executed with the -S option (from sudo(8): The -S (stdin) option causes
sudo to read the password from standard input instead of the terminal
device.). The administrator password provided (either given directly to
the do shell script call, or entered in the authentication dialog) is
passed to sudo through a pipe from an echo command.
Eg:
Running the shell script `do shell script "perl -e 'while(1){}'" with
administrator privileges', and then entering the administrator password.
ps output shows:
root 1293 72.3 0.1 1300 324 ?? R 11:24AM 0:02.90
perl -e while(1){}
loukas 1291 0.0 0.2 1828 476 ?? S 11:24AM 0:00.00 sh
-c echo '<password>' | sudo -p "" -S perl -e 'while(1){}'
(obviously i removed my password from the paste).
The result is that any user with access to run ps can access the
administrator password while a shell script is running.
----
Loukas Kalenderidis
Angier Consulting Pty Ltd
_______________________________________________
applescript-users mailing list | email@hidden
Help/Unsubscribe/Archives:
http://www.lists.apple.com/mailman/listinfo/applescript-users
Do not post admin requests to the list. They will be ignored.