Re: do shell script security issue
- Subject: Re: do shell script security issue
- From: Paul Skinner <email@hidden>
- Date: Wed, 2 Apr 2003 11:20:18 -0500
On Tuesday, April 1, 2003, at 08:30 PM, Loukas Kalenderidis wrote:
When using `do shell script with administrator privileges' sudo is
executed with the -S option (from sudo(8): The -S (stdin) option
causes sudo to read the password from standard input instead of the
terminal device.). The administrator password provided (either given
directly to the do shell script call, or entered in the authentication
dialog) is passed to sudo through a pipe from an echo command.
E.g.:
Running the shell script `do shell script "perl -e 'while(1){}'" with
administrator privileges', and then entering the administrator
password.
ps output shows:
root 1293 72.3 0.1 1300 324 ?? R 11:24AM 0:02.90 perl -e while(1){}
loukas 1291 0.0 0.2 1828 476 ?? S 11:24AM 0:00.00 sh -c echo '<password>' | sudo -p "" -S perl -e 'while(1){}'
(obviously I removed my password from the paste).
The result is that any user with access to run ps can access the
administrator password while a shell script is running.
----
Loukas Kalenderidis
Angier Consulting Pty Ltd
I can see the obvious undesirability of that, but I'm trying to
understand what the real risks are.
I know that Unix is an inherently shared environment. So who would this
'user with access to run ps' be?
Let's say I'm on a LAN at work or home running OSX. Who would actually
be able to do this? Could any user with an account on my box do this
assuming default settings?
Paul Skinner
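
An added example, not part of the original thread: a small audit check that scans ps-style output for the pattern in the quoted paste (an echo or printf piped into sudo -S) and reports the owning user and PID with the echoed value redacted. The sample lines and the EXAMPLE-ONLY value are constructed, the column layout is assumed to match the paste above, and the matching is a heuristic that splits on "|" without parsing shell quoting.

```python
import re
import shlex

# Constructed sample in the column layout of the ps paste above
# (USER PID %CPU %MEM VSZ RSS TT STAT STARTED TIME COMMAND); not real output.
SAMPLE_PS = """\
root    1293 72.3 0.1 1300 324 ?? R 11:24AM 0:02.90 perl -e while(1){}
loukas  1291  0.0 0.2 1828 476 ?? S 11:24AM 0:00.00 sh -c echo 'EXAMPLE-ONLY' | sudo -p "" -S perl -e 'while(1){}'
alice   1302  0.0 0.1 1400 300 ?? S 11:25AM 0:00.01 sudo -S -v
bob     1310  0.0 0.1 1200 280 ?? S 11:26AM 0:00.00 sh -c echo done | tee /tmp/log
"""

ARGS_COLUMN = 10                 # index of COMMAND in this layout (assumption)
TAKES_ARG = set("pugChrtTUDR")   # sudo short options that consume the next word


def sudo_reads_stdin(stage):
    """True if this pipeline stage is sudo invoked with -S (alone, bundled, or --stdin)."""
    try:
        words = shlex.split(stage)
    except ValueError:           # unbalanced quotes, e.g. a truncated ps line
        words = stage.split()
    if not words or words[0].rsplit("/", 1)[-1] != "sudo":
        return False
    i = 1
    # Only sudo's own options count; stop at the command sudo is asked to run.
    while i < len(words) and words[i].startswith("-") and words[i] != "--":
        opt = words[i]
        if opt == "--stdin" or (not opt.startswith("--") and "S" in opt):
            return True
        i += 2 if opt[-1] in TAKES_ARG and not opt.startswith("--") else 1
    return False


def find_exposed(ps_text):
    """Return (user, pid, redacted command) where echo/printf feeds sudo -S."""
    hits = []
    for line in ps_text.splitlines():
        cols = line.split(None, ARGS_COLUMN)
        if len(cols) <= ARGS_COLUMN:
            continue
        command = cols[ARGS_COLUMN]
        stages = [s.strip() for s in command.split("|")]
        for left, right in zip(stages, stages[1:]):
            m = re.search(r"\b(echo|printf)\s+(.+)$", left)
            if m and sudo_reads_stdin(right):
                redacted = command.replace(m.group(2), "<redacted>", 1)
                hits.append((cols[0], int(cols[1]), redacted))
    return hits
```
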