Mark Benedetto King <bking@answerfriend.com> writes:
> > > and will eventually call, as uid=svn:
> > >
> > > EDITOR="/path/to/editor foo" svn commit
> > >
> > > Let's not try to understand *why* the administrator might
> > > want to do this, just that it is possible. :-)
> >
> > Here, the problem is not with svn using system(). Instead, the
> > problem is with the setuid program mycommit building a command line
> > from user input without proper quoting. A big no-no in any setuid
>
> The problem is not with mycommit or with system(). It's with
> the way they're (hypothetically) interacting. mycommit is
> expecting execl() semantics and system() doesn't give those
> semantics. This has bitten many programmers many times.

No it isn't. Expecting execl() semantics would be expecting svn to
execute the binary "editor foo" (with a space in the filename) in the
directory "/path/to", because that's what execl() would have done.

> It might be a "can't win, don't use system()" type scenario,
> though. Look at gets(). It's so evil, that it has been
> thoroughly deprecated. Is gets() secure? Sure, if it never
> runs with elevated privileges or if the stdin has been sufficiently
> constrained so as to ensure that lines will always be short enough.
> Most people have decided, at least for gets(), that the answer
> is "don't use gets()".

Now you're confusing things. There is a perfectly good reason for not
using gets(): Using gets() will cause your program to crash on some
input. That is undesirable even if you are not concerned about
security aspects.

> > need to reset $EDITOR regardless. It doesn't take any "craftily
> > constructed $EDITOR variables" to exploit a setuid program that calls
> > $EDITOR. You can even leave it set to "emacs", just do M-x shell when
>
> Sure it does, if the user expects execl() semantics
> and gets system() semantics.

If the program uses a $EDITOR entirely provided by the user, then
nothing crafty is needed to exploit it. If the program tries to
construct a $EDITOR using user input for some kind of argument, then
it isn't expecting execl() semantics, as that would not allow for any
arguments at all.

// Marcus
Received on Mon Apr 29 20:42:30 2002
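
The execl() versus system() distinction argued in this message, as an added example that is not part of the original thread or of Subversion's code: the same EDITOR string is passed once to execl() and once to system(), and the exit status shows how each interprets it. The helper names `run_execl_style` and `run_system_style`, the sample value `/bin/echo foo` (standing in for "/path/to/editor foo") and the file name `msg.tmp` are assumptions made for the illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Constructed sample value, shaped like the thread's "/path/to/editor foo". */
static const char *SAMPLE_EDITOR = "/bin/echo foo";

/* execl() semantics: the whole string is one filename, with no word
 * splitting. Returns the child's exit status; 127 means the exec failed. */
int run_execl_style(const char *editor, const char *file)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl(editor, editor, file, (char *)NULL);
        _exit(127);            /* reached only if execl() failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* system() semantics: the string is handed to "sh -c", which splits it into
 * words, so "foo" becomes an argument and shell metacharacters are live.
 * The quoting of `file` assumes it contains no single quote (hypothetical). */
int run_system_style(const char *editor, const char *file)
{
    char cmd[512];
    int n = snprintf(cmd, sizeof cmd, "%s '%s'", editor, file);
    if (n < 0 || (size_t)n >= sizeof cmd)
        return -1;
    int status = system(cmd);
    if (status == -1)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    printf("execl-style exit:  %d\n", run_execl_style(SAMPLE_EDITOR, "msg.tmp"));
    printf("system-style exit: %d\n", run_system_style(SAMPLE_EDITOR, "msg.tmp"));
    return 0;
}
```

Under execl() the lookup is for a file literally named "echo foo" in /bin, so the exec fails; under system() the shell runs /bin/echo with "foo" and the file name as arguments.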