Zsh Mailing List Archive

Re: Restricted Mode Vuln



On Thu, 16 Jun 2016 03:37:26 +0000
"Duncan X. Simpson" <virtualdxs@xxxxxxxxx> wrote:
> Restricted Mode should prevent the user from changing $IFS. One example of
> an exploit:
> http://linuxshellaccount.blogspot.com/2008/05/restricted-accounts-and-vim-tricks-in.html

Seems fine to me --- the only problem is the usual one that there's no
definitive set of use cases for restricted mode, so we don't know what
people are expecting to be able to do with it...  I don't think we ever
expect the completion system to work properly in restricted mode, do we?
I would generally expect that any environment involving functions other
than extremely trivial ones can't rely on restricted mode.  Comments
welcome.

I've put the restricted parameters in alphabetic order so you can find
them (which I believe is no longer against development policy...).

pws

diff --git a/Doc/Zsh/restricted.yo b/Doc/Zsh/restricted.yo
index b56b50c..6cf9b36 100644
--- a/Doc/Zsh/restricted.yo
+++ b/Doc/Zsh/restricted.yo
@@ -10,11 +10,11 @@ restricted mode:
 
 startitemize()
 itemiz(changing directories with the tt(cd) builtin)
-itemiz(changing or unsetting the tt(PATH), tt(path), tt(MODULE_PATH),
-tt(module_path), tt(SHELL), tt(HISTFILE), tt(HISTSIZE), tt(GID), tt(EGID),
-tt(UID), tt(EUID), tt(USERNAME), tt(LD_LIBRARY_PATH),
-tt(LD_AOUT_LIBRARY_PATH), tt(LD_PRELOAD) and  tt(LD_AOUT_PRELOAD)
-parameters)
+itemiz(changing or unsetting the tt(EGID), tt(EUID), tt(GID),
+tt(HISTFILE), tt(HISTSIZE), tt(IFS), tt(LD_AOUT_LIBRARY_PATH),
+tt(LD_AOUT_PRELOAD), tt(LD_LIBRARY_PATH), tt(LD_PRELOAD),
+tt(MODULE_PATH), tt(module_path), tt(PATH), tt(path), tt(SHELL),
+tt(UID) and tt(USERNAME) parameters)
 itemiz(specifying command names containing tt(/))
 itemiz(specifying command pathnames using tt(hash))
 itemiz(redirecting output to files)
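Review bot: The one substantive change in this item, the addition of tt(IFS), is buried in a full alphabetical reorder, so every line of the item shows as changed. Consider splitting the reorder and the tt(IFS) addition into separate commits, or at least naming the new entry in the commit message, so the history shows that tt(IFS) is the only parameter newly listed as restricted. The new order also puts tt(MODULE_PATH) before tt(module_path) and tt(PATH) before tt(path); a note on the case convention used would help whoever adds the next entry.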
diff --git a/Src/params.c b/Src/params.c
index ae958ab..e7a7365 100644
--- a/Src/params.c
+++ b/Src/params.c
@@ -284,7 +284,7 @@ IPDEF2("HOME", home_gsu, PM_UNSET),
 IPDEF2("TERM", term_gsu, PM_UNSET),
 IPDEF2("TERMINFO", terminfo_gsu, PM_UNSET),
 IPDEF2("WORDCHARS", wordchars_gsu, 0),
-IPDEF2("IFS", ifs_gsu, PM_DONTIMPORT),
+IPDEF2("IFS", ifs_gsu, PM_DONTIMPORT | PM_RESTRICTED),
 IPDEF2("_", underscore_gsu, PM_DONTIMPORT),
 IPDEF2("KEYBOARD_HACK", keyboard_hack_gsu, PM_DONTIMPORT),
 IPDEF2("0", argzero_gsu, 0),
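Review bot: No test accompanies the new PM_RESTRICTED flag on the "IFS" entry; the patch touches only Doc/Zsh/restricted.yo and Src/params.c. A regression test that starts a restricted shell and checks that changing or unsetting IFS is refused would keep the flag from being dropped silently in a later edit of this table. The accompanying message already raises the concern that non-trivial functions cannot rely on restricted mode, so it would also be worth saying in restricted.yo whether functions that set IFS for their own use are expected to fail once this flag is in place.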


