Mailing-List: contact zsh-workers-help@zsh.org; run by ezmlm
Precedence: bulk
X-No-Archive: yes
List-Id: Zsh Workers List <zsh-workers.zsh.org>
List-Post: <mailto:zsh-workers@zsh.org>
List-Help: <mailto:zsh-workers-help@zsh.org>
Date: Thu, 16 Jun 2016 09:45:41 +0100
From: Peter Stephenson <p.stephenson@samsung.com>
To: zsh-workers@zsh.org
Subject: Re: Restricted Mode Vuln
Message-id: <20160616094541.67d1d5a4@pwslap01u.europe.root.pri>
In-reply-to:
 <CAB8Qo2QMRV8p-uSRaDtceWebg9i9U-ywX600HQgpMXAENOsWUw@mail.gmail.com>
References: <CAB8Qo2QMRV8p-uSRaDtceWebg9i9U-ywX600HQgpMXAENOsWUw@mail.gmail.com>
Organization: Samsung Cambridge Solution Centre
X-Mailer: Claws Mail 3.7.9 (GTK+ 2.22.0; i386-redhat-linux-gnu)
MIME-version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7bit
X-Seq: zsh-workers 38692

On Thu, 16 Jun 2016 03:37:26 +0000
"Duncan X. Simpson" <virtualdxs@gmail.com> wrote:
> Restricted Mode should prevent the user from changing $IFS. One example of
> an exploit:
> http://linuxshellaccount.blogspot.com/2008/05/restricted-accounts-and-vim-tricks-in.html

Seems fine to me --- the only problem is the usual one that there's no
definitive set of use cases for restricted mode, so we don't know what
people are expecting to be able to do with it...  I don't think we ever
expect the completion system to work properly in restricted mode, do we?
I would generally expect that any environment involving functions other
than extremely trivial ones can't rely on restricted mode.  Comments
welcome.

I've put the restricted parameters in alphabetic order so you can find
them (which I believe is no longer against development policy...).

pws

diff --git a/Doc/Zsh/restricted.yo b/Doc/Zsh/restricted.yo
index b56b50c..6cf9b36 100644
--- a/Doc/Zsh/restricted.yo
+++ b/Doc/Zsh/restricted.yo
@@ -10,11 +10,11 @@ restricted mode:
 
 startitemize()
 itemiz(changing directories with the tt(cd) builtin)
-itemiz(changing or unsetting the tt(PATH), tt(path), tt(MODULE_PATH),
-tt(module_path), tt(SHELL), tt(HISTFILE), tt(HISTSIZE), tt(GID), tt(EGID),
-tt(UID), tt(EUID), tt(USERNAME), tt(LD_LIBRARY_PATH),
-tt(LD_AOUT_LIBRARY_PATH), tt(LD_PRELOAD) and  tt(LD_AOUT_PRELOAD)
-parameters)
+itemiz(changing or unsetting the tt(EGID), tt(EUID), tt(GID),
+tt(HISTFILE), tt(HISTSIZE), tt(IFS), tt(LD_AOUT_LIBRARY_PATH),
+tt(LD_AOUT_PRELOAD), tt(LD_LIBRARY_PATH), tt(LD_PRELOAD),
+tt(MODULE_PATH), tt(module_path), tt(PATH), tt(path), tt(SHELL),
+tt(UID) and tt(USERNAME) parameters)
 itemiz(specifying command names containing tt(/))
 itemiz(specifying command pathnames using tt(hash))
 itemiz(redirecting output to files)
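Review bot: the item gives no hint of why tt(IFS) belongs in a list that otherwise holds path, library-loading and identity parameters, so a reader of the restricted-mode documentation cannot tell that IFS is protected because it controls how the shell splits the results of unquoted expansions; a short rationale after the list, e.g. `Assigning to tt(IFS) is restricted because it changes how the results of expansions are split into words.`, would make the addition self-explanatory. The alphabetical reorder itself is clean and drops the doubled space before tt(LD_AOUT_PRELOAD) that the old text had; tt(module_path) and tt(path) are placed after their upper-case twins rather than in strict ASCII order, which reads well but should be kept consistent if further lower-case names are added.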
diff --git a/Src/params.c b/Src/params.c
index ae958ab..e7a7365 100644
--- a/Src/params.c
+++ b/Src/params.c
@@ -284,7 +284,7 @@ IPDEF2("HOME", home_gsu, PM_UNSET),
 IPDEF2("TERM", term_gsu, PM_UNSET),
 IPDEF2("TERMINFO", terminfo_gsu, PM_UNSET),
 IPDEF2("WORDCHARS", wordchars_gsu, 0),
-IPDEF2("IFS", ifs_gsu, PM_DONTIMPORT),
+IPDEF2("IFS", ifs_gsu, PM_DONTIMPORT | PM_RESTRICTED),
 IPDEF2("_", underscore_gsu, PM_DONTIMPORT),
 IPDEF2("KEYBOARD_HACK", keyboard_hack_gsu, PM_DONTIMPORT),
 IPDEF2("0", argzero_gsu, 0),
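Review bot: adding PM_RESTRICTED to IFS makes assignment and unset fail under RESTRICTED, but the change ships without a test; a test-suite case that starts zsh with -r and checks that `IFS=x`, `unset IFS` and a function doing `local IFS=x` are all rejected would pin the behaviour down, and the third form deserves an explicit check because it is what completion functions use, which is exactly the breakage the message anticipates. Keeping PM_DONTIMPORT alongside the new flag is right: the value then cannot be smuggled in through the inherited environment either, so the combination closes both the assignment and the import path.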


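As an added example, not code from the patch or from the zsh project: a POSIX sh script that audits a zsh binary by running it in restricted mode and confirming that each parameter in the patched documentation list, IFS included, is refused on assignment, on `unset`, and as a function-local `local` override (the form completion functions use). Its assumptions: a zsh binary is on PATH or named via `$ZSH`, and zsh signals a refused change either by a failing `-c` command or by a message containing "restricted". The parameter list is copied from the documentation hunk above; the `local` probe and the names `refused_in_restricted_mode`, `audit_param` and `audit_all` are this example's own.

```shell
#!/bin/sh
# Added example: not part of this patch or of the zsh sources. Audits a zsh
# binary by starting it in restricted mode (-r) and checking that every
# parameter the patched restricted-mode documentation lists, IFS included,
# can be neither assigned, unset nor shadowed with "local".
#
# Assumptions: a zsh binary is on PATH or named via $ZSH, and a refused change
# either makes the -c command fail or prints a message containing "restricted".

ZSH="${ZSH:-zsh}"

# Parameter names copied from the patched Doc/Zsh/restricted.yo list.
RESTRICTED_PARAMS="EGID EUID GID HISTFILE HISTSIZE IFS LD_AOUT_LIBRARY_PATH \
LD_AOUT_PRELOAD LD_LIBRARY_PATH LD_PRELOAD MODULE_PATH module_path PATH path \
SHELL UID USERNAME"

count_restricted_params() {
  set -- $RESTRICTED_PARAMS
  echo "$#"
}

# Run one command in a fresh restricted zsh.
# Returns 0 if zsh refused it, 1 if zsh accepted it, 2 if no zsh was found.
refused_in_restricted_mode() {
  command -v "$ZSH" >/dev/null 2>&1 || return 2
  status=0
  # Capture stderr only; the command's own stdout is irrelevant here.
  err=$("$ZSH" -r -c "$1" 2>&1 >/dev/null) || status=$?
  [ "$status" -ne 0 ] && return 0
  case $err in
    *restricted*) return 0 ;;
  esac
  return 1
}

# Probe assignment, unset and a function-local override for one parameter.
# Prints one line per probe and returns how many probes zsh accepted.
audit_param() {
  p=$1
  accepted=0
  for cmd in "$p=x" "unset $p" "f() { local $p=x; }; f"; do
    if refused_in_restricted_mode "$cmd"; then
      printf 'refused  : %s\n' "$cmd"
    else
      printf 'ACCEPTED : %s\n' "$cmd"
      accepted=$((accepted + 1))
    fi
  done
  return "$accepted"
}

# Audit every listed parameter; returns the total number of accepted probes,
# so 0 means restricted mode held for all of them.
audit_all() {
  holes=0
  for p in $RESTRICTED_PARAMS; do
    audit_param "$p" || holes=$((holes + $?))
  done
  return "$holes"
}

if command -v "$ZSH" >/dev/null 2>&1; then
  audit_all || echo "restricted mode accepted $? change(s); see ACCEPTED lines" >&2
else
  echo "zsh not found; set ZSH=/path/to/zsh to audit a specific build" >&2
fi
```

Run it against the build under test with `ZSH=/path/to/zsh sh audit.sh`; every ACCEPTED line is a change that restricted mode still permits. Refusal is detected by either a non-zero status or the word "restricted" in the diagnostic so that the check does not depend on the exact wording of the error text.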