Re: [Networker] possible symlink attack in shutdown script
2004-01-28 20:08:57
>>zero_worklist()
>>{
>>[...]
>> rm -f /tmp/nsrsh$$
>> echo '. type: nsr group' > /tmp/nsrsh$$ # <----------------
>> echo 'update work list:; completion:' >> /tmp/nsrsh$$
>> nsradmin ${RESFILE} -i - < /tmp/nsrsh$$ > /dev/null 2>&1
>> rm -f /tmp/nsrsh$$
>>}
>
> What happens if you replace that code with
>
> nsradmin ${RESFILE} -i - <<_NSR_HERE_DOC
> . type: nsr group
> update work list:; completion:
> _NSR_HERE_DOC

My understanding is that the shell creates a file in /tmp and uses it
as stdin to the command (which is likely to have similar issues).

IMHO writing such things like this:

{
echo '. type: nsr group'
echo 'update work list:; completion:'
} | nsradmin ${RESFILE} -i - > /dev/null 2>&1

gives a lot of flexibility and clarity without much downside (I guess
that some older implementations of the Bourne shell might not support
the { list; } construct).

George.
--
George Scott George.Scott AT its.monash DOT edu
Systems Programmer, IT Services, Monash University
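
Added example (not part of the message above or of the NetWorker script): the pipe form from the reply next to a mktemp-based alternative, plus a check, confined to a private scratch directory, of why a redirect to a predictable name is unsafe. All function names are hypothetical; `consumer` stands in for `nsradmin ${RESFILE} -i -`.

```sh
#!/bin/sh
# Added example, not from the thread. consumer() is a hypothetical stand-in
# for `nsradmin ${RESFILE} -i -`: it copies its stdin to stdout.
consumer() { cat; }

emit_commands() {
    echo '. type: nsr group'
    echo 'update work list:; completion:'
}

# Pipe form from the reply: the commands never exist as a named file.
feed_by_pipe() {
    emit_commands | consumer
}

# When a file is unavoidable: mktemp picks an unpredictable name and creates
# the file exclusively (mode 0600), so a pre-planted link cannot be reused.
feed_by_mktemp() {
    tmp=$(mktemp "${TMPDIR:-/tmp}/nsrsh.XXXXXX") || return 1
    emit_commands > "$tmp"
    consumer < "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Why the original pattern is risky, shown inside a private scratch directory:
# a redirect to a predictable name writes through a symlink that is already
# there. This models the window between `rm -f` and the first `echo >`.
# Prints whatever ended up in the link target.
predictable_name_demo() {
    scratch=$(mktemp -d "${TMPDIR:-/tmp}/demo.XXXXXX") || return 1
    : > "$scratch/target"                       # constructed stand-in for another file
    ln -s "$scratch/target" "$scratch/nsrsh$$"  # link sitting at the predictable name
    echo '. type: nsr group' > "$scratch/nsrsh$$"
    cat "$scratch/target"
    rm -rf "$scratch"
}
```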