tech-userlevel archive
Re: Adding a simple editor to the base system
On Thu, Feb 12, 2009 at 11:48 AM, D'Arcy J.M. Cain <darcy%druid.net@localhost>
wrote:
> ------------ File: /usr/bin/edit -----------
> #! /bin/sh
> exec ${EDITOR:-/usr/bin/vi}
> --------------------------------------------
>
This looks like the "alternatives" sub-system Debian had for at least
14 years[0], except that your proposal can be exploited very easily:
1) make ${EDITOR} point to an evil binary
2) make the user become root (using su(1))
3) tell him to edit a file
4) evil 1 - user 0
- Arnaud
[0]: not less if I trust the copyright notice of `/usr/sbin/update-alternatives'
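
One way a wrapper like the quoted /usr/bin/edit could vet ${EDITOR} before exec'ing it as root, as an added example that is not part of the original thread. The function names and the trust policy (absolute path, root-owned, not group- or world-writable, directory likewise) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: hardened variant of the quoted wrapper (hypothetical names).
FALLBACK_EDITOR=/usr/bin/vi   # same default as the quoted script

# Succeeds only if PATH (symlinks followed) is owned by uid 0 and is
# neither group- nor world-writable. Parses portable `ls -ldn` output.
root_owned_and_locked() {
    ls -ldnL -- "$1" 2>/dev/null | (
        read -r mode _links uid _rest || exit 1
        [ "$uid" = 0 ] || exit 1
        case $mode in
            ?????w*|????????w*) exit 1 ;;   # group or other write bit set
        esac
    )
}

# Succeeds only for an absolute path to an executable regular file whose
# own permissions and whose directory both pass the check above.
is_trusted() {
    case $1 in /*) ;; *) return 1 ;; esac
    [ -f "$1" ] && [ -x "$1" ] || return 1
    dir=${1%/*}
    root_owned_and_locked "$1" && root_owned_and_locked "${dir:-/}"
}

# Prints the editor to run. Optional $1 overrides the effective uid
# (used for testing). Unprivileged users keep their $EDITOR unchanged;
# root only honours it when it passes is_trusted, so a value inherited
# through su(1) that points at a user-controlled file is ignored.
choose_editor() {
    uid=${1:-$(id -u)}
    if [ -z "${EDITOR:-}" ]; then
        printf '%s\n' "$FALLBACK_EDITOR"
    elif [ "$uid" != 0 ] || is_trusted "$EDITOR"; then
        printf '%s\n' "$EDITOR"
    else
        printf '%s\n' "$FALLBACK_EDITOR"
    fi
}

# Only take over the process when installed as "edit", so the functions
# above can also be sourced. Word splitting is kept as in the quoted script.
case ${0##*/} in
    edit) editor=$(choose_editor); exec $editor "$@" ;;
esac
```

Under this policy an ${EDITOR} value that carries arguments is never accepted for root, because the whole string is treated as one path.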