PerlMonks  

Re: Re: UGU file rename script (GOLF?)

by chipmunk (Parson)
on Jul 20, 2001 at 01:37 UTC ( [id://98253]=note )


in reply to Re: UGU file rename script (GOLF?)
in thread UGU file rename script (GOLF?)

`rm -rf /` in an eval would execute rm with the user's own permissions. If the user can run rename '`rm -rf /`' on the command line, they could just as easily run rm -rf / directly.

In other words, as long as you don't do something foolish like make the rename script setuid or create a web interface to it, I would argue that this script has no inherent security issues.

Replies are listed 'Best First'.
Re: Re: Re: UGU file rename script (GOLF?)
by myocom (Deacon) on Jul 20, 2001 at 01:49 UTC

    I understand that it would execute rm with the user's own permissions. And that may not be a problem for this particular application (though I would never deploy it on *my* network).

    I'm more concerned that this sort of code will get passed on to a different application (cargo-cult style), where security *does* matter. To my thinking, there should at least be a comment about security in there by the eval.
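
An added example, not code from this thread or from the rename script under discussion: the common eval-based rename loop with the security comment placed at the eval and a guard that refuses to run in the two situations named above (setuid/setgid, web interface). The script itself is not shown on this page, so the loop is a reconstruction of the usual idiom; the sub names `trust_boundary_problem` and `rename_with` and the choice of guard conditions are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use English qw(-no_match_vars);

# Hypothetical helper: returns a reason string when the process is running
# across a privilege or trust boundary, undef otherwise.
sub trust_boundary_problem {
    my ($rgid) = split ' ', $GID;     # $GID and $EGID are space-separated lists
    my ($egid) = split ' ', $EGID;
    return 'real and effective UID differ (setuid?)' if $UID != $EUID;
    return 'real and effective GID differ (setgid?)' if $rgid != $egid;
    # GATEWAY_INTERFACE is set by web servers for CGI programs.
    return 'CGI environment detected' if exists $ENV{GATEWAY_INTERFACE};
    return;
}

sub rename_with {
    my ($op, @files) = @_;
    if (my $why = trust_boundary_problem()) {
        die "refusing to eval caller-supplied code: $why\n";
    }
    my $count = 0;
    for (@files) {
        my $was = $_;
        # SECURITY: $op is arbitrary Perl taken from the command line and run
        # with this process's privileges. That is only acceptable while the
        # person typing the command and the process are the same principal.
        # Do not copy this eval into setuid, CGI or daemon code.
        eval $op;
        die $@ if $@;
        next if $was eq $_;
        if (-e $_) { warn "skipping $was: $_ already exists\n"; next }
        if (rename $was, $_) { $count++ }
        else                 { warn "cannot rename $was to $_: $!\n" }
    }
    return $count;
}

my $op = shift @ARGV;
die "usage: $0 perlexpr [files]\n" unless defined $op;
rename_with($op, @ARGV);
```

Invoked as the owning user, for example with `'s/\.bak$//' *.bak`, the guard passes and the expression runs exactly as if typed by that user; with a setuid bit set or under a CGI handler it dies before the eval is reached.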
