View Issue Details

ID: 0000535
Project: 1003.1(2008)/Issue 7
Category: Shell and Utilities
View Status: public
Last Update: 2012-02-09 16:19
Reporter: marko
Assigned To: ajosey
Priority: normal
Severity: Objection
Type: Enhancement Request
Status: Closed
Resolution: Rejected
Name: Marko Schütz-Schmuck
Organization:
User Reference:
Section: 2.9.5, 3.10
Page Number: n/a
Line Number: n/a
Interp Status: ---
Final Accepted Text:
Summary: 0000535: require support for path separator in function and alias names
Description: Alias names and function names may contain path separator characters as an extension.

Using path separators in alias and/or function names is a way to change the execution environment (e.g. the compilation environment) without requiring privileges. For example, a developer may define a function named /usr/bin/cc to hook into executions of the compiler without affecting other users and without requiring administrator privileges.
Desired Action: Require conforming shells to support <slash> in function and alias names.
Tags: No tags attached.

Activities

eblake

2012-01-12 17:11

manager   bugnote:0001092

Making this change would open up a security hole, since existing scripts count on the use of <slash> to bypass any alias or function names in order to ensure they are executing the intended binary. Additionally, the use of such a function name would not propagate to child processes that directly execute the path name that had been intended to be covered by the function.

marko

2012-01-15 17:30

reporter   bugnote:0001095

A complying shell may currently allow <slash> in function as well as in alias names. A portable script should not assume <slash> to bypass function and alias names. The assumption that a <slash> acts as a by-pass should be seen as the cause for the security hole of such scripts.

Whether or not such names propagate to child processes is a different issue. Depending on the implementation different methods may be used to achieve this, e.g. using a file of definitions that gets read on each shell invocation.

eblake

2012-02-09 16:17

manager   bugnote:0001117

On Jan 15, Jilles Tjoelker sent this response in email:
A shell may allow defining such a function, but shall not allow calling
it. In XCU 2.9.1.1 Command Search and Execution, if the command name
contains a <slash>, the shell shall perform actions equivalent to
calling execve(); functions and shell builtins apply only if the command
name does not contain a <slash>.

Allowing a <slash> in an alias name looks like a valid extension.

Although allowing propagation gives more flexibility, it also makes the
execution environment less predictable.

Instead, the called script can source the definitions again, or the
called script can be sourced (possibly in a subshell environment so it
cannot modify the parent environment).


On that basis, the Austin Group still believes that mandating the use of <slash> is not appropriate for the standard, but implementations may still offer it as an extension for aliases, and that it makes no sense for functions.
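
The disagreement above turns on what a given shell does with a function whose name contains a <slash>. The following probe is an added example, not part of the issue thread; it covers functions only, and `probe_slash_function` and the temporary `tool` script are constructed names.

```shell
#!/bin/sh
# Probe how the running shell treats a function whose name contains a <slash>.
# Prints exactly one of:
#   rejected         the shell refuses to define such a function
#   binary-executed  definition accepted, but the path name still ran the
#                    file (the XCU 2.9.1.1 rule quoted in bugnote 0001117)
#   function-called  the function shadowed the path name
# Assumes the mktemp path has no shell metacharacters (it is passed to eval).
probe_slash_function() {
    dir=$(mktemp -d) || return 1
    tool="$dir/tool"

    # Constructed stand-in for a real binary at an absolute path.
    printf '#!/bin/sh\necho binary-executed\n' > "$tool"
    chmod +x "$tool"

    # Run in a subshell: a syntax error inside eval may terminate the shell,
    # and the function must not leak into the caller's environment.
    out=$(
        exec 2>/dev/null
        eval "$tool() { echo function-called; }" || exit 0
        "$tool"
    ) || true

    rm -rf "$dir"
    echo "${out:-rejected}"
}

probe_slash_function
```

A script that relies on a <slash> to reach the intended binary is only safe under shells for which this prints `rejected` or `binary-executed`.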

Issue History

Date Modified Username Field Change
2012-01-11 12:55 marko New Issue
2012-01-11 12:55 marko Status New => Under Review
2012-01-11 12:55 marko Assigned To => ajosey
2012-01-11 12:55 marko Name => Marko Schütz-Schmuck
2012-01-11 12:55 marko Section => 2.9.5, 3.10
2012-01-11 12:55 marko Page Number => n/a
2012-01-11 12:55 marko Line Number => n/a
2012-01-12 17:11 eblake Interp Status => ---
2012-01-12 17:11 eblake Note Added: 0001092
2012-01-12 17:11 eblake Status Under Review => Closed
2012-01-12 17:11 eblake Resolution Open => Rejected
2012-01-15 17:30 marko Note Added: 0001095
2012-01-15 17:30 marko Status Closed => Under Review
2012-01-15 17:30 marko Resolution Rejected => Reopened
2012-02-09 16:17 eblake Note Added: 0001117
2012-02-09 16:18 eblake Resolution Reopened => Rejected
2012-02-09 16:19 eblake Status Under Review => Closed