From: Zach Riggle <zachriggle@gmail.com>
To: Bart Schaefer <schaefer@brasslantern.com>
Cc: zsh-users@zsh.org
Subject: Re: Overriding "builtin"
Date: Mon, 29 Aug 2022 15:42:20 -0500 [thread overview]
Message-ID: <CAMP9c5n1bAGmeLcv6aoVZVZOiCKqSd7h3TrbEOcFcE0rRgkrJg@mail.gmail.com> (raw)
In-Reply-To: <CAH+w=7Ywsq=9dcqwWBXQvajnb9NsCe_OBfV8PurkaG+idnSgdg@mail.gmail.com>
[-- Attachment #1: Type: text/plain, Size: 1766 bytes --]
Following up on this a bit, it seems that if your Zsh code is executing in
a malicious environment (e.g. has done "function /usr/bin/sudo() { echo lol
}") is to use a non-qualified path with the "=" prefix.
$ function /usr/bin/sudo { echo lol }
$ /usr/bin/sudo whoami
lol
$ =/usr/bin/sudo whoami
lol
$ =sudo whoami
root
Why does "=sudo" do the correct thing (assuming a sane $PATH, and executes
/usr/bin/sudo), but "=/usr/bin/sudo" does the wrong thing (i.e., execute
the function)?
Assume "builtin", "command", "exec", etc. have all been overwritten with
functions.
Since the environment is malicious, $PATH also cannot be trusted -- I
thought "=" might be a way to guarantee that an executable at a specific
absolute path does get executed instead of something else (alias, function,
autoloadable, etc) but it doesn't work when specifying the full path.
*Zach Riggle*
On Fri, Aug 12, 2022 at 3:54 PM Bart Schaefer <schaefer@brasslantern.com>
wrote:
> On Fri, Aug 12, 2022 at 12:33 PM Zach Riggle <zachriggle@gmail.com> wrote:
> >
> > It would be nice if we could add a feature such that the "builtin"
> identifier cannot be overloaded.
>
> This isn't really feasible, given that we have e.g. "disable builtin"
> and "alias builtin=...".
>
> That does point out that another approach to bypassing the function is
> disable -f builtin
> which is pretty nice in that it leaves the function defined but
> inaccessible. Of course one can still "disable disable" as well.
>
> I can't imagine why anyone would do this, but of course
>
> disable -rm \*
> disable -m \*
>
> leaves the shell able to only to execute pipelines built from external
> commands. Preceded with a few "alias -g" of separators, you end up
> limited to simple external commands.
>
[-- Attachment #2: Type: text/html, Size: 2992 bytes --]
next prev parent reply other threads:[~2022-08-29 20:43 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-08-12 1:18 Zach Riggle
2022-08-12 2:24 ` Đoàn Trần Công Danh
2022-08-12 7:12 ` Daniel Shahaf
2022-08-12 7:57 ` Stephane Chazelas
2022-08-12 18:42 ` Lawrence Velázquez
2022-08-12 19:33 ` Zach Riggle
2022-08-12 20:35 ` Lawrence Velázquez
2022-08-12 20:54 ` Bart Schaefer
2022-08-29 20:42 ` Zach Riggle [this message]
2022-08-30 1:31 ` Bart Schaefer
2022-08-30 1:41 ` Bart Schaefer
2022-08-12 13:54 ` Thomas Lauer
2022-08-12 15:41 ` Bart Schaefer
2022-08-12 16:07 ` Thomas Lauer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAMP9c5n1bAGmeLcv6aoVZVZOiCKqSd7h3TrbEOcFcE0rRgkrJg@mail.gmail.com \
--to=zachriggle@gmail.com \
--cc=schaefer@brasslantern.com \
--cc=zsh-users@zsh.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.vuxu.org/mirror/zsh/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).