From mboxrd@z Thu Jan 1 00:00:00 1970 X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on inbox.vuxu.org X-Spam-Level: X-Spam-Status: No, score=-3.4 required=5.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,FREEMAIL_FROM,HTML_MESSAGE,MAILING_LIST_MULTI, RCVD_IN_DNSWL_MED,T_SCC_BODY_TEXT_LINE,UNPARSEABLE_RELAY autolearn=ham autolearn_force=no version=3.4.4 Received: (qmail 11496 invoked from network); 29 Aug 2022 20:43:46 -0000 Received: from zero.zsh.org (2a02:898:31:0:48:4558:7a:7368) by inbox.vuxu.org with ESMTPUTF8; 29 Aug 2022 20:43:46 -0000 ARC-Seal: i=1; cv=none; a=rsa-sha256; d=zsh.org; s=rsa-20210803; t=1661805826; b=K//zINtB5e/sKuytaTL7VpA1ewA6CsDNVhRitNvfchvFsO2FYkuhxDQmeRFAPs2N+IHwpLlQHu Tit2ZXmF6XkzW8j1C2EXWH4mi2MKx6xyBUKrzb6NZoTXmL8aU8xQYlwp8M7DEF3BCjynMv8Z9i NcuWzXn6cfLmgCCwj/v8hnu91kn3uolRNR5XGIQt6sCgGyliIjxYY1YelLYdTGck5wnUxvUhYQ DUj+xuRX1dZEXnrn4SusYgPTIuR6pAZnsGfXM9ajfJE24O+VV0gNf80DvUdl+W7FzBeJj3owQK zdRn11BmmbbDftVFJxlYdtZHBsa8Qb+l+pVRQ9nZHM6tlQ==; ARC-Authentication-Results: i=1; zsh.org; iprev=pass (mail-vk1-f169.google.com) smtp.remote-ip=209.85.221.169; dkim=pass header.d=gmail.com header.s=20210112 header.a=rsa-sha256; dmarc=pass header.from=gmail.com; arc=none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed; d=zsh.org; s=rsa-20210803; t=1661805826; bh=lpeqMQCYIBooWQMysVnVYfJOXEVkrJFFxFT2i/mjOz8=; h=List-Archive:List-Owner:List-Post:List-Unsubscribe:List-Subscribe:List-Help: List-Id:Sender:Content-Type:Cc:To:Subject:Message-ID:Date:From:In-Reply-To: References:MIME-Version:DKIM-Signature:DKIM-Signature; b=IoGFNzCj1Uff3Mr0ABPYkmrx6qdL16SFAB/G8vEfpeh7ndye2d9vN5UAnvmCAvuOKUiLDgOYhP hXngKwAVfbrx+QmPkHXFJ1pzjCV0NY7yreNB8QXoo8CuVE/oeyLpmXOf36L0DemXOl8QIwQhyE wCEPdUqNy+OydAYddlg6/jVyvAQdm+HC6iB+eZSIsbWu5TfMhZ7y/s5vzvq6gbaGbYESOZ3PjO 5eEaRFaB1DZoJHNHealMABkuWOasuQP4kDRUrQu3YLzo8I0tUEO/SYArAg2UN2y2tqSa4uIays G1WzvvcbkBz2WQjuQD4OSKlKIaoUrdyiDZ+unNYI068bSQ==; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=zsh.org; s=rsa-20210803; h=List-Archive:List-Owner:List-Post:List-Unsubscribe: List-Subscribe:List-Help:List-Id:Sender:Content-Type:Cc:To:Subject:Message-ID :Date:From:In-Reply-To:References:MIME-Version:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID; bh=nBxfv8YBPPbwc35Ad8uImNOyWTgtdZkKMBPCt/5wEbU=; b=f5rVMQDlWXFPR/Wq6J6VsyolY4 wTaJQF8jL0AiwN+4ofAYHDSX5XoU6/BCxBgoRROLZdr6kpaFzGk63jP0ysg4W/I9eZaa5lTycGS80 Vo7Lm0mCCilfiXxCvlylEsaOfyrF4VTRSnddloeg0TL4H7SfF4KM5S7oy5R1lbiS8cOd9rjtJ937K zU7BUYAhllzPwQfcRt8eeXQBkWRn4+IhlBIhQNHxK4o8czl6X23GAYvPMZykvamxasWyltGb0/r12 UoHsPt801AJRUkghlR6vOlt7t6cfY2h8cM8JvS0OepXkD3B98uP7//qx5zmNkf9N7XezWGv7NpU3R 9IlZagWw==; Received: from authenticated user by zero.zsh.org with local id 1oSlbk-000NdG-5c; Mon, 29 Aug 2022 20:43:44 +0000 Authentication-Results: zsh.org; iprev=pass (mail-vk1-f169.google.com) smtp.remote-ip=209.85.221.169; dkim=pass header.d=gmail.com header.s=20210112 header.a=rsa-sha256; dmarc=pass header.from=gmail.com; arc=none Received: from mail-vk1-f169.google.com ([209.85.221.169]:47100) by zero.zsh.org with esmtps (TLS1.3:TLS_AES_128_GCM_SHA256:128) id 1oSlab-000Mxy-1V; Mon, 29 Aug 2022 20:42:34 +0000 Received: by mail-vk1-f169.google.com with SMTP id g185so4320192vkb.13 for ; Mon, 29 Aug 2022 13:42:32 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date; bh=nBxfv8YBPPbwc35Ad8uImNOyWTgtdZkKMBPCt/5wEbU=; b=VoVpLihQxPYoDmpiXykfs++JNh9jK8Cb95Y14DLlvGHyDYQ3N9MtfCvJp9AlcuMMBj GfHVN86+JuuptVfnZ+JL196+SSq20p3CLR9nkO5nyveSmawzpRIS/FxHsZ+ijXYjJE/V 5w+1eXoQFJXA5XOA3GnpjB5p/3ahFzvcwWZAF+6u9F3xPJIZ3wkQ4ViR5o+4QWYN5Tgx MlSkhu7WlgsTnnlnGPb9hcpkStiKbu6Mhp5tDrALgKqx57inrQQ4zwz+tSRExnjs64c5 ktHFsZwgaTxq/4uFhoAKehDQ1AUx27k6lphMaznA+rQFmvmenAjsKSMuXkylvtKVFtSI MFYQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date; bh=nBxfv8YBPPbwc35Ad8uImNOyWTgtdZkKMBPCt/5wEbU=; b=uQFW/66AZRudOHu0FlObFRjsb7Y9Kbh4h5lkzb4lSMQ8fSCJr4GYkyTjLEC6t3sv7k eYnKGJrFuN0g3vlNRopt5+XCHYTbgd1eoj3KbFGdRXWu8+I18q3leQHgQmE/MBxr+hY1 jPK7rrf+AHkk/RSgf6hD6teedTezt7c7Yf0KULBahyQLuSnXVNsTm+C9nq/IpAa31xDr xaADIWAvpzGtzIrt84HB2ASLfavJLSW0B1UggyAqfhy0mq9aUKqI0zNVxGdk8K2wTbwU GF0McszigwXpwyUklFBoYotgtNnRUbSLuEcK1HPLdsOJgk4bfBBWnpqaDaZjHm2rWjzV vVaQ== X-Gm-Message-State: ACgBeo1Y0Mo7CjWV4JWCx2DPXQ12NssW3whZogjJHAeVAVlqYrXkFIIK zqrCJ3uID/IFbAkI9E7pdfoI1CgTIHIudPPtmpY= X-Google-Smtp-Source: AA6agR6DfszaAvOr4mwc+nkuom2Io/SkeBFis/olirR1RZQ2GPtifq4zpJ3HYzfSWIPLqfCnBnpAl1vLbj3GtGfyA78= X-Received: by 2002:a1f:2306:0:b0:379:387:2ae8 with SMTP id j6-20020a1f2306000000b0037903872ae8mr3981721vkj.13.1661805751592; Mon, 29 Aug 2022 13:42:31 -0700 (PDT) MIME-Version: 1.0 References: <64b57144-d4af-4708-983b-0bd202557bbd@www.fastmail.com> <4369c556-7ccb-4866-8e69-9d829afc81c3@www.fastmail.com> In-Reply-To: From: Zach Riggle Date: Mon, 29 Aug 2022 15:42:20 -0500 Message-ID: Subject: Re: Overriding "builtin" To: Bart Schaefer Cc: zsh-users@zsh.org Content-Type: multipart/alternative; boundary="000000000000826e2705e7674d76" X-Seq: 28007 Archived-At: X-Loop: zsh-users@zsh.org Errors-To: zsh-users-owner@zsh.org Precedence: list Precedence: bulk Sender: zsh-users-request@zsh.org X-no-archive: yes List-Id: List-Help: List-Subscribe: List-Unsubscribe: List-Post: List-Owner: List-Archive: --000000000000826e2705e7674d76 Content-Type: text/plain; charset="UTF-8" Following up on this a bit, it seems that if your Zsh code is executing in a malicious environment (e.g. has done "function /usr/bin/sudo() { echo lol }") is to use a non-qualified path with the "=" prefix. $ function /usr/bin/sudo { echo lol } $ /usr/bin/sudo whoami lol $ =/usr/bin/sudo whoami lol $ =sudo whoami root Why does "=sudo" do the correct thing (assuming a sane $PATH, and executes /usr/bin/sudo), but "=/usr/bin/sudo" does the wrong thing (i.e., execute the function)? Assume "builtin", "command", "exec", etc. have all been overwritten with functions. Since the environment is malicious, $PATH also cannot be trusted -- I thought "=" might be a way to guarantee that an executable at a specific absolute path does get executed instead of something else (alias, function, autoloadable, etc) but it doesn't work when specifying the full path. *Zach Riggle* On Fri, Aug 12, 2022 at 3:54 PM Bart Schaefer wrote: > On Fri, Aug 12, 2022 at 12:33 PM Zach Riggle wrote: > > > > It would be nice if we could add a feature such that the "builtin" > identifier cannot be overloaded. > > This isn't really feasible, given that we have e.g. "disable builtin" > and "alias builtin=...". > > That does point out that another approach to bypassing the function is > disable -f builtin > which is pretty nice in that it leaves the function defined but > inaccessible. Of course one can still "disable disable" as well. > > I can't imagine why anyone would do this, but of course > > disable -rm \* > disable -m \* > > leaves the shell able to only to execute pipelines built from external > commands. Preceded with a few "alias -g" of separators, you end up > limited to simple external commands. > --000000000000826e2705e7674d76 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
Following up on this a bit, it seems that if your Zsh code= is executing in a malicious environment (e.g. has done "function /usr= /bin/sudo() { echo lol }") is to use a non-qualified path with the &qu= ot;=3D" prefix.

$ function /usr/bin/sudo { echo lol }

$ /usr/bin/sudo whoami
lol
<= div>
$ =3D/usr/bin/sudo whoami
lol

=
= $ =3Dsudo whoami
root

Why d= oes "=3Dsudo" do the correct thing (assuming a sane $PATH, and ex= ecutes /usr/bin/sudo), but "=3D/usr/bin/sudo" does the wrong thin= g (i.e., execute the function)?

Assume "builtin", "co= mmand", "exec", etc. have all been overwritten with function= s.

Since the environment is malicious, $PATH also = cannot be trusted -- I thought "=3D" might be a way to guarantee = that an executable at a specific absolute path does get executed instead of= something else (alias, function, autoloadable, etc) but it doesn't wor= k when specifying the full path.
=
Zach Riggle


On Fri, Aug 12, 2022 at 3:54 PM Bart Schaefer= <schaefer@brasslantern.com= > wrote:
= On Fri, Aug 12, 2022 at 12:33 PM Zach Riggle <zachriggle@gmail.com> wrote:
>
> It would be nice if we could add a feature such that the "builtin= " identifier cannot be overloaded.

This isn't really feasible, given that we have e.g. "disable built= in"
and "alias builtin=3D...".

That does point out that another approach to bypassing the function is
=C2=A0disable -f builtin
which is pretty nice in that it leaves the function defined but
inaccessible.=C2=A0 Of course one can still "disable disable" as = well.

I can't imagine why anyone would do this, but of course

disable -rm \*
disable -m \*

leaves the shell able to only to execute pipelines built from external
commands.=C2=A0 Preceded with a few "alias -g" of separators, you= end up
limited to simple external commands.
--000000000000826e2705e7674d76--