From: Peter Stephenson
To: Zsh Workers
Subject: Re: Security hole in history handling for root
Date: Wed, 21 Jan 2009 18:04:52 +0000
Message-Id: <200901211804.n0LI4qKY011159@news01.csr.com>
X-Seq: 26400

Richard Hartmann wrote:
> On Wed, Jan 21, 2009 at 18:18, Peter Stephenson wrote:
>
> > If I can be convinced there is something specific in this case, as
> > opposed to a general security hole that needs much more thinking about,
> > it can be dealt with, but I haven't seen why yet.
>
> In that case, don't bother. As the RC files are checked, I assumed you
> wanted to get a report for everything which goes in that direction.

The only files checked are the completion ones. I think the feeling
there was that with a sprawling and unfamiliar system where the test
could easily be added at the function level it was worthwhile. I am not
aware of any security tests for any files used by the main shell.

Obviously a shell is powerful enough that you can dig a huge hole for
yourself; I'm interested in clearing up zsh-specific things where we've
let users in for some new form of attack, but not for solving the general
problem of shell security, which needs to be done by security experts.

> Would it help you or anyone if there was a bug tracker? SF.net offers
> one or I could set one up, if you want me to.

It would help a great deal if someone *maintained* the SF bug tracker.
This is quite a big job in its own right. Obviously this would involve
following the lists pretty closely and soliciting opinions, but it
wouldn't need any programming knowledge. We could probably limit its
use to things that didn't get fixed within a day or so, since there's
often quite a lot of turnover.

-- 
Peter Stephenson
Software Engineer
CSR PLC, Churchill House, Cambridge Business Park, Cowley Road
Cambridge, CB4 0WZ, UK
Tel: +44 (0)1223 692070