Mailing-List: contact zsh-workers-help@zsh.org; run by ezmlm
List-Id: Zsh Workers List
X-Seq: 35110
Date: Wed, 13 May 2015 17:38:39 +0100
From: Peter Stephenson
To: zsh-workers@zsh.org
Subject: Re: Failure of "typeset" and exit status
Message-id: <20150513173839.06cc8988@pwslap01u.europe.root.pri>
In-reply-to: <150513084827.ZM15168@torch.brasslantern.com>
References: <150511194320.ZM12928@torch.brasslantern.com> <150512215919.ZM13985@torch.brasslantern.com> <20150513093945.749366aa@pwslap01u.europe.root.pri> <150513084827.ZM15168@torch.brasslantern.com>
Organization: Samsung Cambridge Solution Centre

On Wed, 13 May 2015 08:48:27 -0700
Bart Schaefer wrote:
> It appears that the real problem is that UID is typed as an integer,
> so "local UID" implicitly assigns zero. That means that for a process
> that IS allowed to change UID, merely declaring it local causes that
> process to assume root privilege. That's clearly both wrong and a
> potential security issue.

How about this? It's not so clear it's needed for HISTSIZE and
SAVEHIST, but it's not obviously stupid, and having a set of
paranoia-inducing variables separate from the restricted set looks like
overkill.

What about non-integer restricted variables? They seem to be less problematic. pws diff --git a/Doc/Zsh/params.yo b/Doc/Zsh/params.yo index 44df07c..eb3eb36 100644 --- a/Doc/Zsh/params.yo +++ b/Doc/Zsh/params.yo @@ -642,6 +642,9 @@ privileges, you may change the effective group ID of the shell process by assigning to this parameter. Also (assuming sufficient privileges), you may start a single command with a different effective group ID by `tt(LPAR()EGID=)var(gid)tt(; command+RPAR())' + +If this is made local, it is not implicitly set to 0, but may be +explicitly set locally. ) vindex(EUID) item(tt(EUID) )( @@ -650,6 +653,9 @@ privileges, you may change the effective user ID of the shell process by assigning to this parameter. Also (assuming sufficient privileges), you may start a single command with a different effective user ID by `tt(LPAR()EUID=)var(uid)tt(; command+RPAR())' + +If this is made local, it is not implicitly set to 0, but may be +explicitly set locally. ) vindex(ERRNO) item(tt(ERRNO) )( @@ -666,6 +672,9 @@ you may change the group ID of the shell process by assigning to this parameter. Also (assuming sufficient privileges), you may start a single command under a different group ID by `tt(LPAR()GID=)var(gid)tt(; command+RPAR())' + +If this is made local, it is not implicitly set to 0, but may be +explicitly set locally. ) vindex(HISTCMD) item(tt(HISTCMD))( @@ -801,6 +810,9 @@ you may change the user ID of the shell by assigning to this parameter. Also (assuming sufficient privileges), you may start a single command under a different user ID by `tt(LPAR()UID=)var(uid)tt(; command+RPAR())' + +If this is made local, it is not implicitly set to 0, but may be +explicitly set locally. ) vindex(USERNAME) item(tt(USERNAME) )( 
@@ -1098,6 +1110,9 @@ The maximum number of events stored in the internal history list. If you use the tt(HIST_EXPIRE_DUPS_FIRST) option, setting this value larger than the tt(SAVEHIST) size will give you the difference as a cushion for saving duplicated history events. + +If this is made local, it is not implicitly set to 0, but may be +explicitly set locally. ) vindex(HOME) item(tt(HOME) )( @@ -1392,6 +1407,9 @@ It is expanded in the same way as tt(PS2). vindex(SAVEHIST) item(tt(SAVEHIST))( The maximum number of history events to save in the history file. + +If this is made local, it is not implicitly set to 0, but may be +explicitly set locally. ) vindex(SPROMPT) item(tt(SPROMPT) )( diff --git a/Src/builtin.c b/Src/builtin.c index 70e75ff..95537a9 100644 --- a/Src/builtin.c +++ b/Src/builtin.c @@ -2344,7 +2344,12 @@ typeset_single(char *cname, char *pname, Param pm, UNUSED(int func), pm->gsu.s->setfn(pm, ztrdup("")); break; case PM_INTEGER: - pm->gsu.i->setfn(pm, 0); + /* + * Restricted integers are dangerous to inialize to 0, + * so don't do that. + */ + if (!(pm->old->node.flags & PM_RESTRICTED)) + pm->gsu.i->setfn(pm, 0); break; case PM_EFLOAT: case PM_FFLOAT:
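
Review bot: The paragraph added under EGID, EUID, GID and UID in Doc/Zsh/params.yo (hunks at -642, -650, -666 and -801) says only what no longer happens ("it is not implicitly set to 0") and leaves out both the value the local parameter has before it is explicitly assigned and the reason these entries differ from other integer parameters. Suggest one sentence giving the resulting value and one giving the reason, which the quoted mail already states: for a process allowed to change UID, an implicit assignment of 0 makes the shell assume root privilege.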
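
Review bot: The HISTSIZE and SAVEHIST hunks in Doc/Zsh/params.yo (at -1098 and -1392) document the behaviour per parameter, while the Src/builtin.c change keys on the PM_RESTRICTED flag rather than on parameter names, so the six documented entries and the set the code actually affects can drift apart. Either describe this once as a property of restricted integer parameters and refer to it from each entry, or confirm that these six are the complete list of restricted integers. For these two entries the text should also say what value the local copy has when it is not initialised, since "not implicitly set to 0" alone does not tell the reader what the history limits are inside the function.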
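
Review bot: In the PM_INTEGER case of typeset_single() in Src/builtin.c, the new test reads pm->old->node.flags, and nothing visible in the hunk shows that pm->old is non-NULL on this path; please confirm the enclosing condition guarantees it, or add a check. The comment has a typo ("inialize") and would be more useful if it said why 0 is dangerous (the setfn for the ID parameters acts on the process, and 0 is root) and why the flag is taken from pm->old rather than pm. The PM_SCALAR case directly above still calls pm->gsu.s->setfn(pm, ztrdup("")) unconditionally, which is the open question in the mail about non-integer restricted variables; a line in the comment recording that this was considered and left alone would save the next reader from asking again.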