On Fri, Jun 20, 2008 at 12:54:29AM +0800, Callan Barrett wrote:
Here's another iteration of this patch. I'm still looking for as much input as possible, but this is basically what I would push to testing at this point. The script now outputs in a different format to be parsed, and there is some cleanup done in pkgsubmit.php to get it working more cleanly with the script.

Unfortunately, Callan and I found a way to easily defeat this tonight. The proof-of-concept is attached; the attack is based on this little bit about restricted shells (from the manpage):

---
When a command that is found to be a shell script is executed (see COMMAND EXECUTION above), rbash turns off any restrictions in the shell spawned to execute the script.
---

Too bad too, real bash parsing would have been nice :/

-S