From: Ethan M. <merritt@u.washington.edu> - 2004-08-31 19:30:47
On Tuesday 31 August 2004 11:50 am, Edward Peschko wrote:
> And is the above the only dangerous behaviour that is possible from gnuplot?

No. Not by a long shot. Consider:

    set output "~/.login"                       # trash the user's login file
    print `dd if=/bin/zero of=/somewhere/bad`   # abuse the back-tick syntax
    plot '< rm -rf .'                           # abuse the pipe mechanism
    sh "bad command"                            # abuse the shell escape mechanism

You'd have to disable all of these, and probably a few more that I'm not thinking of at the moment.

Disabling shell escapes and back-ticks would not harm most applications. But disabling pipes, in particular, would drastically cripple gnuplot's flexibility and ability to work with other programs. That's probably a deal-breaker right there; you could disable pipes, but the program you were left with wouldn't be very useful.

And what could you possibly do to limit "set output <foo>"? I think the only possible mechanism would be to create a wrapper script that set the UID/EID to a non-privileged user with no permission to write outside of a captive directory tree.

-- 
Ethan A Merritt                 merritt@u.washington.edu
Biomolecular Structure Center   Mailstop 357742
University of Washington, Seattle, WA 98195
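The wrapper idea at the end of the mail, as an added example (this is example code written for this page; it is not gnuplot's own code and not from the original thread). It screens a gnuplot script for the four escape mechanisms listed above (`set output` to an arbitrary path, back-tick substitution, the `'< cmd'` pipe notation and the shell escape), refuses any `set output` target that does not resolve inside a captive directory, and, when started as root, drops to an unprivileged uid/gid before exec'ing gnuplot. The regular expressions, the file name `wrapper.py`, the captive directory `/tmp/gnuplot-jail` and the sample script are my assumptions; the command names `shell`, `system` and `!` are gnuplot forms the mail does not mention. gnuplot also accepts abbreviations (`set out`, `sh` for `shell`) and string forms this scanner does not model, so the pattern check is a convenience for the log, not a boundary; the privilege drop plus captive directory is the part that actually holds, which is the mail's conclusion.

```python
"""Added example: screen a gnuplot script for shell/file escapes, then run
gnuplot as an unprivileged user inside a captive directory.
Not gnuplot code; regexes, names and paths are this example's assumptions."""
import os
import re
import shlex
import sys

# The four mechanisms named in the mail, as deliberately simple patterns.
BACKTICK_RE = re.compile(r"`")                               # `cmd` substitution
PIPE_RE = re.compile(r"""['"]\s*<""")                        # plot '< cmd'
SHELL_RE = re.compile(r"^\s*(?:(?:sh|shell|system)\b|!)")     # shell escape (shell/system/! not in the mail)
OUTPUT_RE = re.compile(r"^\s*set\s+output\s+(.+)$")          # set output <file>

# Constructed sample script reproducing the mail's four examples (lines 2-5).
SAMPLE_SCRIPT = """\
set terminal png
set output "~/.login"                       # trash the user's login file
print `dd if=/bin/zero of=/somewhere/bad`   # back-tick syntax
plot '< rm -rf .'                           # pipe mechanism
sh "bad command"                            # shell escape
set output "plot.png"
plot sin(x)
"""


def path_inside(path, captive_dir):
    """True if `path` resolves inside captive_dir after '..' and symlinks are
    resolved. A '~' path is treated as outside: gnuplot expands it to the
    caller's home, which is assumed never to be the captive directory."""
    if path.startswith("~"):
        return False
    root = os.path.realpath(captive_dir)
    target = os.path.realpath(os.path.join(root, path))
    return target == root or target.startswith(root + os.sep)


def screen_script(script_text, captive_dir):
    """Return [(line_no, reason)] for every line that could escape the jail."""
    findings = []
    for no, line in enumerate(script_text.splitlines(), start=1):
        code = line.split("#", 1)[0]  # crude: ignores '#' inside strings
        if not code.strip():
            continue
        if BACKTICK_RE.search(code):
            findings.append((no, "back-tick command substitution"))
        if PIPE_RE.search(code):
            findings.append((no, "pipe ('< cmd') used as a data source"))
        if SHELL_RE.search(code):
            findings.append((no, "shell escape"))
        m = OUTPUT_RE.match(code)
        if m:
            try:
                target = shlex.split(m.group(1))[0]
            except (ValueError, IndexError):
                findings.append((no, "unparseable set output argument"))
                continue
            if not path_inside(target, captive_dir):
                findings.append((no, "set output outside captive dir: " + target))
    return findings


def drop_privileges(uid, gid):
    """Irreversibly drop to uid/gid (POSIX). Only meaningful when root."""
    if os.getuid() != 0:
        return False
    os.setgroups([])
    os.setgid(gid)
    os.setuid(uid)
    return True


def run_gnuplot(script_path, captive_dir, uid=None, gid=None, gnuplot="gnuplot"):
    """Refuse scripts with findings; otherwise chdir into the jail, drop
    privileges if asked, and exec gnuplot on the script."""
    with open(script_path) as f:
        findings = screen_script(f.read(), captive_dir)
    if findings:
        for no, why in findings:
            print(f"{script_path}:{no}: refused: {why}", file=sys.stderr)
        return 2
    script_abs = os.path.abspath(script_path)  # resolve before chdir
    os.chdir(captive_dir)
    if uid is not None and gid is not None:
        drop_privileges(uid, gid)
    os.execvp(gnuplot, [gnuplot, script_abs])  # does not return on success


def main(argv):
    if len(argv) not in (3, 5):
        print("usage: wrapper.py CAPTIVE_DIR SCRIPT.gp [UID GID]", file=sys.stderr)
        return 64
    uid = gid = None
    if len(argv) == 5:
        uid, gid = int(argv[3]), int(argv[4])
    return run_gnuplot(argv[2], argv[1], uid, gid)


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run as root as `python3 wrapper.py /tmp/gnuplot-jail plot.gp 65534 65534`: a script containing any of the four constructs is refused with the line number, and a clean one runs as the given uid/gid with the captive directory as its working directory, so even a `set output` form the scanner missed can only land where that user may write.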