
Re: [Jailkit-users] jk_lsh: problem with single quotes / requested execu

From: Leo
Subject: Re: [Jailkit-users] jk_lsh: problem with single quotes / requested executable not found
Date: Thu, 05 May 2011 12:42:42 +0200
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv: Gecko/20110414 Lightning/1.0b2 Thunderbird/3.1.10

On 05/03/2011 12:52 PM, Olivier Sessink wrote:
>> Thanks for your reply. Unfortunately it is not possible to fix the web
>> application. It is an out-of-the-box CMS system. But wouldn't it make
>> sense to patch the jailkit shell so that it strips the quotes? Then it will
>> behave like other (standard) shells. This is what people would expect I
>> think.
> there are many ways in which jk_lsh does not behave like any other shell.
> Right now the code is very simple and thus easy to keep it very secure.
> Functions like this are an easy source of bugs and thus for insecurity.
> That's why I'm very reluctant to start supporting such features.
> Olivier

Good point. Security is more important than functionality and each new
function is a security risk. That's ok.
At the moment I have to copy a standard shell to the chroot directory to
work around the problem. This is a big security risk too.
Perhaps you can put it on your list of feature requests or keep it in
mind next time you are working on jk_lsh ;-)

