Re: [Jailkit-users] jk_lsh: problem with single quotes / requested executable not found
Thu, 05 May 2011 12:42:42 +0200
On 05/03/2011 12:52 PM, Olivier Sessink wrote:
>> Thanks for your reply. Unfortunately it is not possible to fix the web
>> application. It is an out-of-the-box CMS system. But wouldn't it make
>> sense to patch the jailkit shell so that it strips the quotes? Then it will
>> behave like other (standard) shells. This is what people would expect I
> There are many ways in which jk_lsh does not behave like any other shell.
> Right now the code is very simple and thus easy to keep it very secure.
> Functions like this are an easy source of bugs and thus for insecurity.
> That's why I'm very reluctant to start supporting such features.
Good point. Security is more important than functionality and each new
function is a security risk. That's ok.
At the moment I have to copy a standard shell to the chroot directory to
work around the problem. This is a big security risk too.
Perhaps you can put it on your list of feature requests or keep it in
mind next time you are working on jk_lsh ;-)