Re: [Jailkit-users] jk_lsh: problem with single quotes / requested execu
From: Leo
Subject: Re: [Jailkit-users] jk_lsh: problem with single quotes / requested executable not found
Date: Thu, 05 May 2011 12:42:42 +0200
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.17) Gecko/20110414 Lightning/1.0b2 Thunderbird/3.1.10

On 05/03/2011 12:52 PM, Olivier Sessink wrote:
>> Thanks for your reply. Unfortunately it is not possible to fix the web
>> application. It is an out-of-the-box CMS system. But wouldn't it make
>> sense to patch the jailkit shell so that it strips the quotes? Then it will
>> behave like other (standard) shells. This is what people would expect I
>> think.
> there are many ways in which jk_lsh does not behave like any other shell.
> Right now the code is very simple and thus easy to keep it very secure.
>
> Functions like this are an easy source of bugs and thus for insecurity.
> That's why I'm very reluctant to start supporting such features.
>
> Olivier
>
Good point. Security is more important than functionality and each new
function is a security risk. That's ok.
At the moment I have to copy a standard shell to the chroot directory to
work around the problem. This is a big security risk too.
Perhaps you can put it on your list of feature requests or keep it in
mind next time you are working on jk_lsh ;-)
Thanks,
Leo