[illumos-Advocates] RTI for bug 864: at(1) should not popen /usr/bin/pwd

Gordon Ross gordon.w.ross at gmail.com
Sun May 15 15:31:17 PDT 2011 

I'm happy to  act as approver on this, but just wanted to clarify:
Albert, are you a happy reviewer, or do you want the nit fixed?

Thanks,
Gordon

On Sun, May 15, 2011 at 3:20 PM, Gary Mills <mills at cc.umanitoba.ca> wrote:
> I'm attaching the `hg export' output and mail_msg from a nightly run
> with lint.
>
> Here's outgoing:
>
>    $ hg outgoing -v
>    running ssh anonhg at hg.illumos.org "hg -R illumos-gate serve --stdio"
>    remote: Not trusting file /export/illumos/hgrepos/illumos-gate/.hg/hgrc from untrusted user hg, group hg
>    comparing with ssh://anonhg@hg.illumos.org/illumos-gate
>    searching for changes
>
>    changeset:   13370:018413a6185b
>    tag:         tip
>    user:        Gary Mills <mills at cc.umanitoba.ca>
>    date:        Sun May 15 13:49:21 2011 -0500
>
>    description:
>        864 at(1) should not popen /usr/bin/pwd
>        Reviewed by: Garrett D'Amore
>
>    modified:
>       usr/src/cmd/cron/at.c
>
>    remote: Not trusting file /export/illumos/hgrepos/illumos-gate/.hg/hgrc from untrusted user hg, group hg
>
> This is a test under OI 148, with the newly-built executable installed
> setuid root in /usr/local/bin:
>
>    $ /usr/local/bin/at now+1min
>    at> echo "This is the fixed at"
>    at> <EOT>
>    commands will be executed using /bin/ksh
>    job 1305319632.a at Fri May 13 15:47:12 2011
>    $ /usr/local/bin/at -l
>    user = mills          1305319632.a      Fri May 13 15:47:12 2011
>
> This is a test with the OI 148 executable run on Solaris 10.  In this
> case, it was done from a restricted directory (700 permissions) that
> was NFS-mounted with autofs.  Root was unable to run `pwd' in this
> directory:
>
>    $ /opt/bin/at now+1min
>    at> echo "This is in the restricted directory"
>    at> pwd
>    at> <EOT>
>    commands will be executed using /bin/ksh
>    job 1305460807.a at Sun May 15 07:00:07 2011
>    $ /opt/bin/at -l
>    1305460807.a       Sun May 15 07:00:07 2011
>
> The e-mail message said:
>
>    Your "at" job on eltanin
>    "/var/spool/cron/atjobs/1305460807.a"
>
>    produced the following output:
>
>    This is in the restricted directory
>    /home/uadmin/mills/restrict
>
>
> --
> -Gary Mills-        -Unix Group-        -Computer and Network Services-
>
> _______________________________________________
> Advocates mailing list
> Advocates at lists.illumos.org
> http://lists.illumos.org/m/listinfo/advocates
>
>

More information about the Advocates mailing list