[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Sandbox improvements
|
From: |
arnold |
|
Subject: |
Re: Sandbox improvements |
|
Date: |
Mon, 01 Mar 2021 03:33:17 -0700 |
|
User-agent: |
Heirloom mailx 12.5 7/5/10 |
Hi.
Thanks for the note.
"innovate.invent@gmail.com" <innovate.invent@gmail.com> wrote:
> Hi Arnold, thanks for fixing the issue with rewriting ARGV.
You're welcome.
> I have found another issue with users being able to break out of the
> sandbox.
>
> The @include and @load commands need to be restricted to paths within
> AWKPATH, AWKLIBPATH, and the paths specified by -i or -f when sandbox is
> enabled.
I don't think this is a bug. The sandbox option limits the runtime
environment. But the program logic, and the choice to use the sandbox
option, are in the hands of the person writing and running the program,
and should not be limited.
> Currently I can read any system file by running '@include "/etc/passwd"'.
Then, don't put that into your script. Normal *nix permissions still
apply, no matter what.
In short, I don't see a real issue here.
Thanks,
Arnold
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- Re: Sandbox improvements,
arnold <=