Re: LYNX-DEV [Fwd: BoS: A vulnerability in Lynx (all versions)]
From: Klaus Weide
Subject: Re: LYNX-DEV [Fwd: BoS: A vulnerability in Lynx (all versions)]
Date: Tue, 6 May 1997 23:56:33 -0500 (CDT)

On Tue, 6 May 1997, Henri Torgemane wrote:

> Subject: LYNX-DEV [Fwd: BoS: A vulnerability in Lynx (all versions)]
>
> Here's something posted yesterday on a security mailing list.
> You may want to look at it.

Something like the appended wrapper shell script should prevent this.
[ Of course, no guarantees. Comments?? ]

It should work on Unix(-like) systems for all Lynx versions that
understand the LYNX_TEMP_SPACE environment variable - which may be
all of them.

Klaus

------------ snip -----------
#!/bin/sh
#
# This wrapper script for Lynx creates a unique subdirectory of /tmp/
# where files can be read and written only by the user, and tries to
# remove it (and any remaining files there) after Lynx exits.
# The environment variable LYNX_TEMP_SPACE is set before launching Lynx,
# so that it will use the subdirectory for temporary files instead of
# (typically) creating them directly in /tmp/.
# It intentionally fails if the subdirectory cannot be created
# (for example because it already exists).
#
# It could be used by individual users or installed system wide.
# Some things most likely need to be modified. For example use full
# paths for commands.
#
# Don't use without modification for an anonymous (captive) guest account!
#
# Name for the subdir, most important is "$$" for process id.
# After shell expansion it should only consist of "normal" filename
# characters [a-zA-Z0-9._-], nothing that would require shell, URL,
# or HTML escaping.
# *** The subdirectory will be removed on exit ***
# You have been warned...
LYNX_TEMP_SPACE=/tmp/LY$$-$USER
# We still may want to use the original umask while Lynx is running
oldumask=`umask`
umask 077 || { echo "$0: cannot change umask!"; exit 1; }
# Create subdir
mkdir "$LYNX_TEMP_SPACE" || {
    echo "$0: cannot create $LYNX_TEMP_SPACE !"; exit 1; }
# Make sure at least one file exists
touch "$LYNX_TEMP_SPACE/.created" || {
    echo "$0: cannot create $LYNX_TEMP_SPACE/.created !"; exit 1; }
# Just to make sure...
chmod 700 "$LYNX_TEMP_SPACE" || {
    echo "$0: cannot chmod $LYNX_TEMP_SPACE !"; exit 1; }
umask $oldumask
# The following line may need to be modified
trap "rm -r \"$LYNX_TEMP_SPACE\"; exit \$?" EXIT INT QUIT ILL TRAP IOT KILL PIPE TERM
export LYNX_TEMP_SPACE
# Finally, call Lynx.
# You may want to put additional flags that always should be used on
# the following line, -show_cursor and -cookies are only examples
# that work with newer versions.
# Of course, change the path!
/path/to/bin/lynx -show_cursor -cookies "$@"
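
The same approach as the wrapper above, split into functions so each property can be checked on its own: the name must not already exist, the result must be a mode-700 directory owned by the caller, and cleanup keeps the command's exit status. This is an added example, not part of the original post or of Lynx; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the original post; function names are hypothetical.

# Create a private directory under $1 (default /tmp) and print its path.
# Plain mkdir (no -p) fails if the name exists in any form, including a
# symlink, so an entry created beforehand by someone else is never reused.
# The umask change is confined to a subshell; the caller's umask is untouched.
make_private_dir() {
    base=${1:-/tmp}
    name=${2:-LY$$-${USER:-$(id -u)}}
    ( umask 077 && mkdir "$base/$name" ) 2>/dev/null || return 1
    printf '%s\n' "$base/$name"
}

# Succeed only if $1 is a real directory (not a symlink) with mode 700
# that is owned by the current user.
is_private_dir() {
    [ -d "$1" ] && [ ! -L "$1" ] || return 1
    ls -ldn "$1" | (
        read -r mode _links uid _rest
        case $mode in drwx------*) ;; *) exit 1 ;; esac
        [ "$uid" = "$(id -u)" ]
    )
}

# Run a command with LYNX_TEMP_SPACE set to a fresh private directory,
# remove the directory afterwards, and return the command's exit status.
run_with_private_tmp() {
    dir=$(make_private_dir "${TMPDIR:-/tmp}") || return 1
    is_private_dir "$dir" || { rmdir "$dir"; return 1; }
    LYNX_TEMP_SPACE=$dir "$@"
    status=$?
    rm -rf "$dir"
    return "$status"
}
```

Calling `run_with_private_tmp /path/to/bin/lynx "$@"` from a wrapper gives the same effect as the script above without relying on a signal trap for the normal exit path.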