This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
Allowing users to change execvp's shell?
- From: ludo at gnu dot org (Ludovic Courtès)
- To: libc-alpha at sourceware dot org
- Date: Sun, 16 Dec 2012 12:41:03 +0100
- Subject: Allowing users to change execvp's shell?
Hi,
In the context of GNU Guix, I'm pondering a change that would allow
users to change the shell used by 'execvp' (more details about the
rationale at <http://thread.gmane.org/gmane.linux.distributions.nixos/9748>),
along these lines:
--- a/posix/execvpe.c
+++ b/posix/execvpe.c
@@ -34,7 +34,7 @@ internal_function
scripts_argv (const char *file, char *const argv[], int argc, char **new_argv)
{
/* Construct an argument list for the shell. */
- new_argv[0] = (char *) _PATH_BSHELL;
+ new_argv[0] = getenv ("GLIBC_SHELL") ? : (char *) _PATH_BSHELL;
new_argv[1] = (char *) file;
while (argc > 1)
{
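Review bot: the replacement line `new_argv[0] = getenv ("GLIBC_SHELL") ? : (char *) _PATH_BSHELL;` consults the environment unconditionally, so in a setuid or setgid program (the case the cover text raises) the unprivileged caller chooses the interpreter that will run with the elevated privileges. Suggest honouring the variable only when the process is not AT_SECURE, the way glibc already treats its other environment overrides (the internal secure-getenv variant instead of plain `getenv`), and falling back to `_PATH_BSHELL` otherwise. Also, the GNU `? :` form only tests for NULL, so `GLIBC_SHELL=` (empty) puts "" into `new_argv[0]`; a check for an empty value would keep the unpatched fallback in that case.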
I wonder what security implications it may have.
On GNU/Hurd, relying on a hard-coded /bin/sh doesn't provide any
guarantee because users are free to choose the file system root of every
process they launch. So checking for an environment variable is no worse.
On GNU/Linux, only root (or a user with CAP_SYS_CHROOT or CAP_SYS_ADMIN)
can use chroot(2) and mount(2), so /bin/sh is likely to be what the
admins want it to be. OTOH, tweaking $GLIBC_SHELL doesn't seem worse
than tweaking $PATH.
There's the issue of setuid-root binaries. Then again, I wonder if
these should be using execvp at all in the first place.
WDYT?
Thanks,
Ludo'.
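The setuid question raised above, as an added example that is neither the patch's nor glibc's code: the same interpreter choice the hunk makes, with the privilege check a libc would want before honouring an environment override. The names choose_shell, process_is_secure and pick_shell, and the absolute-path rule, are my own assumptions.

```c
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <paths.h>          /* _PATH_BSHELL, normally "/bin/sh" */
#ifdef __linux__
#include <sys/auxv.h>       /* getauxval, AT_SECURE */
#endif

/* Hypothetical policy function (not glibc code): decide which shell
   scripts_argv() should place in new_argv[0].  `override' is the raw
   value of GLIBC_SHELL (NULL when unset); `secure' is non-zero when the
   process holds privileges its caller does not (setuid/setgid, file
   capabilities).  */
const char *
choose_shell (const char *override, int secure)
{
  /* A privileged process must not let its caller pick the interpreter. */
  if (secure)
    return _PATH_BSHELL;
  /* Unset or empty: behave exactly like the unpatched code.  The hunk's
     `getenv (...) ? : ...' form would accept "" here.  */
  if (override == NULL || *override == '\0')
    return _PATH_BSHELL;
  /* Refuse relative names so the interpreter does not depend on the
     current directory at exec time.  */
  if (override[0] != '/')
    return _PATH_BSHELL;
  return override;
}

/* Detect the secure state.  On Linux the kernel's AT_SECURE flag is
   authoritative; elsewhere fall back to the real/effective id
   comparison, which misses file-capability grants.  */
int
process_is_secure (void)
{
#ifdef __linux__
  return getauxval (AT_SECURE) != 0;
#else
  return getuid () != geteuid () || getgid () != getegid ();
#endif
}

/* What the patched scripts_argv() would do, plus the privilege check. */
const char *
pick_shell (void)
{
  return choose_shell (getenv ("GLIBC_SHELL"), process_is_secure ());
}
```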