emacs-bug-tracker

[debbugs-tracker] bug#10498: closed (New patch for rm. Jesús Hernández


From: GNU bug Tracking System
Subject: [debbugs-tracker] bug#10498: closed (New patch for rm. Jesús Hernández Gormaz.)
Date: Sat, 14 Jan 2012 03:28:01 +0000

Your message dated Sat, 14 Jan 2012 03:26:46 +0000
with message-id <address@hidden>
and subject line Re: bug#10498: New patch for rm. Jesús Hernández Gormaz.
has caused the debbugs.gnu.org bug report #10498,
regarding New patch for rm. Jesús Hernández Gormaz.
to be marked as done.

(If you believe you have received this mail in error, please contact
address@hidden)


-- 
10498: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=10498
GNU Bug Tracking System
Contact address@hidden with problems
--- Begin Message ---
Subject: New patch for rm. Jesús Hernández Gormaz.
Date: Sat, 14 Jan 2012 02:35:53 +0000

Hello, I am Jesús Hernández Gormaz.

The attachment DIFF is the patch obtained (as indicated in the HACKING file)
with the command:

    git format-patch --stdout -1 > DIFF

The rm program, using --no-preserve-root, deletes the entire root directory
recursively, without prompting. This makes it possible to hide the command
between the lines of a script that appears to have a useful function and to need
root permissions, eliminating the user's system without the user's knowledge.
In script_of_deception.sh you can see an example, very simple and not realistic,
serving only as an example of how you could trick the user (CAUTION: DO NOT
RUN without an rm that already has my patch applied).

I also included some screenshots of rm with my changes in operation, both running
rm -fr --no-preserve-root / and running script_of_deception.sh manually, in both
cases preventing the removal of the operating system without explicit user
confirmation.

The idea that this would be a nice change arose from the classes of the
microcomputer systems and networks cycle, studying GNU/Linux scripts: in
one of the practice exercises an rm was planned to run to delete the entire root
directory, and the teacher had the superuser permissions that scripts need. In a few
seconds, and without prompting, the system was completely erased. By asking the
user for confirmation, nasty accidents can be avoided when running a script that
someone wrote in a malicious way.


--
JHG.

Attachment: DIFF
Description: Binary data

Attachment: script_of_deception.sh
Description: Bourne shell script

Attachment: rm-0.png
Description: PNG image

Attachment: rm-1.png
Description: PNG image

Attachment: rm-2.png
Description: PNG image


--- End Message ---
--- Begin Message ---
Subject: Re: bug#10498: New patch for rm. Jesús Hernández Gormaz.
Date: Sat, 14 Jan 2012 03:26:46 +0000
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:6.0) Gecko/20110816 Thunderbird/6.0

tags 10498 notabug

On 01/14/2012 02:35 AM, Jesús Hernández Gormaz wrote:
> Hello, I am Jesús Hernández Gormaz.
> 
> The attachment DIFF is the patch obtained (as indicated in the HACKING file)
>   with the command:
>     git format-patch --stdout -1 > DIFF

Thanks for taking the time to do a patch.
Unfortunately I don't think this mechanism is practical.
One could always put this in a script:

  eval $(echo ZWNobyB5IHwgZXZpbF9pbnRlcmFjdGl2ZV9jb21tYW5kCg== | base64 -d)

which would be equivalent to running:

  echo y | evil_interactive_command

For many reasons the root user must be 100% sure
of all logic they're running.

cheers,
Pádraig.


--- End Message ---
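
The reply above argues that a prompt inside rm cannot protect against a hostile script, because both the command and the answer to its prompt can be hidden from the reader. As an added example (not part of this thread or of coreutils), the helper below reviews a script statically: it decodes literals fed to `base64 -d` without executing them and flags the two patterns named in the thread. The function names are hypothetical, GNU grep and base64 are assumed, and the sample script is constructed around the line quoted in the reply.

```shell
#!/bin/sh
# Added example: static review only. Nothing from the reviewed file is executed.

# Print, decoded, every base64 literal that the script echoes into `base64 -d`.
decode_hidden_commands() {
    grep -Eo 'echo[[:space:]]+[A-Za-z0-9+/=]{8,}[[:space:]]*\|[[:space:]]*base64[[:space:]]+(-d|--decode)' "$1" |
    while read -r _cmd blob _rest; do
        blob=${blob%%|*}   # tolerate "literal|base64" written without spaces
        decoded=$(printf '%s' "$blob" | base64 -d 2>/dev/null) || continue
        printf '%s\n' "$decoded"
    done
}

# Report findings for script $1; return 1 if anything was flagged, else 0.
audit_script() {
    rc=0
    hidden=$(decode_hidden_commands "$1")
    # Check the visible text and the decoded text together.
    all=$(cat "$1"; printf '%s\n' "$hidden")
    if [ -n "$hidden" ]; then
        printf '%s\n' "$hidden" | sed 's/^/DECODED: /'
        rc=1
    fi
    if printf '%s\n' "$all" | grep -Fq -e '--no-preserve-root'; then
        echo 'FLAG: rm root protection disabled (--no-preserve-root)'
        rc=1
    fi
    if printf '%s\n' "$all" |
        grep -Eq '(^|[^[:alnum:]_])(echo[[:space:]]+y|yes)[[:space:]]*\|'; then
        echo 'FLAG: confirmation prompt answered automatically'
        rc=1
    fi
    return $rc
}

# Constructed sample: looks like a harmless maintenance script.
sample=$(mktemp)
cat >"$sample" <<'EOF'
#!/bin/sh
echo "Cleaning caches..."
eval $(echo ZWNobyB5IHwgZXZpbF9pbnRlcmFjdGl2ZV9jb21tYW5kCg== | base64 -d)
EOF

audit_script "$sample" || echo "review required before running as root"
```

This only catches the literal encodings it knows about, which is the reply's point: a pattern check supports review of a script but does not replace reading all of it before running it as root.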
