[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Sandbox improvements
From: |
address@hidden |
Subject: |
Sandbox improvements |
Date: |
Thu, 25 Feb 2021 16:28:34 -0800 |
Hi Arnold, thanks for fixing the issue with rewriting ARGV.
I have found another issue with users being able to break out of the
sandbox.
The @include and @load commands need to be restricted to paths within
AWKPATH, AWKLIBPATH, and the paths specified by -i or -f when sandbox is
enabled.
Currently I can read any system file by running '@include "/etc/passwd"'.
The stderr output is generally forwarded to users for debugging. This will
yield:
awk: In file included from
/data/jobs_directory/000/245/245827/configs/tmpmcswc8w8:1:
awk: /etc/passwd:1: root:x:0:0:root:/root:/bin/sh
awk: /etc/passwd:1: ^ syntax error
awk: In file included from
/data/jobs_directory/000/245/245827/configs/tmpmcswc8w8:1:
awk: /etc/passwd:2: daemon:x:1:1:daemon:/usr/sbin:/bin/sh
awk: /etc/passwd:2: ^ syntax error
awk: In file included from
/data/jobs_directory/000/245/245827/configs/tmpmcswc8w8:1:
awk: /etc/passwd:2: daemon:x:1:1:daemon:/usr/sbin:/bin/sh
awk: /etc/passwd:2: ^ syntax error
....
The @load command does not allow reading arbitrary files but prevents
restricting users to some or no libraries.
Thanks for the amazing tool!
[Prev in Thread] |
Current Thread |
[Next in Thread] |
- Sandbox improvements,
address@hidden <=