Sandbox improvements

bug-gawk

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Sandbox improvements

From:	address@hidden
Subject:	Sandbox improvements
Date:	Thu, 25 Feb 2021 16:28:34 -0800

Hi Arnold, thanks for fixing the issue with rewriting ARGV.
I have found another issue with users being able to break out of the
sandbox.

The @include and @load commands need to be restricted to paths within
AWKPATH, AWKLIBPATH, and the paths specified by -i or -f when sandbox is
enabled.

Currently I can read any system file by running '@include "/etc/passwd"'.
The stderr output is generally forwarded to users for debugging. This will
yield:

awk: In file included from
/data/jobs_directory/000/245/245827/configs/tmpmcswc8w8:1:
awk: /etc/passwd:1: root:x:0:0:root:/root:/bin/sh
awk: /etc/passwd:1:     ^ syntax error
awk: In file included from
/data/jobs_directory/000/245/245827/configs/tmpmcswc8w8:1:
awk: /etc/passwd:2: daemon:x:1:1:daemon:/usr/sbin:/bin/sh
awk: /etc/passwd:2:       ^ syntax error
awk: In file included from
/data/jobs_directory/000/245/245827/configs/tmpmcswc8w8:1:
awk: /etc/passwd:2: daemon:x:1:1:daemon:/usr/sbin:/bin/sh
awk: /etc/passwd:2:                              ^ syntax error
....


The @load command does not allow reading arbitrary files but prevents
restricting users to some or no libraries.

Thanks for the amazing tool!

[Prev in Thread]

Current Thread

[Next in Thread]

Sandbox improvements, address@hidden <=

Prev by Date: Re: Building on Msys2
Previous by thread: Building on Msys2
Index(es):
- Date
- Thread