Assignment 4, due Feb 21

Part of the homework for 22C:169, Spring 2011
by Douglas W. Jones
THE UNIVERSITY OF IOWA Department of Computer Science

Always, on every assignment, please write your name legibly as it appears on your University ID and on the class list! All assignments will be due at the start of class on the day indicated (usually a Friday). Unless there is what insurance companies call "an act of God" (something outside your control), the only exceptions to this rule will be by advance arrangement.

  1. Background: Here is a shell script that was given at the end of Friday's lecture:
    # shellscript args
    # a shell script to echo its args
    # create tempfile
    /bin/echo > tempfile
    set argc = $#argv
    @ count = 1
    while ($count <= $argc)
    	/bin/echo argv[ ${count} ] = $argv[$count] >> tempfile
    	@ count = $count + 1
    end
    #output tempfile
    cat tempfile
    rm -f tempfile

    Notes: The > operator creates a file and directs standard output of the command to that file. The >> operator appends the output of the command to the indicated file. The quote marks 'text' suppress all interpretation of the quoted text. The quote marks "text" permit $ substitution within the quoted text. The quote marks `text` cause the indicated text to be executed as a shell command with the output of the command replacing the indicated string. The shell variable $$ is the current process ID. Each time you launch a new shell, $$ takes on a new value local to that shell. The shell command eval evaluates its arguments as a shell command.

    a) Can you find any vulnerabilities in this version of the script? (0.5 points)

    b) This script poses a possible threat to its users because of its use of a fixed file name, tempfile. How would the threat change if it used tempfile$$? (Would the threat be eliminated? If not, would the threat be reduced?) (0.5 points)

    c) Suppose you changed $argv[$count] to `echo $argv[$count]`. Does this create any vulnerabilities? (Experiment!) (0.5 points)

    d) Suppose you changed $argv[$count] to `eval echo $argv[$count]`. Why is this different from your answer to part c? (Experiment!) (0.5 points)

  2. Background: Here is another shell script, one that is somewhat more sophisticated:
    # foreachfile command
    # a shell script to apply command to each file in the current directory
    set ListOfFiles = `ls`
    set Count = 1
    set ListLength = $#ListOfFiles
    while ($Count <= $ListLength)
            $argv $ListOfFiles[$Count]
            @ Count = $Count + 1
    end

    For example, foreachfile echo will list each file name, one per line, and foreachfile ls -dl will do almost the same thing as the ls -l command, but with rather poorer formatting. Variations on this script could be useful for making backups and many other things, but there are several severe problems with this script.

    a) This script does not work correctly when file names contain blanks. What is the problem? (0.5 points)

    b) What is the difference between foreachfile echo and foreachfile eval echo? Does this say anything about the vulnerability of this script to shell injection attacks? (0.5 points)

    c) Suppose your directory has file names that are also Unix shell command names such as date and ls. Can you make this script execute those commands? If you can, this becomes another possible path for an injection attack. (0.5 points)

  3. Background: In answering the parts of problem 2, you no doubt found several vulnerabilities in the shell script given in that problem. Fix them using the tools outlined in Friday's lecture. In the event that a problem is found, your modified script should echo an error message to standard error using echo errmsg >/dev/stderr (NOTE: The former version of this assignment said to use 1>&2 -- a mechanism that only works in the bash shell.) Having output the error message, your modified script should exit using the exit command. (1.5 points)
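
The quoting rules listed in the Notes under problem 1, shown on one input as an added example that is not part of the original assignment. It is written in POSIX sh rather than the csh of the assignment's scripts, so csh may differ in detail; SAMPLE, the function names and the is_plain_word check are assumptions made for illustration.

```sh
#!/bin/sh
# Added example in POSIX sh; the assignment's own scripts are csh.
# SAMPLE is constructed input standing in for an untrusted argument.
SAMPLE='`echo RAN`'

# 'text': nothing inside the quotes is interpreted.
single_quoted() { printf '%s\n' '$$ `echo RAN`'; }

# "text": $ substitution happens once; the substituted value is not re-parsed.
double_quoted() { printf '%s\n' "$1"; }

# `text`: the command runs and its output replaces the string. The argument
# is expanded once inside the backquotes, so it is still handled as data.
backquoted() {
    out=`printf '%s' "$1"`
    printf '%s\n' "$out"
}

# eval: the expanded text is parsed a second time as a command line, so
# backquotes carried inside the argument are now executed.
evaluated() { eval "printf '%s\n' $1"; }

# Defensive check before a value may reach eval or an unquoted expansion:
# accept only a non-empty word built from a fixed allow-list of characters.
is_plain_word() {
    case "$1" in
        ''|*[!A-Za-z0-9._/-]*) return 1 ;;
    esac
    return 0
}

# Show each form on the same constructed input.
for f in single_quoted double_quoted backquoted evaluated; do
    printf '%-14s -> ' "$f"
    "$f" "$SAMPLE"
done
if is_plain_word "$SAMPLE"; then echo "accepted"; else echo "rejected"; fi
```

Only the eval form turns the argument's text into a command; the allow-list check rejects the sample before it could get that far.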