Assignment 4, due Feb 21
Part of the homework for 22C:169, Spring 2011
Always, on every assignment, please write your name legibly as it appears on your University ID and on the class list! All assignments will be due at the start of class on the day indicated (usually a Friday), and unless there is what insurance companies call "an act of God" (something outside your control), the only exceptions to this rule will be by advance arrangement.
    #!/bin/tcsh
    # shellscript args
    #   a shell script to echo its args

    # create tempfile
    /bin/echo > tempfile

    set argc = $#argv
    @ count = 1
    while ($count <= $argc)
        /bin/echo argv[ ${count} ] = $argv[$count] >> tempfile
        @ count = $count + 1
    end

    #output tempfile
    cat tempfile
    rm -f tempfile
Notes:
The > operator creates a file and directs standard output of the command to that file.
The >> operator appends the output of the command to the indicated file.
The quote marks 'text' suppress all interpretation of the quoted text.
The quote marks "text" permit $ substitution within the quoted text.
The quote marks `text` cause the indicated text to be executed as a shell command with the output of the command replacing the indicated string.
The shell variable $$ is the current process ID. Each time you launch a new shell, $$ takes on a new value local to that shell.
The shell command eval evaluates its arguments as a shell command.
a) Can you find any vulnerabilities in this version of the script? (0.5 points)
b) This script poses a possible threat to its users because of its use of a fixed file name, tempfile. How would the threat change if it used tempfile$$? (Would the threat be eliminated? If not, would the threat be reduced?) (0.5 points)
c) Suppose you changed $argv[$count] to `echo $argv[$count]`. Does this create any vulnerabilities? (Experiment!) (0.5 points)
d) Suppose you changed $argv[$count] to `eval echo $argv[$count]`. Why is this different from your answer to part c? (Experiment!) (0.5 points)
    #!/bin/tcsh
    # foreachfile command
    #   a shell script to apply command to each file in the current directory

    set ListOfFiles = `ls`
    set Count = 1
    set ListLength = $#ListOfFiles
    while ($Count <= $ListLength)
        $argv $ListOfFiles[$Count]
        @ Count = $Count + 1
    end
For example, foreachfile echo will list each file name, one per line, and foreachfile ls -dl will do almost the same thing as the ls -l command, but with rather poorer formatting. Variations on this script could be useful for such things as making backups and many other things, but there are several severe problems with this script.
a) This script does not work correctly when file names contain blanks. What is the problem? (0.5 points)
b) What is the difference between foreachfile echo and foreachfile eval echo? Does this say anything about the vulnerability of this script to shell injection attacks? (0.5 points)
c) Suppose your directory has file names that are also Unix shell command names such as date and ls. Can you make this script execute those commands? If you can, this becomes another possible path for an injection attack. (0.5 points)
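
A hardened counterpart of the two scripts above, added here as an example and not part of the assignment. It is written in POSIX sh rather than tcsh, and the function names echo_args, for_each_file and demo, along with the sample arguments and file names, are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not the assignment's code: POSIX sh counterparts of the two
# tcsh scripts. echo_args, for_each_file and demo are hypothetical names.

# Like the first script, but the scratch file comes from mktemp (unpredictable
# name, created exclusively, mode 0600) instead of a fixed name in the cwd.
echo_args() {
    tmp=$(mktemp "${TMPDIR:-/tmp}/echoargs.XXXXXX") || return 1
    count=1
    for arg in "$@"; do
        # %s prints the argument as data: it is never re-parsed, globbed
        # or run through command substitution.
        printf 'argv[%d] = %s\n' "$count" "$arg" >> "$tmp"
        count=$((count + 1))
    done
    cat "$tmp"
    rm -f -- "$tmp"
}

# Like the second script, but globs instead of parsing `ls` output, so a name
# with blanks stays one word. Each name is passed as a single argument with a
# ./ prefix (cannot be read as an option), and the function refuses to run
# without a command, so a file name never lands in command position.
for_each_file() {
    [ "$#" -gt 0 ] || { echo "usage: for_each_file command [args]" >&2; return 2; }
    for f in ./*; do
        [ -e "$f" ] || [ -L "$f" ] || continue   # unmatched glob stays literal
        "$@" "$f"
    done
}

# Run both functions on constructed sample input in a scratch directory.
demo() {
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" || exit 1
        : > 'two words.txt'; : > 'date'; : > '-n'   # constructed file names
        echo_args 'a  b' '$HOME' '`date`' '*'
        for_each_file printf '[%s]\n'
    )
    rm -rf -- "$dir"
}

demo
```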