
Re: The Python Registrar



On Sun, Feb 24, 2002 at 05:38:25PM +0100, Carel Fellinger wrote:
> On Sun, Feb 24, 2002 at 03:34:46PM +1100, Donovan Baarda wrote:
> ...
> > OK, I got creative and figured out a way the python-central could work
> > without using an emacs-style registry, instead just using the existing dpkg
> > "Depends:" information.
> 
> > Comments welcome. This one is a bit more tested than the last.
> 
> Great, way to go and all that.  But please, could you be more careful
> not to introduce security hassles?

This was my first rough cut, so any comments are good :-)

> I haven't looked very carefully, besides I don't know enough of shell
> scripting to really get out all the security things, but the following
> seemed too obvious even for me to overlook.
> 
> >     for p in `dpkg -S /usr/lib/python/site-packages 2>/dev/null | sed 's#,\|:.*$##g'`; do
> >         if dpkg -s $p | egrep "^Depends:.* $PYTHONXY([ ,]|$)" >/dev/null 2>&1; then
> 
> Are you sure all package names are sane?  Or could some joker distribute a
> (non official of course) python package with a name just waiting to exploit
> this unsanitized use of its name in a script running as root?

I'm trying to think of a way this could be exploited and can't. Surely any
package name sufficiently structured to try and take advantage of this would
be so screwed as to be rejected by dpkg, long before it could get into the
dpkg database of installed packages?

Would the following make you happier?

     for p in $(dpkg -S /usr/lib/python/site-packages 2>/dev/null | \
         sed 's#[,$'\''\\]\|:.*$##g'); do
         if dpkg -s "$p" | egrep "^Depends:.* $PYTHONXY([ ,]|$)" >/dev/null 2>&1; then

This should strip any characters that have special meaning within double
quotes for extra protection, and I've put quotes around $p.

> > # get_versions <package name>
> > # return installed versions of python supported by the python package
> > get_versions () {
> >     DEPENDS=`dpkg -s $1 | grep "^Depends:" | cut -d: -f2`
> 
> And here again $1 is not sanitized:(

OK, I've whacked it in quotes... is that enough?

> Maybe I'm overreacting, but I prefer debian to be rock solid and
> secure by default.

Fary-nuff.

Any extra hints on securing shell scripts are welcome...

-- 
----------------------------------------------------------------------
ABO: finger abo@minkirri.apana.org.au for more info, including pgp key
----------------------------------------------------------------------
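
An added example, not part of the original message or of python-central: rather than stripping individual characters, accept a name only if it matches the package-name syntax from Debian Policy (at least two characters, starting with a lowercase letter or digit, then only lowercase letters, digits, `+`, `-` and `.`). The function names and the sample line are hypothetical, and dpkg itself is not called.

```shell
#!/bin/sh
# Added example: allowlist check for package names. Function names are
# hypothetical and the sample line is constructed; dpkg is never called.
LC_ALL=C; export LC_ALL    # make a-z mean ASCII lowercase only

# is_valid_pkgname NAME: succeed only for the Debian Policy name syntax
# (two or more characters, first one a-z or 0-9, the rest a-z 0-9 + - .).
is_valid_pkgname () {
    case "$1" in
        ""|?)            return 1 ;;   # empty or a single character
        [!a-z0-9]*)      return 1 ;;   # a leading "-" would read as an option
        *[!a-z0-9+.-]*)  return 1 ;;   # anything outside the allowlist
    esac
    return 0
}

# names_from_dpkg_S LINE: LINE has the "pkg1, pkg2: /path" form printed by
# dpkg -S. Print accepted names one per line; report rejects on stderr.
# The body runs in a subshell so the IFS and set -f changes stay local.
names_from_dpkg_S () (
    list=${1%%:*}                      # drop ": /path"
    IFS=','
    set -f                             # no pathname expansion while splitting
    for raw in $list; do
        name=${raw# }                  # names are separated by ", "
        if is_valid_pkgname "$name"; then
            printf '%s\n' "$name"
        else
            printf 'rejected package name: %s\n' "$name" >&2
        fi
    done
)

# Constructed input: two well-formed names and three that must be refused.
sample='python-foo, -x, foo;id, Bad_Name, libbar2.1+b: /usr/lib/python/site-packages'
names_from_dpkg_S "$sample"
```

Only names that pass the check would then be handed, still quoted, to `dpkg -s "$p"`.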


