bill@sigma.UUCP (02/06/87)
In article <552@atari.UUCP> apratt@atari.UUCP (Allan Pratt) writes: >In article <1717@hoptoad.uucp>, gnu@hoptoad.uucp (John Gilmore) says: >>In article <962@osiris.UUCP>, mjranum@osiris.UUCP (Marcus Ranum) writes: >>>What if we all agree that postings of MINIX material be in of tar format. >> Shar ... has the advantage that it is text [...] > >The problem I see with Shar is the ... Trojan Horse loophole ... When you >turn your machine over to somebody else's command script, AT YOUR OWN >COMMAND PROMPT, you're just asking for trouble. A special "unshar" script, >which only lets the shar run certain commands and put files in certain >directories, would be an appropriate patch to this. > >Makefiles also introduce this security problem.. The big problem is in safely unpacking the file. Beyond that you are on your own, as trojan horses could be placed in the makefile or the code itself. The script or C program to unpack the shar file is an excellent solution. It has already been done, albeit for (don't laugh) cp/m machines, which of course don't have 'sh', requiring that ALL commands to be recognized be built into the unshar program. This is the safest route. There should be concensus on the particular shar format to be used, to avoid the mess we currently have with the many different formats in use and complex "unshar" scripts that figure out which one was used. -- William Swan {ihnp4,decvax,allegra,...}!uw-beaver!tikal!sigma!bill chan 'eil Gaidhlig math againn /kha nel' gal'ig' mweh ag0n'/ (we do not speak good Gaelic)
rpw3@amdcad.UUCP (02/08/87)
+--------------- | There should be concensus on the particular shar format to be used, to | avoid the mess we currently have with the many different formats in use | and complex "unshar" scripts that figure out which one was used. +--------------- How about using the format produced by the Minix "shar" program? ;-} This is a C program which produces shars. It uses the "prefix everything by X" method, and uses "gres" to strip the X's when unpacking. Since we have therefore a standard format, we can write an unshar which exactly matches the shar files produced by Minix "shar". 'Nuf said? p.s. Since Unix doesn't (these days) have "gres", a suitable "gres" for unpacking such shars on Unix systems is: : gres.sh - Unix approximation of "gres" from="$1" to="$2" shift ; shift exec sed -e "s/$from/$to/" $* Rob Warnock Systems Architecture Consultant UUCP: {amdcad,fortune,sun}!redwood!rpw3 DDD: (415)572-2607 USPS: 627 26th Ave, San Mateo, CA 94403