String expansion and securely running programs on Unix
July 22, 2011
One of the corollaries of how to securely run programs on Unix is that a general purpose, generic string expansion system is a bad fit with securely running programs. The problem is that there is a fundamental clash of goals between the two systems: a generic string expansion system wants to treat everything as a generic string to be expanded (regardless of what it actually is), and a secure system for running programs wants to tokenize everything using simple rules.
At this point I am going to pick on Exim for illustrative examples. Unfortunately, Exim tries to have it both ways at once and thus is a great source for showing the problems that this causes, no matter how much I like it otherwise. Please note that the problems here are generic; any program that takes either approach (or both at once as Exim does) will have the same issues.
First up is Exim's
If you are concerned about arbitrary characters appearing in
Since tokenization is expansion-blind, this fails because all the string
expansion evaluator winds up seeing is '
(The documentation does not quite put it the way that I have here.)
A side effect of tokenization before expansion is that a single string
expansion can only ever expand to a single argument. (You may or may not
be able to expand to nothing instead of a
What this points out is that command line tokenization and string
expansion need to be aware of each other. Once the dust settles,
either string expansion needs to be able to mark hard token boundaries
(I have opinions on the answer here, but this entry is already long enough as it is.)
PS: if you want to be secure with minimal effort, it's clear that you need to do tokenization before expansion and provide some sort of 'quoting' mechanism to glue a string expansion expression into a single token. This is secure while being merely inconvenient and annoying to people writing configuration files. Simple expansion before tokenization cannot be made secure at all, as previously discussed.
Written on 22 July 2011.
* * *
Atom feeds are available; see the bottom of most pages.