[packages/grep] - move from GREP_OPTIONS environmental variable to alias due to its obsolescence

Tomasz Pala gotar at polanet.pl
Fri Jan 2 11:06:05 CET 2015


On Wed, Dec 10, 2014 at 13:50:37 +0100, Jacek Konieczny wrote:

> Implementing any such non-standard behaviour in the distribution is a
> very bad idea. Not only we make the shell load ages to initialize
> features most users don't even know about, but we may find great

1. Having zsh one can precompile shell scripts using zcompile (builtin).
2. How about colorls.sh from coreutils? I see this commit as more harmful:

http://git.pld-linux.org/gitweb.cgi?p=packages/coreutils.git;a=commitdiff;h=e8b91122bfecdc518241fc478b8123d0501a9318

3. WTF is that?! It alters the entire output!

alias which='alias | /usr/bin/which --tty-only --read-alias --show-dot --show-tilde'

$  which ls
ls='ls --color=tty'
        /bin/ls
$  \which ls
ls: aliased to ls --color=tty

Especially --show-dot and --show-tilde are potentially dangerous (no one
should put a directory starting with a dot into PATH and no one should see
automated relative paths to binaries, which copy&pasted into some script
might become something entirely different). This comes from the which
manpage, but apparently its author ignores security implications.

(and another zsh hint: one gets the path by prepending the binary with =)

> fuck-ups years later, like this one:
> 
> http://seclists.org/fulldisclosure/2014/Nov/74

There is no fuckup, otherwise you should consider a bug in every
tool aggregating application helpers (mailcap, mc, firefox) and every
raw terminal output (cat). This is not a bit less secure than calling
these tools directly (if someone wants to see contents of cab file, he
will end up calling cabextract anyway), it might be more secure as it
eventually pipes output to less (which might prevent some control
characters from executing malicious code using the invoking terminal).

What next, removing xdg-open and entire desktop-entry? Auditing every
image on a web page and every PDF to read before rendering contents?
This is not the way to go, if someone is paranoid he should not run ANY
tool in a non-sandboxed environment, after all he might be targeted by
NSA with some 0-days. Breaking application handlers stream won't help in
any way, having some "ancient and obscure" compressed file one WANTS to
see won't make him magically write his own parser, audit appropriate
tool or any other action increasing security, unless we remove these
tools from repo. The solution is similar to removing firefox and telling
people to use wget+more to read web pages.

-- 
Tomasz Pala <gotar at pld-linux.org>
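
The concern in the message above about PATH entries that are not absolute, as an added example that is not part of the original message: a POSIX shell check that flags empty, dot and other relative entries, all of which are resolved against the current directory at lookup time. The function name audit_path and the sample PATH value are constructed for illustration.

```shell
#!/bin/sh
# audit_path PATHSTRING
# Prints one line per PATH entry that is resolved relative to the current
# directory and returns 1 if any such entry exists, 0 otherwise.
# (audit_path is a hypothetical helper name, not part of which or coreutils.)
audit_path() {
    # A trailing colon is appended so that a final empty entry ("/bin:")
    # is still seen when the string is split on ':'.
    ap_rest="${1}:"
    ap_index=0
    ap_findings=0
    while [ -n "$ap_rest" ]; do
        ap_entry=${ap_rest%%:*}     # text before the first colon
        ap_rest=${ap_rest#*:}       # everything after the first colon
        ap_index=$((ap_index + 1))
        case $ap_entry in
            '')
                # Leading, trailing or doubled colons produce an empty
                # entry, which the shell treats as the current directory.
                echo "entry $ap_index: empty (means current directory)"
                ap_findings=$((ap_findings + 1))
                ;;
            /*)
                ;;                  # absolute path: nothing to report
            *)
                # ".", "./bin", "bin", a literal "~" and similar: the
                # binary that gets run depends on where the caller stands.
                echo "entry $ap_index: relative path '$ap_entry'"
                ap_findings=$((ap_findings + 1))
                ;;
        esac
    done
    [ "$ap_findings" -eq 0 ]
}

# Constructed sample value, not taken from any real system.
SAMPLE_PATH=".:/usr/bin::/bin:"
audit_path "$SAMPLE_PATH" || echo "PATH contains entries relative to the current directory"
```
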

