
217 points tanelpoder | 3 comments
jandrese No.26492618
This seems to be more of "don't paste garbage into a terminal, especially as root." With a sidenote that it might be safer if your custom application command interpreter didn't use > as the prompt character. I note that Bourne shell defaults to the safer % and # characters for the prompt. The # character for root is especially safe.
1. gnramires No.26494723
What about eliminating root usage? Could sudo be used here? Or perhaps every root command should need a confirmation prompt before execution.
2. devmor No.26494893
Yeah this feels like more of a cautionary tale about proper privilege and directory management.

Was there really a reason for OP to be inside the binary directory for the application in order to use it?

Why was the binary writeable in the first place?

If the binary was not normally writeable but the user was privileged, was it necessary to use a privileged user for this operation?

You could probably create a pretty extensive list of failures that led to this issue. I think the author honed in on the one that made the most sense to himself and missed the forest for the tree.

3. salawat No.26498793
So if someone grabs your hair during a fight, are you going to go bald the rest of your life? Just paste it somewhere besides a terminal. I swear, security people have run away with everyone's good sense.

There's a point of diminishing returns where running with something that can cause a problem is completely practicable and justifiable. We don't need the nteenth "Shell that protects you from malicious paste" functionality. Just use root judiciously. If you can't be comfortable running as root and keeping yourself out of trouble, then you really don't know enough to use the machine safely.

You must be 10% smarter than the piece of equipment. No amount of good-natured or well-intentioned "protect you from yourself" coding will obviate you of the need to know what you are doing, the limitations of the machine, and the limitations of the program you're using. In fact, all it does is increase the bar for how many things worth of minutiae you have to account for.