OpenBSD Journal

Extending stsh to work with CVS

Contributed by grey on from the welcome improvements dept.

Thanks to Jose Nazario for pointing out that Olivier Cherrier has made some improvements to stsh in order to get it to work in conjunction with CVS. His page detailing this as well as links to his updated tarball may be found here:

http://www.symacx.com/data/software/stsh/

Olivier kindly requested that we double-check to make sure that he didn't introduce any security bugs into the wrapper before announcing it, but I'm not sure I'm the best person for that, so hopefully some of our readers may be able to assist in that respect. :)



  1. By Anonymous Coward (81.64.227.144) on

    main(int argc, char *argv[])
    
    [...]
    
    char *args[64];
    
    [...]
    
    for ( i = 2; i <= argc; i++ ) {
        args[i] = argv[i];
    
    
    would be great that malicious users won't send 65 args ...

    1. By Anonymous Coward (81.64.227.144) on

      hu, and by the way, "snprintf(s, sizeof(s), args[2]);" should be format protected (or better, replaced by strlcpy(3)), since we get args[2] straight from userland. Didn't read the code that far until I posted last comment ;)

    2. By oc (213.41.162.220) on

      Yes, right. The mistake is gone.
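
The two fixes suggested in the comments above (bounding the copy into the 64-slot `args[]` and never passing `args[2]` as a format string), as an added C example that is not part of the thread and not stsh's own code. `copy_args`, `copy_cmd`, `MAXARGS` and the 256-byte buffer are names and sizes assumed for illustration; `snprintf` with a constant `"%s"` is used instead of strlcpy(3) only so the block also builds where strlcpy is unavailable.

```c
#include <stdio.h>
#include <string.h>

#define MAXARGS 64	/* same size as the args[] array quoted in the comment */

/* Copy argv[2..argc] (including the NULL at argv[argc]) into args[] at the
 * same indexes, as the quoted loop does. Returns the number of non-NULL
 * arguments copied, or -1 if args[argc] would fall outside args[]. */
int
copy_args(int argc, char *argv[], char *args[], size_t nargs)
{
	int i;

	if (argc < 2 || (size_t)argc >= nargs)
		return -1;
	for (i = 2; i <= argc; i++)
		args[i] = argv[i];
	return argc - 2;
}

/* Copy a user-supplied string into dst as data: with the constant "%s"
 * format, conversion specifiers inside src are never interpreted.
 * Returns 0 on success, -1 if src was truncated. */
int
copy_cmd(char *dst, size_t dstsize, const char *src)
{
	int n = snprintf(dst, dstsize, "%s", src);

	return (n < 0 || (size_t)n >= dstsize) ? -1 : 0;
}

int
main(int argc, char *argv[])
{
	char *args[MAXARGS];
	char s[256];	/* assumed buffer size */

	if (copy_args(argc, argv, args, MAXARGS) < 1) {
		fprintf(stderr, "need 1 to %d arguments after argv[1]\n", MAXARGS - 3);
		return 1;
	}
	if (copy_cmd(s, sizeof(s), args[2]) == -1) {
		fprintf(stderr, "command too long\n");
		return 1;
	}
	printf("%s\n", s);
	return 0;
}
```
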

  2. By Anonymous Coward (129.10.116.200) on

    uh, or better yet just use Dugsong's original stsh which doesn't have any of these stupid bugs and actually works, he posted it to tech@openbsd.org a few years ago. I don't know why Jose would release a broken ripoff of it without credit anyhow.

      1. By SH (82.182.103.172) on

        He refers to the post by Dug Song describing some of his systrace setup, including a systraced shell that does copy arguments.

        Last time I played with systrace, I modified Jose's stsh to include copying of command line arguments from Dug Song's stsh. I did not try to use it with cvs, but it worked fine for stuff like "ssh nobody@somewhere ls -la /etc".

    1. By jose (192.5.109.49) foobar@thefoo.com on http://monkey.org/~jose/

      from my web page for stsh:
      acknowledgements
      niels provos, dug song, eric jackson for ideas, systrace support, and patches. gustavo's help with the login.conf(5) installation method. can acar and justin heesemann for bugreports and testing. jeff nathan for some help in getting 0.3 out the door.
      i acknowledge dug and his code, that has long since been there. at the time i initially wrote stsh, i wanted a few things: to demonstrate for the openbsd book i was writing at the time one way to accomplish a fully systraced user, to explore it for myself, and to do so without relying on the (at the time) unreleased systrace shell from dug and the other monkey.org admins. sure, i ripped off the concept (i am, after all, a monkey.org user), but i also contributed something to the community and gave dug the credit due to him for it.

      as far as i can tell, oliver has kept my name on the sources where it belongs and acknowledges his additions as his own. i'm fine with that, the license allows it, and i'm no longer maintaining stsh. it met my needs. as the original author of my code, shouldn't that be enough?

      1. By Anonymous Coward (67.102.173.11) on

        No, because Olivier keeps telling everybody he 'wrote' stsh, this is NOT acceptable.

        1. By Brad (204.101.180.70) brad at comstyle dot com on

          Oliver clearly credits Jose and the website says right at the top "Here is a modified version of the stsh sytraced shell.", notice it says modified. You really need to learn how to read.

  3. By Anonymous Coward (67.102.173.11) on

    Olivier Cherrier stole the work from Jose Nazario, I know him personally, he can not be trusted, and his code stinks really bad.

    1. By Bradley (146.186.107.112) on

      Says an Anonymous Coward. Sorry, I don't trust you either unless you provide solid evidence which proves what you're saying.
