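########################################################################
#                                                                      #
#               This software is part of the ast package               #
#          Copyright (c) 1982-2010 AT&T Intellectual Property          #
#                      and is licensed under the                       #
#                  Common Public License, Version 1.0                  #
#                    by AT&T Intellectual Property                     #
#                                                                      #
#                A copy of the License is available at                 #
#            http://www.opensource.org/licenses/cpl1.0.txt             #
#         (with md5 checksum 059e8cd6165cb4c31e351f2b69388fd9)         #
#                                                                      #
#              Information and Software Systems Research               #
#                            AT&T Research                             #
#                           Florham Park NJ                            #
#                                                                      #
#                  David Korn <dgk@research.att.com>                   #
#                                                                      #
########################################################################

# Regression test for the ksh restricted shell (rksh).
#
# The shell under test ($SHELL) is symlinked as "rksh" inside a private
# scratch directory, and each check runs a command through it, expecting
# either a "restricted" diagnostic or none.  The exit status is the
# number of failed checks.

# Report one failed check on stderr as "<script>[<line>]: <message>" and
# count it.  $1 is the caller's line number (supplied by the alias
# below); the remaining arguments form the message.
function err_exit
{
	print -u2 -n "\t"
	# Quoted so that the [...] in the prefix can never be taken as a
	# filename pattern.
	print -u2 -r "${Command}[$1]:" "${@:2}"
	(( Errors += 1 ))
}
alias err_exit='err_exit $LINENO'

Command=${0##*/}
integer Errors=0

tmp=$(mktemp -dt) || { err_exit mktemp -dt failed; exit 1; }
# Single quotes defer the expansion of $tmp until the trap fires, and the
# inner double quotes keep the path as one word for rm -rf.
trap 'cd /; rm -rf "$tmp"' EXIT

# test restricted shell
pwd=$PWD
# Make $SHELL an absolute path: the symlink created below lives in a
# different directory, so a relative target would not resolve.
case $SHELL in
/*)	;;
*/*)	SHELL=$pwd/$SHELL;;
*)	SHELL=$(whence "$SHELL");;
esac

# Run "rksh -c <args>" and succeed only if its stderr mentions
# "restricted", i.e. the restricted shell refused the operation.
# NOTE(review): this matches on the diagnostic text, so it presumably
# depends on the message wording and locale -- confirm.
function check_restricted
{
	rm -f out
	rksh -c "$@" 2> out > /dev/null
	grep restricted out > /dev/null 2>&1
}

[[ $SHELL != /* ]] && SHELL=$pwd/$SHELL
# Everything below creates and removes files by relative name (rksh, out,
# empty, script, file).  Stop if the scratch directory cannot be entered
# so none of that happens in the caller's directory.
cd "$tmp" || { err_exit "cd $tmp failed"; exit 1; }
# Without this link a different rksh found later on PATH would be tested
# instead of $SHELL, so a failure here is fatal too.
ln -s "$SHELL" rksh || { err_exit "ln -s $SHELL rksh failed"; exit 1; }
PATH=$PWD:$PATH

# The shell invoked under the name rksh must come up restricted and
# still be able to run builtins.
rksh -c '[[ -o restricted ]]' || err_exit 'restricted option not set'
[[ $(rksh -c 'print hello') == hello ]] || err_exit 'unable to run print'

# Operations the restricted shell must refuse: command names containing
# a slash, assignments to SHELL/PATH/FPATH/ENV, and opening files for
# writing.
check_restricted /bin/echo || err_exit '/bin/echo not restricted'
check_restricted ./echo || err_exit './echo not restricted'
check_restricted 'SHELL=ksh' || err_exit 'SHELL assignment not restricted'
check_restricted 'PATH=/bin' || err_exit 'PATH assignment not restricted'
check_restricted 'FPATH=/bin' || err_exit 'FPATH assignment not restricted'
check_restricted 'ENV=/bin' || err_exit 'ENV assignment not restricted'
check_restricted 'print > file' || err_exit '> file not restricted'
> empty
check_restricted 'print <> empty' || err_exit '<> file not restricted'

# A script found through PATH must run without any "restricted"
# diagnostic, even when its body does things the restricted shell itself
# refuses.  For anyone deploying rksh this means the directories on the
# restricted user's PATH are part of the trust boundary: a script placed
# there is not held to the restrictions checked above.
print 'echo hello' > script
chmod +x ./script
! check_restricted script || err_exit 'script without builtins should run in restricted mode'
check_restricted ./script || err_exit 'script with / in name should not run in restricted mode'
print '/bin/echo hello' > script
! check_restricted script || err_exit 'script with pathnames should run in restricted mode'
print 'echo hello> file' > script
! check_restricted script || err_exit 'script with output redirection should run in restricted mode'
print 'PATH=/bin' > script
! check_restricted script || err_exit 'script with PATH assignment should run in restricted mode'
# Unquoted here-document delimiter: $SHELL is expanded now, so the
# script's #! line names the absolute path of the shell under test.
cat > script <<!
#! $SHELL
print hello
!
! check_restricted 'script;:' || err_exit 'script with #! pathname should run in restricted mode'
! check_restricted 'script' || err_exit 'script with #! pathname should run in restricted mode even if last command in script'

# typeset inside a function must not be a way around the assignment
# restriction on these variables.
for i in PATH ENV FPATH
do	check_restricted "function foo { typeset $i=foobar;};foo" || err_exit "$i can be changed in function by using typeset"
done
exit $((Errors))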