Can one find a mount point just knowing the volume name?
Neulinger, Nathan R.
nneul@umr.edu
Thu, 8 Feb 2001 11:55:03 -0600
Uh. That isn't the security hole.
How bout I create a file named "fred; pts adduser myuserid system:administrators".
It's the same issue as user input from CGIs. You're trusting user input and
shouldn't be.
-- Nathan
> -----Original Message-----
> From: Stephen Joyce [mailto:stephen@physics.unc.edu]
> Sent: Thursday, February 08, 2001 11:53 AM
> To: Neulinger, Nathan R.
> Cc: 'Morris Strongson'; info-afs@transarc.com
> Subject: RE: Can one find a mount point just knowing the volume name?
>
>
>
> Well, I run the script unattended via a wrapper script which explicitly
> sets the path to a known value (in addition to some other tasks such as
> getting tokens, logging the output, etc). You're right it should probably
> explicitly call /usr/afsws/bin/fs though.
>
> On Thu, 8 Feb 2001, Neulinger, Nathan R. wrote:
>
> > > $vol = `fs lsmount $name`;
> >
> > I hope you don't plan on running that script with a user that has any
> > privileges as you've got a gaping security hole right there.
> >
> > -- Nathan
>
> Cheers,
> Stephen
> --
> Stephen Joyce
> Systems Administrator
> Physics & Astronomy Department
> University of North Carolina at Chapel Hill
> voice: (919) 962-7214
> fax: (919) 962-0480
>
> P A N I C
> Physics & Astronomy Network Infrastructure and Computing
> http://www.panic.unc.edu
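
The point made in the reply above, as an added example that is not part of either message: the backtick form hands the file name to a shell, while a list-form pipe open passes it as a single argument. Assumptions: `/bin/echo` stands in for `/usr/afsws/bin/fs` so the script runs without AFS, the sub names are hypothetical, and the file name is constructed with a harmless `echo` after the semicolon.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Assumption: /bin/echo stands in for /usr/afsws/bin/fs so this runs without AFS.
my @CMD = ('/bin/echo', 'lsmount');

# Pattern from the thread: backticks hand one string to /bin/sh, so shell
# metacharacters inside $name are interpreted as shell syntax.
sub lsmount_shell {
    my ($name) = @_;
    return scalar `@CMD $name`;
}

# Hardened: list-form pipe open executes the program directly (no shell), so
# $name reaches it as exactly one argument, whatever characters it contains.
sub lsmount_list {
    my ($name) = @_;
    die "empty or NUL-containing name\n" if $name eq '' || $name =~ /\0/;
    $name = "./$name" if $name =~ /^-/;    # keep it from being parsed as an option
    open(my $fh, '-|', @CMD, $name) or die "cannot run $CMD[0]: $!\n";
    my $out = do { local $/; <$fh> };
    close($fh) or die "$CMD[0] exited with status $?\n";
    return $out;
}

# Constructed file name with a harmless payload after the semicolon.
my $name = 'fred; echo INJECTED';

my $shell = lsmount_shell($name);
my $list  = lsmount_list($name);

print "shell form:\n$shell";
print "list form:\n$list";

# The shell form ran a second command; the list form passed the name through intact.
die "unexpected: list form altered the name\n" unless $list eq "lsmount $name\n";
print "second command ran in shell form: ",
    ($shell =~ /^INJECTED$/m ? "yes" : "no"), "\n";
```

Setting the path in a wrapper does not change the outcome of the shell form, because the extra command comes from the file name rather than from command lookup.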