jamessan / vim-gnupg

This script implements transparent editing of gpg encrypted files.
http://www.vim.org/scripts/script.php?script_id=3645
729 stars 73 forks source link

Problem when /bin/sh doesn't exist #80

Open Neo-Oli opened 7 years ago

Neo-Oli commented 7 years ago

I'm trying to get this to run on Termux. /bin/sh doesn't exist on this system. I had to change Line 361 to let s:shell = 'sh' to get it to work. Perhaps this should be the default, or at least be a fallback if /bin/shdoesn't exist

jamessan commented 7 years ago

Thanks for the report! That sounds like a reasonable change.

jamessan commented 7 years ago

@Neo-Oli Hmm, it's fairly common to hard-code well known paths like /bin/sh, especially when you want to reduce the chances of running arbitrary executables. Is Termux really expecting all software that gets run in that environment to have to change? There are over 200,000 matches for /bin/sh on Debian's code search.

Neo-Oli commented 7 years ago

@jamessan Those 200'000 matches are mostly shebangs, which can be easily dealt with (termux-fix-shebang in Termux). The problem is when /bin/sh or similar gets executed directly from the script. Also this is not a Problem of Termux. It's a problem of Android. Android doesn't have a /bin/ directory (It has /system/bin/). So code like this can't run on Android. But it's not just Termux that this problem occurs on. All Prefixed systems, like Gentoo Prefix, likely suffer from the same problem. That's why most modern software tries to avoid hard-coding paths. Checking if /bin/sh is executable is a good idea anyway, since the error messages it gives lead one to conclude that gpg is somehow broken. I implore you to at least use the sh that's in the $PATH if /bin/sh is not executable.

jamessan commented 7 years ago

That's why most modern software tries to avoid hard-coding paths.

I get that, but there are trade-offs to that choice. Allowing any arbitrary executable in $PATH which happens to be named sh to run increases the potential risk of exposing the user's sensitive information. Although, I guess that argument doesn't really hold water given that the plugin is not using a qualified path for gpg itself.

Checking if /bin/sh is executable is a good idea anyway, since the error messages it gives lead one to conclude that gpg is somehow broken.

Completely agree with this point.