[File] /usr/bin and /bin

Christos Zoulas christos at zoulas.com
Thu May 27 18:09:51 UTC 2021


It is all done in softmagic.c and it is fairly elaborate. I recently had to
fix a bug where #! /bin/sh matched #! /bin/shot because it did not do
"word" matching so I added a flag for that. We could use a regex I
guess so we end up with fewer entries.

christos

> On May 27, 2021, at 2:04 PM, Steve Grubb <sgrubb at redhat.com> wrote:
> 
> Hello,
> 
> On Thursday, May 27, 2021 1:26:53 PM EDT Christos Zoulas wrote:
>> Hi, I am annoyed by that too (but not yet to the level that I have sat down
>> to think how to fix it :-)
> 
> I was thinking that maybe if the first 2 characters are #!, then try matching
> against the variation in dirnames. If there is a match, replace the start
> with $Shebang or whatever token/name is agreeable. Then use this new string
> to start matching against the magic db. Separately, the magic db text files
> get fixed up to use the token/name. After compilation, both pieces can match.
> I'd consider looking into this, but not sure which source file does the
> initial parsing of the target file.
> 
> Best Regards,
> -Steve
> 
>>> On May 27, 2021, at 12:55 PM, Steve Grubb <sgrubb at redhat.com> wrote:
>>> 
>>> Hello,
>>> 
>>> I was wondering something. There are distributions that have /bin and
>>> /sbin symlinked to /usr/bin and /usr/sbin respectively. Because files
>>> could be in either place, there are tests like:
>>> 
>>> #!/bin/sh
>>> echo DEFANGED.2
>>> exit
>>> #!\ /bin/bash
>>> #!\ /usr/bin/bash
>>> #!\ /usr/local/bash
>>> #!\ /usr/local/bin/bash
>>> 
>>> and the same would apply to any other script with a shebang. Could this
>>> be solved programmatically rather than having to do this throughout the
>>> magic db for every script? I'm thinking this could make the magic db
>>> smaller and lower the maintenance associated.
>>> 
>>> Best Regards,
>>> -Steve
>>> 
>>> 
>>> --
>>> This message has been 'sanitized'.  This means that potentially
>>> dangerous content has been rewritten or removed.  The following
>>> log describes which actions were taken.
>>> 
>>> Sanitizer (start="1622134559"):
>>> SanitizeFile (filename="unnamed.txt", mimetype="text/plain"):
>>>   Match (names="unnamed.txt", rule="9"):
>>>     Enforced policy: accept
>>> 
>>> Defanged UNIX shell script(s).
>>> Total modifications so far: 1
>>> 
>>> Anomy 0.0.0 : Sanitizer.pm
>>> $Id: Sanitizer.pm,v 1.94 2006/01/02 16:43:10 bre Exp $
> 
> 
> 

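The matching idea discussed in this thread, as an added example that is not part of the thread or of file's own source: recognise the `#!` prefix, strip the directory variants listed in the thread, and compare the interpreter name as a whole word so that `/bin/sh` does not match `/bin/shot`. The function names and the directory table are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Directory spellings treated as equivalent (those listed in the thread),
   longest first so "/usr/local/bin/" is tried before "/usr/local/". */
static const char *const shebang_dirs[] = {
    "/usr/local/bin/", "/usr/local/", "/usr/bin/", "/bin/", NULL
};

/* Hypothetical helper: if line is "#!" plus an interpreter in one of
   shebang_dirs, copy the interpreter name without its directory into out
   and return its length; return 0 for anything else. */
size_t shebang_interp(const char *line, char *out, size_t outlen)
{
    const char *p = line;
    if (outlen == 0 || strncmp(p, "#!", 2) != 0)
        return 0;
    p += 2;
    p += strspn(p, " \t");          /* accept "#!/bin/sh" and "#! /bin/sh" */
    for (size_t i = 0; shebang_dirs[i] != NULL; i++) {
        size_t d = strlen(shebang_dirs[i]);
        if (strncmp(p, shebang_dirs[i], d) != 0)
            continue;
        /* The name is the whole word up to whitespace or end of line. */
        size_t n = strcspn(p + d, " \t\r\n");
        if (n == 0 || n >= outlen || memchr(p + d, '/', n) != NULL)
            return 0;
        memcpy(out, p + d, n);
        out[n] = '\0';
        return n;
    }
    return 0;
}

/* Whole-word comparison: "/bin/shot" yields "shot", which is not "sh". */
int shebang_is(const char *line, const char *name)
{
    char interp[64];
    return shebang_interp(line, interp, sizeof(interp)) != 0 &&
        strcmp(interp, name) == 0;
}

int main(void)
{
    /* Constructed sample lines, not taken from the magic db. */
    printf("%d %d\n", shebang_is("#! /usr/bin/bash -e\n", "bash"),
        shebang_is("#! /bin/shot\n", "sh"));
    return 0;
}
```

With this shape a single comparison per interpreter covers every directory in the table, and a path outside the table (or one with extra components after the directory) is rejected rather than partially matched.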