Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]
Groups > gnu.bash.bug > #12000
| From | Chet Ramey <chet.ramey@case.edu> |
|---|---|
| Newsgroups | gnu.bash.bug |
| Subject | Re: SHELLOPTS=xtrace security hardening |
| Date | 2015-12-13 12:49 -0500 |
| Organization | ITS, Case Western Reserve University |
| Message-ID | <mailman.1990.1450029011.31583.bug-bash@gnu.org> (permalink) |
| References | <20151210201649.126444eionzfsam8@webmail.alunos.dcc.fc.up.pt> |
On 12/10/15 2:16 PM, up201407890@alunos.dcc.fc.up.pt wrote: > Hello, > > This is a suggestion for a bash security hardening patch which prevents > xtrace from being initialized to the SHELLOPTS environment variable when a > new shell starts. This is far too drastic a solution to the problem you have posed. > xtrace can be used to exploit bogus system()/popen() calls on setuid > binaries via a specially crafted PS4 environment variable leading to > privilege escalation, like so: I don't really see privilege escalation here. Your setuid root program sets the real and effective UIDs to 0 and calls system(). There is no way to distinguish this as the result of running a setuid program, and any privilege escalation takes place before system() runs. I have to tell you, if I wanted to exploit a program written this poorly, I wouldn't mess around with SHELLOPTS. I'd go straight to PATH. This isn't a good reason to take xtrace out of $SHELLOPTS unconditionally. It's not even a good enough reason to ignore SHELLOPTS if the shell is running as uid 0. -- ``The lyf so short, the craft so long to lerne.'' - Chaucer ``Ars longa, vita brevis'' - Hippocrates Chet Ramey, ITS, CWRU chet@case.edu http://cnswww.cns.cwru.edu/~chet/
Back to gnu.bash.bug | Previous | Next | Find similar
Re: SHELLOPTS=xtrace security hardening Chet Ramey <chet.ramey@case.edu> - 2015-12-13 12:49 -0500
csiph-web