Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]

Groups > gnu.bash.bug > #12002

Re: SHELLOPTS=xtrace security hardening

Path csiph.com!au2pb.net!feeder.erje.net!2.us.feeder.erje.net!news.glorb.com!usenet.stanford.edu!not-for-mail
From Stephane Chazelas <stephane.chazelas@gmail.com>
Newsgroups gnu.bash.bug
Subject Re: SHELLOPTS=xtrace security hardening
Date Sun, 13 Dec 2015 22:08:17 +0000
Lines 34
Approved bug-bash@gnu.org
Message-ID <mailman.2026.1450044506.31583.bug-bash@gnu.org> (permalink)
References <20151210201649.126444eionzfsam8@webmail.alunos.dcc.fc.up.pt> <566DAFC6.4040407@case.edu>
NNTP-Posting-Host lists.gnu.org
Mime-Version 1.0
Content-Type text/plain; charset=us-ascii
X-Trace usenet.stanford.edu 1450044507 13048 208.118.235.17 (13 Dec 2015 22:08:27 GMT)
X-Complaints-To action@cs.stanford.edu
Cc up201407890@alunos.dcc.fc.up.pt, bug-bash@gnu.org
To Chet Ramey <chet.ramey@case.edu>
Envelope-to bug-bash@gnu.org
DKIM-Signature v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=date:from:to:cc:subject:message-id:references:mime-version :content-type:content-disposition:in-reply-to:user-agent; bh=GgsoRGVKQUvC26N434cpFWIzy/nf11TA7erFTIQyIZY=; b=n1AxIDZ8+Gv0yuqGLMoj11wqMkBNg0MUuA7H2JAQfMYLnyTyZXLOyl5gVVM3o7nMij 70cVix0aTgoYhU4wPR0s1GDTi1I1+e8IcKLrl5YPoSJwdMJa1WcRXgUswvGwQqpqPR3Y 3S9SBzxUV+Lf8+CEcABksyS0OGArDLPpyIyf4Wx+u4i+xXTOMm9/tx/pVe/XQA2NNvoV UQypq5J6DOT8UFy6FJpUJv2XEVn0NHzVdSvujdhc6quGT/sS8zvcDAlN4XLzvwDvpczb BMcrhZ79DjiFVCQZAoy+2QhsWHU6lylnTzJP0PwI66XGS/aoMpHuCP72wDWNxeq9qZEP kXtg==
X-Received by 10.194.178.135 with SMTP id cy7mr33302806wjc.61.1450044499820; Sun, 13 Dec 2015 14:08:19 -0800 (PST)
Content-Disposition inline
In-Reply-To <566DAFC6.4040407@case.edu>
User-Agent Mutt/1.5.21 (2010-09-15)
X-detected-operating-system by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
X-Received-From 2a00:1450:400c:c09::234
X-BeenThere bug-bash@gnu.org
X-Mailman-Version 2.1.14
Precedence list
List-Id Bug reports for the GNU Bourne Again SHell <bug-bash.gnu.org>
List-Unsubscribe <https://lists.gnu.org/mailman/options/bug-bash>, <mailto:bug-bash-request@gnu.org?subject=unsubscribe>
List-Archive <http://lists.gnu.org/archive/html/bug-bash>
List-Post <mailto:bug-bash@gnu.org>
List-Help <mailto:bug-bash-request@gnu.org?subject=help>
List-Subscribe <https://lists.gnu.org/mailman/listinfo/bug-bash>, <mailto:bug-bash-request@gnu.org?subject=subscribe>
Xref csiph.com gnu.bash.bug:12002

Show key headers only | View raw

2015-12-13 12:49:58 -0500, Chet Ramey:
[...]
> I have to tell you, if I wanted to exploit a program written this poorly,
> I wouldn't mess around with SHELLOPTS.  I'd go straight to PATH.
[...]

In the (very specific) OP's test case, he had
system("/bin/date"). Since /bin/date doesn't usually execute
other commands, PATH won't help.

SHELLOPTS+PS4 is a known way to have the shell run arbitrary
commands. Before shellshock, env /bin/date='() { cmd; }' was
another one. The fix for shellshock closed that one.

I can see why one might want to close a path to easy privilege
escalation, but IMO, the fault here is not with bash but with
setuid applications invoking other applications, let alone a
shell without sanitizing the environment.

What bash could do is document what environment variables affect
its behaviour (so setuid applications know which to sanitize),
but that's mostly already done and anyway, the proper way to
sanitize the environment is not to blacklist known troublesome
env vars (what about the unknown ones?) but to clear everything
except the ones you need (and still check and sanitize their
content).

The environment is meant to be used like that. It's meant to be
trusted. Setuid applications fail their contract if they fail to
sanitize the environment before running other applications.

-- 
Stephane

Back to gnu.bash.bug | Previous | Next | Find similar

Thread

Re: SHELLOPTS=xtrace security hardening Stephane Chazelas <stephane.chazelas@gmail.com> - 2015-12-13 22:08 +0000

csiph-web