Path: csiph.com!au2pb.net!feeder.erje.net!2.us.feeder.erje.net!news.glorb.com!usenet.stanford.edu!not-for-mail
From: Stephane Chazelas <stephane.chazelas@gmail.com>
Newsgroups: gnu.bash.bug
Subject: Re: SHELLOPTS=xtrace security hardening
Date: Sun, 13 Dec 2015 22:08:17 +0000
Lines: 34
Approved: bug-bash@gnu.org
Message-ID: <mailman.2026.1450044506.31583.bug-bash@gnu.org>
References: <20151210201649.126444eionzfsam8@webmail.alunos.dcc.fc.up.pt> <566DAFC6.4040407@case.edu>
NNTP-Posting-Host: lists.gnu.org
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Trace: usenet.stanford.edu 1450044507 13048 208.118.235.17 (13 Dec 2015 22:08:27 GMT)
X-Complaints-To: action@cs.stanford.edu
Cc: up201407890@alunos.dcc.fc.up.pt, bug-bash@gnu.org
To: Chet Ramey <chet.ramey@case.edu>
Envelope-to: bug-bash@gnu.org
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=date:from:to:cc:subject:message-id:references:mime-version :content-type:content-disposition:in-reply-to:user-agent; bh=GgsoRGVKQUvC26N434cpFWIzy/nf11TA7erFTIQyIZY=; b=n1AxIDZ8+Gv0yuqGLMoj11wqMkBNg0MUuA7H2JAQfMYLnyTyZXLOyl5gVVM3o7nMij 70cVix0aTgoYhU4wPR0s1GDTi1I1+e8IcKLrl5YPoSJwdMJa1WcRXgUswvGwQqpqPR3Y 3S9SBzxUV+Lf8+CEcABksyS0OGArDLPpyIyf4Wx+u4i+xXTOMm9/tx/pVe/XQA2NNvoV UQypq5J6DOT8UFy6FJpUJv2XEVn0NHzVdSvujdhc6quGT/sS8zvcDAlN4XLzvwDvpczb BMcrhZ79DjiFVCQZAoy+2QhsWHU6lylnTzJP0PwI66XGS/aoMpHuCP72wDWNxeq9qZEP kXtg==
X-Received: by 10.194.178.135 with SMTP id cy7mr33302806wjc.61.1450044499820; Sun, 13 Dec 2015 14:08:19 -0800 (PST)
Content-Disposition: inline
In-Reply-To: <566DAFC6.4040407@case.edu>
User-Agent: Mutt/1.5.21 (2010-09-15)
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
X-Received-From: 2a00:1450:400c:c09::234
X-BeenThere: bug-bash@gnu.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: Bug reports for the GNU Bourne Again SHell <bug-bash.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/bug-bash>, <mailto:bug-bash-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/bug-bash>
List-Post: <mailto:bug-bash@gnu.org>
List-Help: <mailto:bug-bash-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/bug-bash>, <mailto:bug-bash-request@gnu.org?subject=subscribe>
Xref: csiph.com gnu.bash.bug:12002

2015-12-13 12:49:58 -0500, Chet Ramey:
[...]
> I have to tell you, if I wanted to exploit a program written this poorly,
> I wouldn't mess around with SHELLOPTS.  I'd go straight to PATH.
[...]

In the (very specific) OP's test case, he had
system("/bin/date"). Since /bin/date doesn't usually execute
other commands, PATH won't help.

SHELLOPTS+PS4 is a known way to have the shell run arbitrary
commands. Before shellshock, env /bin/date='() { cmd; }' was
another one. The fix for shellshock closed that one.

I can see why one might want to close a path to easy privilege
escalation, but IMO, the fault here is not with bash but with
setuid applications invoking other applications, let alone a
shell without sanitizing the environment.

What bash could do is document what environment variables affect
its behaviour (so setuid applications know which to sanitize),
but that's mostly already done and anyway, the proper way to
sanitize the environment is not to blacklist known troublesome
env vars (what about the unknown ones?) but to clear everything
except the ones you need (and still check and sanitize their
content).

The environment is meant to be used like that. It's meant to be
trusted. Setuid applications fail their contract if they fail to
sanitize the environment before running other applications.

-- 
Stephane