From: Mike Frysinger
Newsgroups: gnu.bash.bug
Subject: Re: [PATCH/RFC] do not source/exec scripts on noexec mount points
Date: Mon, 14 Dec 2015 00:22:06 -0500
To: Stephane Chazelas
Cc: bug-bash@gnu.org

On 12 Dec 2015 23:05, Stephane Chazelas wrote:
> 2015-12-12 16:01:26 -0500, Mike Frysinger:
> [...]
> > This is not a perfect solution as it can still be worked around by
> > inlining the code itself:
> > $ bash -c "$(cat /dev/shm/test.sh)"
> > hi
>
> Or
>
> cat /dev/shm/test.sh | bash

right, there's no way to look through pipes

> I think this kind of hardening is better left to things like
> selinux/apparmor.

security is not an all-or-nothing proposition.  the whole point is to
have defence in depth.
-mike
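
The limit conceded in the reply above ("no way to look through pipes"), as an added example that is not part of the original message or of the patch under discussion: a noexec check can consult the mount flags behind an open file descriptor, but a pipe has no originating mount to consult. The function and enum names are hypothetical, and the code assumes Linux, where `fstatvfs()` reports the mount's noexec option as `ST_NOEXEC`.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/statvfs.h>
#include <unistd.h>

#ifndef ST_NOEXEC
#define ST_NOEXEC 8   /* Linux value, used when the libc headers hide the name */
#endif

/* Hypothetical names, not bash's own. */
enum script_verdict { SCRIPT_ALLOW, SCRIPT_DENY, SCRIPT_NO_ORIGIN, SCRIPT_ERROR };

/* Pure decision: only a regular file has a mount whose flags can be consulted. */
static enum script_verdict verdict_from(mode_t mode, unsigned long mnt_flags)
{
    if (!S_ISREG(mode))
        return SCRIPT_NO_ORIGIN;          /* pipe, tty, socket */
    return (mnt_flags & ST_NOEXEC) ? SCRIPT_DENY : SCRIPT_ALLOW;
}

/* Classify an already-open script source by descriptor (avoids a path race). */
static enum script_verdict check_script_fd(int fd)
{
    struct stat st;
    struct statvfs vfs;
    if (fstat(fd, &st) != 0)
        return SCRIPT_ERROR;
    if (!S_ISREG(st.st_mode))
        return SCRIPT_NO_ORIGIN;          /* pipefs flags say nothing about the data */
    if (fstatvfs(fd, &vfs) != 0)
        return SCRIPT_ERROR;
    return verdict_from(st.st_mode, vfs.f_flag);
}

int main(int argc, char **argv)
{
    static const char *names[] = { "allow", "deny (noexec)", "no origin", "error" };
    int p[2];
    if (pipe(p) == 0)                     /* what `cat script | bash` hands the shell */
        printf("pipe: %s\n", names[check_script_fd(p[0])]);
    if (argc > 1) {                       /* optional: a script path to classify */
        int fd = open(argv[1], O_RDONLY);
        printf("%s: %s\n", argv[1], names[check_script_fd(fd)]);
        if (fd >= 0) close(fd);
    }
    return 0;
}
```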