From: up201407890@alunos.dcc.fc.up.pt
Newsgroups: gnu.bash.bug
Subject: Re: SHELLOPTS=xtrace security hardening
Date: Mon, 14 Dec 2015 18:01:13 +0100
References: <20151210201649.126444eionzfsam8@webmail.alunos.dcc.fc.up.pt> <566DAFC6.4040407@case.edu> <20151213220817.GC7138@chaz.gmail.com>
In-Reply-To: <20151213220817.GC7138@chaz.gmail.com>
To: "Stephane Chazelas"
Cc: bug-bash@gnu.org, Chet Ramey

Quoting "Stephane Chazelas" :

> SHELLOPTS+PS4 is a known way to have the shell run arbitrary
> commands. Before shellshock, env /bin/date='() { cmd; }' was
> another one. The fix for shellshock closed that one.

Yes, exporting a function was a better known attack against this.

> I can see why one might want to close a path to easy privilege
> escalation, but IMO, the fault here is not with bash but with
> setuid applications invoking other applications, let alone a
> shell without sanitizing the environment.

Obviously it's always the application's fault. The thing is that a simple patch in bash can stop most of these applications from getting exploited. It would be easier hardening bash than securing those applications one by one.
Also, if you haven't read my previous email, my new suggestion of initializing $PS4 with its default value "+ ", and not importing it from the environment, would be a much better solution. This way xtrace can still be used, and the prompt would be its default "+ ".

$ diff -Naur bash-4.2.53 bash-4.2.53.patch/
diff -Naur bash-4.2.53/variables.c bash-4.2.53.patch/variables.c
--- bash-4.2.53/variables.c	2014-10-01 20:54:55.000000000 +0100
+++ bash-4.2.53.patch/variables.c	2015-12-13 21:51:38.926476398 +0000
@@ -465,7 +465,10 @@
 #endif
       set_if_not ("PS2", secondary_prompt);
     }
-  set_if_not ("PS4", "+ ");
+  /* Don't allow PS4 to be imported from the environment.
+     Specially crafted SHELLOPTS+PS4 could be used to exploit
+     bogus system(3)/popen(3) calls in setuid executables. */
+  bind_variable ("PS4", "+ ", 0);
 
   /* Don't allow IFS to be imported from the environment. */
   temp_var = bind_variable ("IFS", " \t\n", 0);

# rm /bin/bash
# cp ./bash /bin/bash
# exit
$ env -i SHELLOPTS=xtrace PS4='$(id)' ./a.out
+ /bin/date
Sun Dec 13 21:56:38 WET 2015

Thoughts?
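Review bot: the unconditional `bind_variable ("PS4", "+ ", 0)` that replaces `set_if_not ("PS4", "+ ")` changes behaviour for every bash invocation, not only the setuid case the new comment describes: a PS4 that a user exports for `bash -x` debugging is now replaced with "+ " as well. Either state that in the comment (and in the changelog), mirroring the IFS line just below, which already documents that IFS is never imported, or, if the intent is only to protect privileged callers, limit the override to shells started with an effective uid that differs from the real uid.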
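As an added example (not code from this thread, from bash, or from the a.out above), here is the application-side fix Stephane points to: a privileged program sanitizing its environment before it runs a child. The allowlist of names, the pinned PATH and the function names sanitize_env, env_lookup and free_env are assumptions of this example; SHELLOPTS, PS4, BASH_ENV, ENV and IFS are dropped simply because they are not on the allowlist.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup */
#include <stdlib.h>
#include <string.h>

/* Added example, not code from the thread or from bash. Names a
 * privileged child may inherit: an assumed policy, adjust per program. */
static const char *const allowed[] = { "HOME", "LANG", "TERM", "USER", NULL };

/* Return a NULL-terminated heap copy of envp keeping only allowlisted
 * names plus a pinned PATH; SHELLOPTS, PS4, BASH_ENV, ENV, IFS and any
 * other name not listed above are dropped. Free with free_env(). */
char **sanitize_env(char *const envp[])
{
    size_t n = 0, k = 0;
    while (envp[n]) n++;
    char **out = calloc(n + 2, sizeof *out);      /* room for PATH + NULL */
    if (!out) return NULL;
    for (size_t i = 0; i < n; i++) {
        const char *eq = strchr(envp[i], '=');
        if (!eq) continue;                         /* malformed entry: drop */
        size_t len = (size_t)(eq - envp[i]);
        for (const char *const *a = allowed; *a; a++) {
            if (strlen(*a) == len && strncmp(*a, envp[i], len) == 0) {
                out[k++] = strdup(envp[i]);
                break;
            }
        }
    }
    out[k++] = strdup("PATH=/usr/bin:/bin");       /* never trust caller's PATH */
    out[k] = NULL;
    return out;                                    /* hand to execve(), not system() */
}

/* Look up NAME in an environment array; NULL if absent. */
const char *env_lookup(char *const env[], const char *name)
{
    size_t len = strlen(name);
    for (size_t i = 0; env[i]; i++)
        if (strncmp(env[i], name, len) == 0 && env[i][len] == '=')
            return env[i] + len + 1;
    return NULL;
}

void free_env(char **env)
{
    for (size_t i = 0; env[i]; i++) free(env[i]);
    free(env);
}
```

Pass the result as envp to execve(2) with an absolute path; system(3) and popen(3) take the caller's environment as-is and cannot be handed a sanitized one.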