Path: csiph.com!optima2.xanadu-bbs.net!xanadu-bbs.net!news.glorb.com!usenet.stanford.edu!not-for-mail
From: konsolebox <konsolebox@gmail.com>
Newsgroups: gnu.bash.bug
Subject: Re: [PATCH/RFC] do not source/exec scripts on noexec mount points
Date: Tue, 15 Dec 2015 06:47:55 +0800
Lines: 77
Approved: bug-bash@gnu.org
Message-ID: <mailman.2112.1450133280.31583.bug-bash@gnu.org>
References: <1449954086-30408-1-git-send-email-vapier@gentoo.org> <CAJnmqwZcZOTjXAVJO7vixSEQf2eEUuZocBzMKdpK08zAphzbLQ@mail.gmail.com> <20151214051712.GS11489@vapier.lan>
NNTP-Posting-Host: lists.gnu.org
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8
X-Trace: usenet.stanford.edu 1450133280 29060 208.118.235.17 (14 Dec 2015 22:48:00 GMT)
X-Complaints-To: action@cs.stanford.edu
To: konsolebox <konsolebox@gmail.com>, bug-bash <bug-bash@gnu.org>
Envelope-to: bug-bash@gnu.org
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; bh=ryIgPGtP6Szs8xU5/x1oBvTx61Q5IihamXMu0OLntdU=; b=BUY92HQG0+0SayLaMx4/OFUE5otf3de5aj3iu8VDKrpBX0/u+M65zaVY6367JxNWe5 xZa9rk9tnxntBhrbqmsdwhe1qwMplos7WZhRrcRZkOxHmdtbkx0z3OsuBJgwkyrnw0Um z72U1enACCGrT8uj2Ki4z4j9TZtmREvf9Y7e9Iy1cr6UzMua0OyQaeF32w3D9qeKc+er ZHLLA7F+lrvo8qFoyMDJ4Om72AYQCfNUm3Zq6K9uRgRuQZYZ3mp+vUwDacxlcMFK+7bD T1mexMx+/NRUhO8kf33RJdhOZadkIHxeIpy64nAGxj+CyCM77ZC+akbYv/bISXXqM9Lm Ro0g==
X-Received: by 10.28.3.131 with SMTP id 125mr660017wmd.64.1450133276004; Mon, 14 Dec 2015 14:47:56 -0800 (PST)
In-Reply-To: <20151214051712.GS11489@vapier.lan>
X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic]
X-Received-From: 2a00:1450:400c:c09::230
X-BeenThere: bug-bash@gnu.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: Bug reports for the GNU Bourne Again SHell <bug-bash.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/bug-bash>, <mailto:bug-bash-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/bug-bash>
List-Post: <mailto:bug-bash@gnu.org>
List-Help: <mailto:bug-bash-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/bug-bash>, <mailto:bug-bash-request@gnu.org?subject=subscribe>
Xref: csiph.com gnu.bash.bug:12014

t On Mon, Dec 14, 2015 at 1:17 PM, Mike Frysinger <vapier@gentoo.org> wrote:
> On 13 Dec 2015 16:50, konsolebox wrote:
>> On Sun, Dec 13, 2015 at 5:01 AM, Mike Frysinger wrote:
>> > Today, if you have a script that lives on a noexec mount point, the
>> > kernel will reject attempts to run it directly:
>> >   $ printf '#!/bin/sh\necho hi\n' > /dev/shm/test.sh
>> >   $ chmod a+rx /dev/shm/test.sh
>> >   $ /dev/shm/test.sh
>> >   bash: /dev/shm/test.sh: Permission denied
>> >
>> > But bash itself has no problem running this file:
>> >   $ bash /dev/shm/test.sh
>> >   hi
>> > Or with letting other scripts run this file:
>> >   $ bash -c '. /dev/shm/test.sh'
>> >   hi
>> > Or with reading the script from stdin:
>> >   $ bash </dev/shm/test.sh
>> >   hi
>> >
>> > This detracts from the security of the overall system.  People writing
>> > scripts sometimes want to save/restore state (s) and will
>> > restore the content from a noexec point using the aforementioned source
>> > command without realizing that it executes code too.  Of course their
>> > code is wrong, but it would be nice if the system would catch & reject
>> > it explicitly to stave of inadvertent usage.
>> >
>> > This is not a perfect solution as it can still be worked around by
>> > inlining the code itself:
>> >   $ bash -c "$(cat /dev/shm/test.sh)"
>> >   hi
>> >
>> > But this makes things a bit harder for malicious attackers (depending
>> > how exactly they've managed to escalate), but it also helps developers
>> > from getting it wrong in the first place.
>>
>> Application-level based security on an environment where people using
>> the application has direct control over the environment for me is not
>> so sensible, and is a dirty hack.  A shell is also not meant for that.
>> If you want such feature perhaps you should add it on a restricted
>> shell, granting it really makes sense adding it.  But forcing that
>> feature to be default on every user (like me who doesn't want its
>> inconsistency) is wrong.  A shell reads and executes and is something
>> not in the scope of `noexec`, not in the scope of kernel-land
>> security, so we have to deal with it.
>
> (1) the examples i already provided do not involve the user at all, and
>     include systems where the user has no direct access to the shell.

And the one that made the code execute remotely through for example an
exploit is not a user? Also consider use of `source` or `eval` may it
be in a subshell or not.

eval "$(cat /path/script.sh)"
source <(cat /path/script.sh)

> (2) choice over runtime functionality is by the sysadmin, not the user.

Doesn't matter to me. And I'm referring to the real user or the
person, and not the account. I don't want an inconsistent
functionality running in my bash whether I'm using a privileged
account or not.

> (3) i disagree over the scope of noexec.  i think this is in-scope.

Being a little forgiving, I could say that scripts with #! headers
-perhaps- are still in the scope of `noexec` since they are respected
by the kernel as executables, even though they are not real
instructions running within the processor's transistors themselves
(they are just read and -virtually- executed where the shell acts on
behalf of them), but how about those scripts without #! headers?
Clearly they're no longer -executables-.  And clearly you're just
wanting bash to restrict things based on the conceptual purpose of
`noexec`, even though it is not exactly or strictly in the scope of
`noexec`.  I'm a purist and I don't like that, and I don't want to
have that inconsistency in default bash.