

Groups > gnu.bash.bug > #12015

Re: SHELLOPTS=xtrace security hardening

From up201407890@alunos.dcc.fc.up.pt
Newsgroups gnu.bash.bug
Subject Re: SHELLOPTS=xtrace security hardening
Date 2015-12-15 00:30 +0100
Message-ID <mailman.2115.1450135831.31583.bug-bash@gnu.org> (permalink)
References <20151210201649.126444eionzfsam8@webmail.alunos.dcc.fc.up.pt> <566DAFC6.4040407@case.edu> <20151213220817.GC7138@chaz.gmail.com> <20151214180113.169546iutu72yw9k@webmail.alunos.dcc.fc.up.pt> <20151214173231.GA6524@chaz.gmail.com>



Quoting "Stephane Chazelas" <stephane.chazelas@gmail.com>:

I understand what you're saying.
As much as we would like, there's no way of stopping all attack vectors by only hardening bash, not only that, but also taking away its useful features.
Though I still believe PS4 shouldn't be imported from the environment.

> Should we also block SHELLOPTS=history
> HISTFILE=/some/file like /proc/$pid/fd/$fd and
> TZ=/proc/$pid/fd/$fd (like for your /bin/date command) as that
> allows DoS on other processes (like where those fds are for
> pipes).

Mind explaining this one?
I can't seem to write to HISTFILE in a non-interactive shell, or am I missing something?

Thanks.


----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.

