From: Stephane Chazelas
Newsgroups: gnu.bash.bug
Subject: Re: SHELLOPTS=xtrace security hardening
Date: Tue, 15 Dec 2015 11:16:27 +0000
To: up201407890@alunos.dcc.fc.up.pt
Cc: bug-bash@gnu.org, Chet Ramey
In-Reply-To: <20151215003016.598611ow5f3lw4qo@webmail.alunos.dcc.fc.up.pt>
References: <20151210201649.126444eionzfsam8@webmail.alunos.dcc.fc.up.pt> <566DAFC6.4040407@case.edu> <20151213220817.GC7138@chaz.gmail.com> <20151214180113.169546iutu72yw9k@webmail.alunos.dcc.fc.up.pt> <20151214173231.GA6524@chaz.gmail.com> <20151215003016.598611ow5f3lw4qo@webmail.alunos.dcc.fc.up.pt>

2015-12-15 00:30:16 +0100, up201407890@alunos.dcc.fc.up.pt:
[...]
> > Should we also block SHELLOPTS=history
> > HISTFILE=/some/file like /proc/$pid/fd/$fd and
> > TZ=/proc/$pid/fd/$fd (like for your /bin/date command) as that
> > allows DoS on other processes (like where those fds are for
> > pipes).
>
> Mind explaining this one?
> I can't seem to write to HISTFILE in a non-interactive shell, or am
> I missing something?
[...]

I don't know if you can make a non-interactive bash write to the
$HISTFILE, but bash, even when non-interactive, even when called as
sh, with SHELLOPTS=history will *read* the HISTFILE.

And if HISTFILE is for instance a /proc/$pid/fd/$fd which identifies
the reading end of a pipe (like for instance the pipes used by sshd),
then you're going to have root read the content of that pipe under
the feet of the process that content was intended for, causing at
best a DoS.

Same for /dev/pts/x or some /dev/input/x.

Your example had the same problem with $TZ.

sudo sanitizes $TZ (http://www.sudo.ws/alerts/tz.html) and blocks
SHELLOPTS and PS4 even when env_reset is unset.

If a bash script called in that context calls "read -e", that allows
reading arbitrary files (read -e allows executing any command via
shell-expand-line anyway).

--
Stephane
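The hardening the reply describes (sudo dropping SHELLOPTS and PS4 and sanitizing TZ, or resetting the environment entirely) can be reproduced by any wrapper that launches a privileged script. The script below is an added example, not code from the thread, from bash or from sudo: it shows an allowlist variant (the child gets an empty environment plus a fixed set of variables) next to a blocklist variant that drops only the variables named in the thread. The function names, the allowlist contents and the use of `env -u` (supported by GNU and BSD env, not required by POSIX) are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from bash/sudo: two ways to keep
# behaviour-changing variables (SHELLOPTS, PS4, HISTFILE, TZ) away from a
# privileged child shell. Function names and the allowlist are assumptions.

# Variables allowed to reach the child (the idea behind sudo's env_reset).
SAFE_ENV_VARS="PATH HOME USER LOGNAME LANG TERM"

# run_allowlisted CMD [ARG...]: start CMD with an empty environment plus the
# allowlisted variables only. Runs in a subshell so the caller's environment
# and positional parameters are left untouched.
run_allowlisted() (
    for name in $SAFE_ENV_VARS; do
        # $name comes only from the fixed allowlist above, never from input.
        eval "val=\${$name-}"
        # Prepend NAME=VALUE to the argument list; the command stays last,
        # so the final call is: env -i NAME=VALUE ... CMD ARG...
        if [ -n "$val" ]; then
            set -- "$name=$val" "$@"
        fi
    done
    exec env -i "$@"
)

# scrub_dangerous CMD [ARG...]: blocklist variant, dropping only the variables
# the thread names. 'env -u' is used rather than 'unset' because bash marks
# SHELLOPTS readonly in the shell that would otherwise do the unsetting.
scrub_dangerous() {
    env -u SHELLOPTS -u PS4 -u HISTFILE -u TZ "$@"
}

# Usage: sh this_script.sh CMD [ARG...]   (nothing runs when called with no args)
if [ "$#" -gt 0 ]; then
    run_allowlisted "$@"
fi
```

The allowlist form is the one to prefer for anything that runs as root: it does not need to know every variable a future bash version may honour from the environment, whereas the blocklist only covers what is already known to be dangerous.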