| From | Chet Ramey <chet.ramey@case.edu> |
|---|---|
| Newsgroups | gnu.bash.bug |
| Subject | Re: SHELLOPTS=xtrace security hardening |
| Date | 2015-12-15 09:01 -0500 |
| Message-ID | <mailman.2151.1450188082.31583.bug-bash@gnu.org> |
| References | (1 earlier) <566DAFC6.4040407@case.edu> <20151213220817.GC7138@chaz.gmail.com> <20151214180113.169546iutu72yw9k@webmail.alunos.dcc.fc.up.pt> <20151214173231.GA6524@chaz.gmail.com> <20151215003016.598611ow5f3lw4qo@webmail.alunos.dcc.fc.up.pt> |
On 12/14/15 6:30 PM, up201407890@alunos.dcc.fc.up.pt wrote:

> Quoting "Stephane Chazelas" <stephane.chazelas@gmail.com>:
>
> I understand what you're saying.
> As much as we would like, there's no way of stopping all attack vectors by
> only hardening bash, not only that, but also taking away its useful features.
> Though I still believe PS4 shouldn't be imported from the environment. Maybe if running with uid 0.
>
>> Should we also block SHELLOPTS=history
>> HISTFILE=/some/file like /proc/$pid/fd/$fd and
>> TZ=/proc/$pid/fd/$fd (like for your /bin/date command) as that
>> allows DoS on other processes (like where those fds are for
>> pipes).
>
> Mind explaining this one?
> I can't seem to write to HISTFILE in a non-interactive shell, or am I
> missing something?

You just need to enable history (set -o history). History is independent of
whether or not the shell is interactive; it's just enabled by default in
interactive shells.

-- 
``The lyf so short, the craft so long to lerne.'' - Chaucer
``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, ITS, CWRU    chet@case.edu    http://cnswww.cns.cwru.edu/~chet/
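A small check of the behaviour Chet describes, added here and not part of the thread: it runs a throwaway non-interactive bash script under a controlled environment and reports whether the script's commands ended up in the HISTFILE it was handed, once with SHELLOPTS=history inherited from the environment and once with an environment built from scratch (which is also the mitigation for a launcher that must not pass the caller's SHELLOPTS, HISTFILE or PS4 through). It assumes a `bash` binary on PATH and `mktemp`; the script content and the `probe-command-marker` string are constructed for the example.

```shell
# Run a one-line non-interactive bash script with the given extra environment
# assignments ("$@") and print "written" if the script's command was saved to
# the HISTFILE handed to it, "not-written" otherwise.
run_probe() {
    script=$(mktemp) && hist=$(mktemp) || return 1
    # Constructed sample script: a single command we can look for afterwards.
    printf 'echo probe-command-marker\n' >"$script"
    # env -i starts from an empty environment, so nothing from the caller's
    # session (HISTCONTROL, HISTIGNORE, BASH_ENV, ...) can influence the child.
    env -i PATH="$PATH" "$@" HISTFILE="$hist" \
        "$(command -v bash)" "$script" >/dev/null 2>&1
    if grep -q probe-command-marker "$hist"; then
        result=written
    else
        result=not-written
    fi
    rm -f "$script" "$hist"
    printf '%s\n' "$result"
}

# The case from the thread: SHELLOPTS=history reaches the non-interactive
# shell from its environment, history is on, and the script's command is
# appended to HISTFILE when the shell exits.
inherited_shellopts() { run_probe SHELLOPTS=history; }

# A launcher that does not pass SHELLOPTS through: history stays off in a
# non-interactive shell, so HISTFILE alone changes nothing.
scrubbed_env() { run_probe; }

printf 'SHELLOPTS=history inherited:     %s\n' "$(inherited_shellopts)"
printf 'environment built from scratch:  %s\n' "$(scrubbed_env)"
```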