
Re: SHELLOPTS=xtrace security hardening

Path csiph.com!xmission!news.glorb.com!usenet.stanford.edu!not-for-mail
From Chet Ramey <chet.ramey@case.edu>
Newsgroups gnu.bash.bug
Subject Re: SHELLOPTS=xtrace security hardening
Date Tue, 15 Dec 2015 09:01:05 -0500
Lines 29
Approved bug-bash@gnu.org
Message-ID <mailman.2151.1450188082.31583.bug-bash@gnu.org> (permalink)
References <20151210201649.126444eionzfsam8@webmail.alunos.dcc.fc.up.pt> <566DAFC6.4040407@case.edu> <20151213220817.GC7138@chaz.gmail.com> <20151214180113.169546iutu72yw9k@webmail.alunos.dcc.fc.up.pt> <20151214173231.GA6524@chaz.gmail.com> <20151215003016.598611ow5f3lw4qo@webmail.alunos.dcc.fc.up.pt>
Reply-To chet.ramey@case.edu
NNTP-Posting-Host lists.gnu.org
Mime-Version 1.0
Content-Type text/plain; charset=utf-8
Content-Transfer-Encoding 7bit
X-Trace usenet.stanford.edu 1450188082 27599 208.118.235.17 (15 Dec 2015 14:01:22 GMT)
X-Complaints-To action@cs.stanford.edu
Cc bug-bash@gnu.org, chet.ramey@case.edu
To up201407890@alunos.dcc.fc.up.pt, Stephane Chazelas <stephane.chazelas@gmail.com>
Envelope-to bug-bash@gnu.org
User-Agent Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:38.0) Gecko/20100101 Thunderbird/38.4.0
In-Reply-To <20151215003016.598611ow5f3lw4qo@webmail.alunos.dcc.fc.up.pt>
X-Mirapoint-Virus-RAPID-Raw score=unknown(0), refid=str=0001.0A020202.56701D22.0224, ss=1, re=0.000, recu=0.000, reip=0.000, cl=1, cld=1, fgs=0, ip=0.0.0.0, so=2015-08-12 04:07:17, dmn=2013-03-21 17:37:32
X-Mirapoint-Loop-Id 8b2b8409a0c3d95f9ae82e1c165e9db3
X-Junkmail-Whitelist YES (by domain whitelist at mpv1-2015.case.edu)
X-Mirapoint-Virus-RAPID-Raw score=unknown(0), refid=str=0001.0A020206.56701D22.0342,ss=1,re=0.000,fgs=0, ip=0.0.0.0, so=2015-08-12 04:07:17, dmn=2011-05-27 18:58:46
X-Mirapoint-Loop-Id fffd45d70d96a5c41f4b60fd543004a5
X-detected-operating-system by eggs.gnu.org: GNU/Linux 2.4.x-2.6.x [generic] [fuzzy]
X-Received-From 129.22.103.226
X-BeenThere bug-bash@gnu.org
X-Mailman-Version 2.1.14
Precedence list
List-Id Bug reports for the GNU Bourne Again SHell <bug-bash.gnu.org>
List-Unsubscribe <https://lists.gnu.org/mailman/options/bug-bash>, <mailto:bug-bash-request@gnu.org?subject=unsubscribe>
List-Archive <http://lists.gnu.org/archive/html/bug-bash>
List-Post <mailto:bug-bash@gnu.org>
List-Help <mailto:bug-bash-request@gnu.org?subject=help>
List-Subscribe <https://lists.gnu.org/mailman/listinfo/bug-bash>, <mailto:bug-bash-request@gnu.org?subject=subscribe>
Xref csiph.com gnu.bash.bug:12019



On 12/14/15 6:30 PM, up201407890@alunos.dcc.fc.up.pt wrote:
> Quoting "Stephane Chazelas" <stephane.chazelas@gmail.com>:
> 
> I understand what you're saying.
> As much as we would like, there's no way of stopping all attack vectors by
> only hardening bash, not only that, but also taking away its useful features.
> Though I still believe PS4 shouldn't be imported from the environment.

Maybe if running with uid 0.

>> Should we also block SHELLOPTS=history
>> HISTFILE=/some/file like /proc/$pid/fd/$fd and
>> TZ=/proc/$pid/fd/$fd (like for your /bin/date command) as that
>> allows DoS on other processes (like where those fds are for
>> pipes).
> 
> Mind explaining this one?
> I can't seem to write to HISTFILE in a non-interactive shell, or am I
> missing something?

You just need to enable history (set -o history).  History is independent
of whether or not the shell is interactive; it's just enabled by default
in interactive shells.

-- 
``The lyf so short, the craft so long to lerne.'' - Chaucer
		 ``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, ITS, CWRU    chet@case.edu    http://cnswww.cns.cwru.edu/~chet/
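The behaviour Chet describes above, shown as an added example (this is not part of the original message and not bash's own code): a small POSIX sh driver runs a short non-interactive bash script under env -i, hands it a fresh HISTFILE, and counts the lines bash appends to that file when it exits. It assumes bash, env -i and mktemp are on PATH; the child scripts and the helper names (hist_lines, case_*) are constructed for this illustration.

```shell
#!/bin/sh
# Added example: does a non-interactive bash write to HISTFILE?
# Assumes bash, env -i and mktemp are available on PATH.

# hist_lines ENV_ASSIGNMENTS SCRIPT_BODY
#   ENV_ASSIGNMENTS: extra NAME=value words for the child's environment
#                    (may be empty), e.g. "SHELLOPTS=history"
#   SCRIPT_BODY:     text of the child script (no shebang needed)
# Prints the number of lines the child appended to its HISTFILE.
hist_lines() {
    _hf=$(mktemp) || return 1
    _script=$(mktemp) || return 1
    printf '%s\n' "$2" > "$_script"
    # env -i starts from an empty environment, so only PATH, HISTFILE
    # and whatever $1 carries reach the child.  The child is a plain
    # script run by bash: not interactive, no terminal, no rc files.
    env -i PATH="$PATH" HISTFILE="$_hf" $1 bash "$_script" >/dev/null 2>&1
    wc -l < "$_hf" | tr -d ' '
    rm -f "$_hf" "$_script"
}

# Constructed child scripts.  Lines are single commands so each one
# becomes one history entry once history is on.
PLAIN='echo first
echo second'

# Chet's point: set -o history turns history on in a non-interactive
# shell; the lines read after it are recorded and saved at exit.
SELF_ENABLED='set -o history
echo first
echo second'

# Defensive counterpart: a script that must not be made to write to an
# inherited HISTFILE switches history off before doing anything else.
HARDENED='set +o history
echo first
echo second'

# Named cases so the results can be checked individually.
case_default()       { hist_lines ""                  "$PLAIN"; }        # 0 lines
case_env_shellopts() { hist_lines "SHELLOPTS=history" "$PLAIN"; }        # 2 lines
case_set_o_history() { hist_lines ""                  "$SELF_ENABLED"; } # 2 lines
case_hardened()      { hist_lines "SHELLOPTS=history" "$HARDENED"; }     # 0 lines

printf 'no history requested:             %s line(s)\n' "$(case_default)"
printf 'SHELLOPTS=history in environment: %s line(s)\n' "$(case_env_shellopts)"
printf 'set -o history inside the script: %s line(s)\n' "$(case_set_o_history)"
printf 'set +o history first (hardened):  %s line(s)\n' "$(case_hardened)"
```

Without history the file stays empty. With SHELLOPTS=history inherited from the environment, or with set -o history in the script itself, bash records every line it reads after history is enabled and appends them to HISTFILE on exit, interactive or not; that write to a caller-chosen path is what the quoted HISTFILE=/proc/$pid/fd/$fd concern is about. A script that disables history on its first line keeps the write from happening regardless of what the environment asked for.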
