Groups > gnu.bash.bug > #12002

Re: SHELLOPTS=xtrace security hardening

From Stephane Chazelas <stephane.chazelas@gmail.com>
Newsgroups gnu.bash.bug
Subject Re: SHELLOPTS=xtrace security hardening
Date 2015-12-13 22:08 +0000
Message-ID <mailman.2026.1450044506.31583.bug-bash@gnu.org> (permalink)
References <20151210201649.126444eionzfsam8@webmail.alunos.dcc.fc.up.pt> <566DAFC6.4040407@case.edu>

2015-12-13 12:49:58 -0500, Chet Ramey:
[...]
> I have to tell you, if I wanted to exploit a program written this poorly,
> I wouldn't mess around with SHELLOPTS.  I'd go straight to PATH.
[...]

In the (very specific) OP's test case, he had
system("/bin/date"). Since /bin/date doesn't usually execute
other commands, PATH won't help.

SHELLOPTS+PS4 is a known way to have the shell run arbitrary
commands. Before shellshock, env /bin/date='() { cmd; }' was
another one. The fix for shellshock closed that one.

I can see why one might want to close a path to easy privilege
escalation, but IMO, the fault here is not with bash but with
setuid applications invoking other applications, let alone a
shell without sanitizing the environment.

What bash could do is document what environment variables affect
its behaviour (so setuid applications know which to sanitize),
but that's mostly already done and anyway, the proper way to
sanitize the environment is not to blacklist known troublesome
env vars (what about the unknown ones?) but to clear everything
except the ones you need (and still check and sanitize their
content).

The environment is meant to be used like that. It's meant to be
trusted. Setuid applications fail their contract if they fail to
sanitize the environment before running other applications.

-- 
Stephane
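The allowlist approach Stephane describes (clear everything, keep only what the child needs, and still check the contents of what is kept), as an added example that is not code from the thread or from bash: a privileged program builds a fresh environment for its child and runs it with execve() rather than system(), so no shell ever sees the caller's SHELLOPTS or PS4. The names clean_env(), value_is_sane(), run_clean() and the ALLOWED[] list are this example's own choices; the PATH value is a placeholder a real program would pick for itself.

```c
/* Added example: allowlist-based environment sanitizing for a setuid
 * program that has to run a child.  Not from the thread or from bash. */
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* The only variables the child may inherit (hypothetical list). */
static const char *const ALLOWED[] = { "TZ", "LANG" };
#define N_ALLOWED (sizeof ALLOWED / sizeof ALLOWED[0])

/* A kept value must still be checked: short, printable, and free of
 * characters that a downstream shell or config parser might interpret. */
static int value_is_sane(const char *v)
{
    size_t n = strlen(v);
    if (n > 256)
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)v[i];
        if (!isprint(c) || strchr("'\"`$", c))
            return 0;
    }
    return 1;
}

/* Build a NULL-terminated environment from `src` (an environ-style array):
 * a fixed PATH plus the first sane occurrence of each ALLOWED name.
 * Everything else (SHELLOPTS, PS4, LD_*, HOME, ...) is simply absent. */
char **clean_env(char *const *src)
{
    char **out = calloc(N_ALLOWED + 2, sizeof *out); /* allowed + PATH + NULL */
    size_t k = 0;
    if (!out)
        return NULL;
    out[k++] = strdup("PATH=/usr/bin:/bin"); /* placeholder fixed PATH */
    for (size_t i = 0; i < N_ALLOWED; i++) {
        size_t len = strlen(ALLOWED[i]);
        for (char *const *p = src; p && *p; p++) {
            if (strncmp(*p, ALLOWED[i], len) == 0 && (*p)[len] == '='
                && value_is_sane(*p + len + 1)) {
                out[k++] = strdup(*p);
                break; /* first occurrence wins; duplicates are dropped */
            }
        }
    }
    out[k] = NULL;
    return out;
}

void free_env(char **env)
{
    for (size_t i = 0; env && env[i]; i++)
        free(env[i]);
    free(env);
}

/* Small helpers so the result can be inspected. */
size_t env_len(char *const *env)
{
    size_t n = 0;
    while (env && env[n])
        n++;
    return n;
}

const char *env_get(char *const *env, const char *name)
{
    size_t len = strlen(name);
    for (char *const *p = env; p && *p; p++)
        if (strncmp(*p, name, len) == 0 && (*p)[len] == '=')
            return *p + len + 1;
    return NULL;
}

/* Run an absolute path with the cleaned environment.  fork/execve instead of
 * system() means no /bin/sh is started, so SHELLOPTS and PS4 never apply. */
int run_clean(const char *path, char *const argv[], char *const *src_env)
{
    char **env = clean_env(src_env);
    if (!env)
        return -1;
    pid_t pid = fork();
    if (pid == 0) {
        execve(path, argv, env);
        _exit(127);
    }
    int status = -1;
    if (pid > 0)
        waitpid(pid, &status, 0);
    free_env(env);
    return (pid > 0 && WIFEXITED(status)) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    extern char **environ;
    char *argv[] = { "date", NULL };
    return run_clean("/bin/date", argv, environ); /* the OP's case, sanitized */
}
```

The point of the shape is that nothing needs to know about SHELLOPTS, PS4 or the next variable someone discovers: an unknown name is dropped by construction, and the few names that survive are validated rather than trusted.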
