[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] bash: add socket server support

From: Mike Frysinger
Subject: Re: [PATCH] bash: add socket server support
Date: Wed, 27 Nov 2013 02:37:02 -0500
User-agent: KMail/1.13.7 (Linux/3.12.1; KDE/4.6.5; x86_64; ; )

On Thursday 14 November 2013 00:50:33 Piotr Grzybowski wrote:
>  I can think of an attack, just provide me with ip address of the host
> :) and a root account password and login :)
>  I agree that most systems have other abilities to do the (almost)
> same, but yet, all systems (that is to say many more than have nc)
> have bash, and while roots on those will expect netcat to be able to
> open listen sockets they do not necessarily expect bash to do the
> same.
>  My main point is: this patch means that every user that has access to
> who-knows-how restricted shell can open listen sockets, and unless
> someone thought of using grsecurity to deny access to bind(2) it is
> unrestricted.

as Joel said, the functionality he is adding does not impact the attack vector 
at all.  bash already has networking functionality built into it.

>  This feature should at least be switchable, or otherwise restricted.

it already is via a configure flag: --disable-net-redirections

Attachment: signature.asc
Description: This is a digitally signed message part.

reply via email to

[Prev in Thread] Current Thread [Next in Thread]