Re: SHELLOPTS=xtrace security hardening
From: Chet Ramey
Subject: Re: SHELLOPTS=xtrace security hardening
Date: Sun, 13 Dec 2015 12:49:58 -0500
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:38.0) Gecko/20100101 Thunderbird/38.4.0
On 12/10/15 2:16 PM, up201407890@alunos.dcc.fc.up.pt wrote:
> Hello,
>
> This is a suggestion for a bash security hardening patch which prevents
> xtrace from being initialized to the SHELLOPTS environment variable when a
> new shell starts.
This is far too drastic a solution to the problem you have posed.
> xtrace can be used to exploit bogus system()/popen() calls on setuid
> binaries via a specially crafted PS4 environment variable leading to
> privilege escalation, like so:
I don't really see privilege escalation here. Your setuid root program
sets the real and effective UIDs to 0 and calls system(). There is no
way to distinguish this as the result of running a setuid program, and
any privilege escalation takes place before system() runs.
I have to tell you, if I wanted to exploit a program written this poorly,
I wouldn't mess around with SHELLOPTS. I'd go straight to PATH.
This isn't a good reason to take xtrace out of $SHELLOPTS unconditionally.
It's not even a good enough reason to ignore SHELLOPTS if the shell is
running as uid 0.
--
``The lyf so short, the craft so long to lerne.'' - Chaucer
``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, ITS, CWRU chet@case.edu http://cnswww.cns.cwru.edu/~chet/
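The point Chet makes is that a setuid program must not hand its inherited environment to a shell at all; sanitising one variable is beside the point when PATH, SHELLOPTS and PS4 are all attacker-controlled. The following is an added example (not code from this thread or from bash) of the defensive side: build a fresh, allow-listed environment for the child and pass it to execve() instead of calling system(). The allow-list, the fixed PATH and the function names are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>

/* Constructed allow-list: only these names reach the child. SHELLOPTS,
 * BASHOPTS and PS4 are deliberately not listed, so a bash started by the
 * child cannot pick up xtrace (or a trace prompt) from our environment. */
static const char *const allowed[] = { "HOME", "LANG", "TERM", NULL };

/* Value of 'name' in a NULL-terminated "NAME=value" vector, or NULL. */
const char *env_get(char *const *env, const char *name) {
    size_t len = strlen(name);
    for (size_t i = 0; env[i]; i++)
        if (strncmp(env[i], name, len) == 0 && env[i][len] == '=')
            return env[i] + len + 1;
    return NULL;
}

/* Copy only allow-listed entries of 'env' and append a fixed PATH.
 * Returns a heap-allocated, NULL-terminated vector (free with free_env),
 * or NULL on allocation failure. Entries without '=' are dropped. */
char **sanitized_env(char *const *env) {
    size_t n = 0, k = 0;
    while (env[n]) n++;
    char **out = calloc(n + 2, sizeof *out);      /* room for PATH + NULL */
    if (!out) return NULL;
    for (size_t i = 0; i < n; i++) {
        const char *eq = strchr(env[i], '=');
        if (!eq) continue;
        for (const char *const *a = allowed; *a; a++)
            if (strlen(*a) == (size_t)(eq - env[i]) &&
                strncmp(*a, env[i], strlen(*a)) == 0) {
                out[k++] = strdup(env[i]);
                break;
            }
    }
    out[k++] = strdup("PATH=/usr/bin:/bin");          /* never inherited */
    out[k] = NULL;
    return out;
}

void free_env(char **env) {
    for (size_t i = 0; env[i]; i++) free(env[i]);
    free(env);
}
```

Pass the returned vector as the envp argument of execve() (or posix_spawn); system() and popen() always give /bin/sh the caller's own environ, which is exactly what the quoted report relies on.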