Re: SHELLOPTS=xtrace security hardening
From: Chet Ramey
Subject: Re: SHELLOPTS=xtrace security hardening
Date: Tue, 15 Dec 2015 09:01:05 -0500
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:38.0) Gecko/20100101 Thunderbird/38.4.0
On 12/14/15 6:30 PM, up201407890@alunos.dcc.fc.up.pt wrote:
> Quoting "Stephane Chazelas" <stephane.chazelas@gmail.com>:
>
> I understand what you're saying.
> As much as we would like, there's no way of stopping all attack vectors by
> only hardening bash, not only that, but also taking away its useful features.
> Though I still believe PS4 shouldn't be imported from the environment.
Maybe if running with uid 0.
>> Should we also block SHELLOPTS=history
>> HISTFILE=/some/file like /proc/$pid/fd/$fd and
>> TZ=/proc/$pid/fd/$fd (like for your /bin/date command) as that
>> allows DoS on other processes (like where those fds are for
>> pipes).
>
> Mind explaining this one?
> I can't seem to write to HISTFILE in a non-interactive shell, or am I
> missing something?
You just need to enable history (set -o history). History is independent
of whether or not the shell is interactive; it's just enabled by default
in interactive shells.
--
``The lyf so short, the craft so long to lerne.'' - Chaucer
``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, ITS, CWRU chet@case.edu http://cnswww.cns.cwru.edu/~chet/
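
An added example, not part of the message above and not code from the bash project: a caller-side scrub of the variables named in this thread, with a check of the history option in a non-interactive shell. The names THREAD_VARS, inherited_vars, run_scrubbed and history_state are hypothetical; it assumes bash is installed and that env supports -u.

```sh
#!/bin/sh
# Variables named in this thread that a child shell or program picks up
# from an inherited environment.
THREAD_VARS="SHELLOPTS PS4 HISTFILE TZ"

# List which of THREAD_VARS a child process would inherit right now.
# env(1) output is used so that only exported variables are reported.
inherited_vars() {
    found=""
    for name in $THREAD_VARS; do
        if env | grep -q "^$name="; then
            found="$found $name"
        fi
    done
    printf '%s\n' "${found# }"
}

# Run a command with those variables removed from its environment.
# env -u is used instead of unset because SHELLOPTS is readonly inside
# bash and cannot be unset from within the shell itself.
run_scrubbed() {
    env -u SHELLOPTS -u PS4 -u HISTFILE -u TZ "$@"
}

# Print "on" or "off" for the history option in a non-interactive bash
# started from a scrubbed environment. An optional first argument is a
# setup command to run before the check (default: the no-op ":").
history_state() {
    if run_scrubbed bash -c "${1:-:}; shopt -qo history"; then
        echo on
    else
        echo off
    fi
}
```

A privileged wrapper would call `run_scrubbed /path/to/script` rather than invoking the script directly; an allowlist built with `env -i` is the stricter variant of the same idea.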