Re: SHELLOPTS=xtrace security hardening

[Chet Ramey]

On 12/14/15 6:30 PM, up201407890@alunos.dcc.fc.up.pt wrote:
> Quoting "Stephane Chazelas" <stephane.chazelas@gmail.com>:
> 
> I understand what you're saying.
> As much as we would like, there's no way of stopping all attack vectors by
> only hardening bash, not only that, but also taking away its useful features.
> Though I still believe PS4 shouldn't be imported from the environment.

Maybe if running with uid 0.

>> Should we also block SHELLOPTS=history
>> HISTFILE=/some/file like /proc/$pid/fd/$fd and
>> TZ=/proc/$pid/fd/$fd (like for your /bin/date command) as that
>> allows DoS on other processes (like where those fds are for
>> pipes).
> 
> Mind explaining this one?
> I can't seem to write to HISTFILE in a non-interactive shell, or am i
> missing something?

You just need to enable history (set -o history).  History is independent
of whether or not the shell is interactive; it's just enabled by default
in interactive shells.

-- 
``The lyf so short, the craft so long to lerne.'' - Chaucer
                 ``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, ITS, CWRU    chet@case.edu    http://cnswww.cns.cwru.edu/~chet/