Re: Detecting invocation as /bin/sh ?
From: Alexandre Ferrieux
Subject: Re: Detecting invocation as /bin/sh ?
Date: Mon, 29 Sep 2014 16:53:42 -0700 (PDT)
User-agent: G2/1.0
On Tuesday, September 30, 2014 1:40:55 AM UTC+2, Chet Ramey wrote:
>
> > Forget about posix mode then: bash -p (privileged) offers a lean-and-mean
> > variant which pretty much satisfies anybody needing "just sh". However,
> > there is no way to store an option in a symbolic link, so all distributions
> > doing "sh -> bash" are bound to perpetuate the danger (of
> > "eval-from-the-env"). So it would seem normal for some of them to move away
> > from bash as the default sh.
>
> Are we talking about the same thing?
> Privileged mode is intended for use when bash might run setuid (a bad idea
> in any case). It affects what bash will use from the environment -- yes,
> including shell functions -- and inhibits setting the euid to the ruid.
> It doesn't have any other effect. It certainly doesn't turn off any bash
> features.
It *does* disable that embarrassing nightmare of a misfeature that is function
import:
    /* bash, variables.c (initialize_shell_variables): an environment value
       beginning with "() {" is only handed to the parser as a function body
       when privileged mode is off */
    if (privmode == 0 && ... && STREQN ("() {", string, 4))
      ...
      parse_and_execute(...)
So, from the perspective of a "just the sh, Ma'am" goal, it is a pretty good
contender. Regardless of the faith one can have in the recent patches, shunning
that 'parse_and_execute(environment)' altogether sounds orders of magnitude
safer.
-Alex
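The privileged-mode check quoted above can be observed from the outside without reading the source. The script below is an added example, not code from the post, from Chet Ramey or from the bash sources; it assumes a "bash" binary on PATH and "mktemp -d". The parent bash encodes the exported function itself with "export -f", so the script does not depend on whether that build stores it as "greet=() { ...}" (older 4.3 builds) or as "BASH_FUNC_greet%%=() { ...}" (builds with the September 2014 patches). The temporary "sh -> bash" symlink reproduces the distribution setup discussed in the thread, where nothing in the link can carry a "-p".

```shell
#!/bin/sh
# Added example (not from the bug-bash post, nor from the bash sources):
# observe from outside whether a child shell imports a function that its
# parent exported into the environment.
#
# Assumptions: a "bash" binary is on PATH, and "mktemp -d" is available.

# child_sees_function CHILD_COMMAND
# Runs a parent bash that defines and exports the function "greet", then
# execs CHILD_COMMAND (e.g. "bash", "bash -p", or the path of an
# sh -> bash symlink) with a -c script that reports whether "greet"
# exists in that child.  Prints "imported" or "not-imported".
child_sees_function() {
  child=$1
  bash -c '
    greet() { echo "hello from the environment"; }
    export -f greet
    exec '"$child"' -c "if type greet >/dev/null 2>&1; then echo imported; else echo not-imported; fi"
  '
}

# make_sh_link
# Creates DIR/sh -> bash in a fresh temporary directory, mirroring a
# distribution that ships /bin/sh as a symlink to bash, and prints the
# link's path.  A symlink cannot store an option such as -p.
make_sh_link() {
  dir=$(mktemp -d) || return 1
  ln -s "$(command -v bash)" "$dir/sh" || return 1
  printf '%s\n' "$dir/sh"
}

main() {
  printf '%-12s %s\n' 'bash'       "$(child_sees_function bash)"
  printf '%-12s %s\n' 'bash -p'    "$(child_sees_function 'bash -p')"
  link=$(make_sh_link) || exit 1
  printf '%-12s %s\n' 'sh -> bash' "$(child_sees_function "$link")"
  rm -rf "$(dirname "$link")"
}

main "$@"
```

Running it prints "imported" for a plain bash child and for bash reached through the sh symlink (bash invoked as sh enters posix mode but, as the quoted condition shows, still imports functions), and "not-imported" only for "bash -p". The third line says nothing about the real /bin/sh on the machine; it only shows what a link to bash would do.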
- Detecting invocation as /bin/sh ?, Alexandre Ferrieux, 2014/09/26
- Re: Detecting invocation as /bin/sh ?, Andreas Schwab, 2014/09/26
- Re: Detecting invocation as /bin/sh ?, Greg Wooledge, 2014/09/26
- Re: Detecting invocation as /bin/sh ?, Alexandre Ferrieux, 2014/09/26
- Re: Detecting invocation as /bin/sh ?, Chet Ramey, 2014/09/29
- Re: Detecting invocation as /bin/sh ?, Alexandre Ferrieux, 2014/09/29
- Re: Detecting invocation as /bin/sh ?, Chet Ramey, 2014/09/29
- Re: Detecting invocation as /bin/sh ?, Alexandre Ferrieux <=
- Re: Detecting invocation as /bin/sh ?, Chet Ramey, 2014/09/29
- Re: Detecting invocation as /bin/sh ?, Alexandre Ferrieux, 2014/09/30