bug-bash
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: SHELLOPTS=xtrace security hardening

From: Chet Ramey
Subject: Re: SHELLOPTS=xtrace security hardening
Date: Sun, 13 Dec 2015 12:49:58 -0500
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:38.0) Gecko/20100101 Thunderbird/38.4.0 
On 12/10/15 2:16 PM, up201407890@alunos.dcc.fc.up.pt wrote:
> Hello,
> 
> This is a suggestion for a bash security hardening patch which prevents
> xtrace from being initialized to the SHELLOPTS environment variable when a
> new shell starts.

This is far too drastic a solution to the problem you have posed.

> xtrace can be used to exploit bogus system()/popen() calls on setuid
> binaries via a specially crafted PS4 environment variable leading to
> privilege escalation, like so:

I don't really see privilege escalation here.  Your setuid root program
sets the real and effective UIDs to 0 and calls system().  There is no
way to distinguish this as the result of running a setuid program, and
any privilege escalation takes place before system() runs.

I have to tell you, if I wanted to exploit a program written this poorly,
I wouldn't mess around with SHELLOPTS.  I'd go straight to PATH.

This isn't a good reason to take xtrace out of $SHELLOPTS unconditionally.
It's not even a good enough reason to ignore SHELLOPTS if the shell is
running as uid 0.

-- 
``The lyf so short, the craft so long to lerne.'' - Chaucer
                 ``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, ITS, CWRU    chet@case.edu    http://cnswww.cns.cwru.edu/~chet/
reply via email to
[Prev in Thread] Current Thread [Next in Thread]