bug-bash

Re: SHELLOPTS=xtrace security hardening


From: Stephane Chazelas
Subject: Re: SHELLOPTS=xtrace security hardening
Date: Mon, 14 Dec 2015 17:32:31 +0000
User-agent: Mutt/1.5.21 (2010-09-15)

2015-12-14 18:01:13 +0100, up201407890@alunos.dcc.fc.up.pt:
[...]
> Obviously it's always the application's fault.
> The thing is that a simple patch in bash can stop most of these
> applications from getting exploited.
[...]

Should we also stop importing BASH_ENV in case some suid
application executes a bash script after having done a
setuid(0)? Should we also block SHELLOPTS=history
HISTFILE=/some/file like /proc/$pid/fd/$fd and
TZ=/proc/$pid/fd/$fd (like for your /bin/date command) as that
allows DoS on other processes (like where those fds are for
pipes).

Shall we have bash stop importing BASHOPTS and SHELLOPTS
actually as most options would affect the behaviour of bash (and
sh on those systems where sh is bash) scripts called by those
broken applications, or CDPATH?

Shall we have python stop importing PYTHONPATH, perl PERL5LIB as
that would also allow ACE for python/perl scripts called by
those broken applications?

My /bin/date is a zsh wrapper script around GNU date, should we
have zsh stop using $HOME and $ZDOTDIR to lookup its ~/.zshenv?

-- 
Stephane
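The environment-inheritance problem discussed in this thread, as an added example (not code from the thread, from bash, or from any of the programs mentioned): a POSIX sh helper that reports which of the interpreter-steering variables named above are present in the calling environment, and a wrapper that runs a child under an allow-listed environment so that none of them reach it. The function names, the variable list and the constructed BASH_ENV value are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the bug-bash thread. The helper names and
# the variable list below are this example's own choices.

# Variables the thread names as steering bash, zsh, python, perl or date
# when a privileged program inherits them. HOME is deliberately left out
# because it is set in every normal environment.
RISKY_ENV_VARS="BASH_ENV SHELLOPTS BASHOPTS CDPATH HISTFILE TZ PYTHONPATH PERL5LIB ZDOTDIR"

# Print the names of risky variables exported in the caller's environment,
# space separated; prints an empty line when none are set.
risky_env_present() {
    found=""
    for name in $RISKY_ENV_VARS; do
        # `env` prints only exported variables, one NAME=VALUE per line.
        if env | grep -q "^${name}="; then
            found="$found $name"
        fi
    done
    printf '%s\n' "${found# }"
}

# Run "$@" with an environment that contains only a fixed PATH.
# `env -i` starts from an empty environment, so anything the caller
# exported (BASH_ENV, PYTHONPATH, ...) is not inherited by the child.
run_with_clean_env() {
    env -i PATH=/usr/bin:/bin "$@"
}

# Demonstration: export a constructed BASH_ENV value (the file does not
# exist), then compare what a child shell sees with and without scrubbing.
demo() {
    BASH_ENV=/nonexistent/constructed-example
    export BASH_ENV
    printf 'risky variables inherited: %s\n' "$(risky_env_present)"
    printf 'BASH_ENV seen by child without scrubbing: %s\n' \
        "$(sh -c 'printf %s "${BASH_ENV-unset}"')"
    printf 'BASH_ENV seen by child with scrubbing: %s\n' \
        "$(run_with_clean_env sh -c 'printf %s "${BASH_ENV-unset}"')"
}

demo
```

The allow-list approach is the point: rather than blocking each variable bash, python, perl or zsh happens to honour, a program that changes privilege rebuilds the environment from a known set before executing anything else.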
