bug-bash

Re: SHELLOPTS=xtrace security hardening


From: Stephane Chazelas
Subject: Re: SHELLOPTS=xtrace security hardening
Date: Tue, 15 Dec 2015 11:16:27 +0000
User-agent: Mutt/1.5.21 (2010-09-15)

2015-12-15 00:30:16 +0100, up201407890@alunos.dcc.fc.up.pt:
[...]
> >Should we also block SHELLOPTS=history
> >HISTFILE=/some/file like /proc/$pid/fd/$fd and
> >TZ=/proc/$pid/fd/$fd (like for your /bin/date command) as that
> >allows DoS on other processes (like where those fds are for
> >pipes).
> 
> Mind explaining this one?
> I can't seem to write to HISTFILE in a non-interactive shell, or am
> i missing something?
[...]

I don't know if you can make a non-interactive bash write to the
$HISTFILE, but bash, even when non-interactive, even when called
as sh, with SHELLOPTS=history will *read* the HISTFILE.

And if HISTFILE is for instance a /proc/$pid/fd/$fd which
identifies the reading end of a pipe (like for instance the
pipes used by sshd), then you're going to have root read the
content of that pipe under the feet of the process that content
was intended for, causing at best a DoS. Same for /dev/pts/x or
some /dev/input/x. Your example had the same problem with $TZ.

sudo sanitizes $TZ (http://www.sudo.ws/alerts/tz.html) and
blocks SHELLOPTS and PS4 even when env_reset is unset.

If a bash script called in that context calls "read -e", that
allows reading arbitrary files (read -e allows executing any
command via shell-expand-line anyway).

-- 
Stephane

