[Linux-aus] What's the real story about Shellshock and Bash and vulnerabilities in Linux and OpenSource?
Brendan O'Dea
bod at debian.org
Sun Sep 28 15:44:19 EST 2014
On 28 September 2014 13:36, Russell Coker <russell at coker.com.au> wrote:
> I'd like to have command line options specifying the names of all functions and environment variables that may be inherited. Bash could default to the current behavior but cgi-bin scripts etc could disable most variables etc.
>
> Or just have bash check argv[0] and if its name is "sbash" just disable most such functionality.
bash appears to already have an option to suppress the loading of functions.
% env F='() { echo function; }' bash -c F
function
% env F='() { echo function; }' bash -p -c F
bash: F: command not found
They are also not loaded when running as bash -r (or rbash), or when setuid.
One of the issues which was raised was the problem with programs
invoking other programs via system or popen, but note that both of
these use /bin/sh rather than bash particularly, so it would seem
wise for systems to use something simpler such as dash for that task.
--bod
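
An added example, not part of the original message: a check of which shell invocations on a host pick up exported bash functions, covering the options mentioned above plus /bin/sh, which system and popen use. It assumes bash is installed; the probe function gr_probe and the helper names are illustrative, and patched bash versions pass functions under a BASH_FUNC_ prefix, so the probe is exported with `export -f` rather than with the `env F='() { ... }'` form shown in the message.

```shell
# Returns 0 if a shell started as "$@" inherits a function exported by a
# bash parent, non-zero otherwise. gr_probe is a harmless no-op probe.
inherits_functions() {
    bash -c 'gr_probe() { :; }; export -f gr_probe
             "$@" -c "type gr_probe" >/dev/null 2>&1' _ "$@"
}

# Print one line per candidate invocation. The list is illustrative.
report() {
    for candidate in "bash" "bash -p" "bash -r" "/bin/sh" "dash"; do
        # Intentional word splitting: "bash -p" becomes two arguments.
        set -- $candidate
        if ! command -v "$1" >/dev/null 2>&1; then
            result="not installed"
        elif inherits_functions "$@"; then
            result="imports exported functions"
        else
            result="ignores exported functions"
        fi
        printf '%-8s %s\n' "$candidate" "$result"
    done
}

report
```

If the /bin/sh line reports that functions are imported, then /bin/sh on that host is bash, and every system or popen call goes through it.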