<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Sun, Sep 28, 2014 at 1:36 PM, Russell Coker <span dir="ltr"><<a href="mailto:russell@coker.com.au" target="_blank">russell@coker.com.au</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">I'd like to have command line options specifying the names of all functions and environment variables that may be inherited. Bash could default to the current behavior but cgi-bin scripts etc could disable most variables etc.<br></blockquote><div><br></div><div>sshd already does something similar to this - it has a whitelist of variables and drops anything not in the whitelist.<br><br>This still means that any user with an account can execute arbitrary code by passing a long a function with a name in the whitelist - but that's a significantly reduced attack surface, which is a good thing.</div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<br>
Or just have bash check argv [0] and if it's name is "sbash" just disable most such functionality.<br></blockquote><div><br></div><div>I think you mean "rbash"? From "man bash":</div><div><br></div><div>RESTRICTED SHELL</div><div> If bash is started with the name rbash, or the -r option is supplied at invocation, the shell becomes</div><div> restricted. A restricted shell is used to set up an environment more controlled than the standard </div><div> shell. It behaves identically to bash with the exception that the following are disallowed</div><div> or not performed: </div><div><br></div><div>Sadly "Ignore all environment variables" isn't on the list, but a few related things are:<br><br> o setting or unsetting the values of SHELL, PATH, ENV, or BASH_ENV</div><div><div> o importing function definitions from the shell environment at startup</div><div> o parsing the value of SHELLOPTS from the shell environment at startup</div></div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<span class=""><font color="#888888">--<br>
Sent from my Samsung Galaxy Note 2 with K-9 Mail.<br>
</font></span><div class=""><div class="h5"><br>
_______________________________________________<br>
linux-aus mailing list<br>
<a href="mailto:linux-aus@lists.linux.org.au">linux-aus@lists.linux.org.au</a><br>
<a href="http://lists.linux.org.au/listinfo/linux-aus" target="_blank">http://lists.linux.org.au/listinfo/linux-aus</a><br>
</div></div></blockquote></div><br></div></div>