[Linux-aus] What's the real story about Shellshock and Bash and vulnerabilities in Linux and OpenSource?

James Polley jamezpolley at gmail.com
Sun Sep 28 15:51:26 EST 2014


On Sun, Sep 28, 2014 at 1:36 PM, Russell Coker <russell at coker.com.au> wrote:

> I'd like to have command line options specifying the names of all
> functions and environment variables that may be inherited.  Bash could
> default to the current behavior but cgi-bin scripts etc could disable most
> variables etc.
>

sshd already does something similar to this - it has a whitelist of
variables and drops anything not in the whitelist.

This still means that any user with an account can execute arbitrary code
by passing along a function with a name in the whitelist - but that's a
significantly reduced attack surface, which is a good thing.


> Or just have bash check argv[0] and if its name is "sbash" just disable
> most such functionality.
>

I think you mean "rbash"? From "man bash":

RESTRICTED SHELL
       If bash is started with the name rbash, or the -r option is supplied
       at invocation, the shell becomes restricted.  A restricted shell is
       used to set up an environment more controlled than the standard
       shell.  It behaves identically to bash with the exception that the
       following are disallowed or not performed:

Sadly "Ignore all environment variables" isn't on the list, but a few
related things are:

       o      setting or unsetting the values of SHELL, PATH, ENV, or BASH_ENV
       o      importing function definitions from the shell environment at
              startup
       o      parsing the value of SHELLOPTS from the shell environment at
              startup

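
To make the two mechanisms discussed above concrete (an sshd-style allowlist of environment variables, and a restricted shell refusing to import function definitions at startup), here is an added example; it is not code from the thread, from bash or from sshd. It assumes a patched bash (4.3 with the Shellshock fixes, or anything later, which exports functions under the environment name BASH_FUNC_name%%) is on PATH. The function name "probe" and the three-variable allowlist are made up for the demo.

```shell
#!/bin/sh
# Added example, not from the original thread or from bash/sshd.
# It starts a child shell with a function handed to it through the
# environment and reports whether the child picked the function up:
#   (a) plain bash            -> imports it
#   (b) bash -r (what rbash is)-> does not import it
#   (c) bash behind an allowlist that copies only named variables,
#       the same idea as sshd's AcceptEnv filtering -> never sees it

# What `export -f probe` produces in a patched bash: the environment
# entry BASH_FUNC_probe%% whose value begins with "() {". The name
# "probe" is made up for this demo.
EXPORTED_FUNC='BASH_FUNC_probe%%=() { echo imported; }'

# Snippet the child runs. It prints "defined" if a function named probe
# exists in the child, "absent" otherwise. Deliberately no redirections:
# a restricted shell refuses output redirection, which would otherwise
# turn (b) into a false negative for the wrong reason.
PROBE='if [ "$(type -t probe)" = function ]; then echo defined; else echo absent; fi'

# child_sees_function MODE CHILD...
#   MODE  raw        the hostile variable goes straight to CHILD
#         allowlist  CHILD is started via `env -i` plus only PATH, HOME
#                    and LANG (the allowlist; assumed for the demo)
#   CHILD e.g. "bash" or "bash -r"; "-c" and the probe are appended.
# Prints "defined" or "absent".
child_sees_function() {
    mode=$1
    shift
    case $mode in
        raw)
            env "$EXPORTED_FUNC" "$@" -c "$PROBE"
            ;;
        allowlist)
            # The middle process carries BASH_FUNC_probe%%; `env -i`
            # drops it together with everything not listed here. A CGI
            # front-end would put exactly this on its exec line.
            env "$EXPORTED_FUNC" \
                env -i PATH="$PATH" HOME="${HOME-}" LANG="${LANG-}" \
                "$@" -c "$PROBE"
            ;;
        *)
            echo "usage: child_sees_function raw|allowlist cmd..." >&2
            return 2
            ;;
    esac
}

printf 'bash, raw:         %s\n' "$(child_sees_function raw bash)"
printf 'bash -r, raw:      %s\n' "$(child_sees_function raw bash -r)"
printf 'bash, allowlist:   %s\n' "$(child_sees_function allowlist bash)"
```

The restricted case shows the limit Russell was after only partially: bash -r stops function import and ignores SHELLOPTS from the environment, but every other exported variable still arrives, so the allowlist (case c) is the piece that actually shrinks what a caller can push into the child.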