2015-12-14 18:01:13 +0100, up201407...@alunos.dcc.fc.up.pt:
[...]
> Obviously it's always the application's fault.
> The thing is that a simple patch in bash can stop most of these
> applications from getting exploited.
[...]

Should we also stop importing BASH_ENV in case some suid application executes a bash script after having done a setuid(0)?

Should we also block SHELLOPTS=history HISTFILE=/some/file like /proc/$pid/fd/$fd and TZ=/proc/$pid/fd/$fd (like for your /bin/date command) as that allows DoS on other processes (like where those fds are for pipes)?

Shall we have bash stop importing BASHOPTS and SHELLOPTS actually as most options would affect the behaviour of bash (and sh on those systems where sh is bash) scripts called by those broken applications, or CDPATH?

Shall we have python stop importing PYTHONPATH, perl PERL5LIB as that would also allow ACE for python/perl scripts called by those broken applications?

My /bin/date is a zsh wrapper script around GNU date, should we have zsh stop using $HOME and $ZDOTDIR to look up its ~/.zshenv?

--
Stephane
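
Added example, not part of the original message or of bash: an application-side environment allowlist of the kind a privileged program can apply before it runs any interpreter, so that BASH_ENV, SHELLOPTS, HISTFILE, TZ, CDPATH, PYTHONPATH, PERL5LIB, HOME and ZDOTDIR never reach the script. The names `ALLOWED`, `SAFE_PATH` and `build_clean_env`, the allowlist contents and the sample environment are assumptions of this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical allowlist: only variables the privileged program needs. */
static const char *const ALLOWED[] = { "LANG", "TERM", NULL };
/* Set by the program itself, never inherited from the caller. */
static const char SAFE_PATH[] = "PATH=/usr/bin:/bin";

/* Return 1 if entry has the form "name=...". */
static int is_var(const char *entry, const char *name)
{
    size_t n = strlen(name);
    return strncmp(entry, name, n) == 0 && entry[n] == '=';
}

/* A '/' in a value can name a file (as with TZ=/proc/...), so reject it. */
static int value_is_plain(const char *entry)
{
    return strchr(strchr(entry, '=') + 1, '/') == NULL;
}

/* Fill out[] (capacity cap, terminator included) with a NULL-terminated clean
 * environment. Returns the entry count, or -1 if out[] is too small. */
int build_clean_env(char *const envp[], const char *out[], size_t cap)
{
    size_t n = 0;
    if (cap < 2) return -1;
    out[n++] = SAFE_PATH;
    for (size_t j = 0; ALLOWED[j] != NULL; j++) {
        for (size_t i = 0; envp != NULL && envp[i] != NULL; i++) {
            if (!is_var(envp[i], ALLOWED[j])) continue;
            if (value_is_plain(envp[i])) {
                if (n + 1 >= cap) return -1;
                out[n++] = envp[i];
            }
            break; /* first occurrence decides; duplicates are ignored */
        }
    }
    out[n] = NULL;
    return (int)n;
}

int main(void)
{
    /* Constructed sample environment. */
    char *sample[] = { "BASH_ENV=/some/file", "TZ=/some/file", "LANG=C", NULL };
    const char *clean[8];
    int n = build_clean_env(sample, clean, 8);
    for (int i = 0; i < n; i++) puts(clean[i]);
    return n < 0;
}
```

The resulting array is meant to be passed as the `envp` argument of `execve()` in place of the inherited environment.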