2015-12-15 00:30:16 +0100, up201407...@alunos.dcc.fc.up.pt:
[...]
> >Should we also block SHELLOPTS=history
> >HISTFILE=/some/file like /proc/$pid/fd/$fd and
> >TZ=/proc/$pid/fd/$fd (like for your /bin/date command) as that
> >allows DoS on other processes (like where those fds are for
> >pipes).
>
> Mind explaining this one?
> I can't seem to write to HISTFILE in a non-interactive shell, or am
> I missing something?
[...]
I don't know if you can make a non-interactive bash write to the
$HISTFILE, but bash, even when non-interactive, even when called as
sh, with SHELLOPTS=history will *read* the HISTFILE.

And if HISTFILE is for instance a /proc/$pid/fd/$fd which identifies
the reading end of a pipe (like for instance the pipes used by sshd),
then you're going to have root read the content of that pipe from
under the feet of the process that content was intended for, causing
at best a DoS. Same for /dev/pts/x or some /dev/input/x.

Your example had the same problem with $TZ. sudo sanitizes $TZ
(http://www.sudo.ws/alerts/tz.html) and blocks SHELLOPTS and PS4 even
when env_reset is unset.

If a bash script called in that context calls "read -e", that allows
reading arbitrary files (read -e allows executing any command via
shell-expand-line anyway).

--
Stephane
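The sanitising discussed above (drop SHELLOPTS and PS4 as sudo does, check TZ, and the proposed check on HISTFILE), as an added example that is not code from this thread, from sudo or from bash. It is a POSIX sh environment filter for a wrapper that runs scripts as root without env_reset. The TZ rules are modelled on the ones described in the sudo alert linked above and are an assumption about that behaviour, not sudo's source; the zoneinfo directory, the 4096-byte length cap, the sample environment and the constructed history file are all made up for the example. The last function is a manual check of the claim that a non-interactive bash honours SHELLOPTS=history at startup: it prints how many HISTFILE lines such a bash lists with `history`, which depends on the bash build being tested.

```sh
#!/bin/sh
# Added example, not code from the thread, from sudo or from bash: an
# environment filter for a wrapper that runs shell scripts as root with
# env_reset disabled. SHELLOPTS and PS4 are dropped outright (bash honours
# both in non-interactive shells), TZ is kept only if it passes rules
# modelled on sudo's TZ sanitising (an assumption, not sudo's source), and
# HISTFILE is kept only if it names a regular file, so /proc/$pid/fd/N
# pipes, /dev/pts/N and /dev/input/N are refused.

ZONEINFO=/usr/share/zoneinfo        # assumed zoneinfo directory
TZ_MAX=4096                         # assumed PATH_MAX

# tz_is_sane VALUE -> 0 if VALUE is acceptable as TZ, 1 otherwise
tz_is_sane() {
    tz=${1#:}                                   # tzcode treats a leading ':' as "a path follows"
    case $tz in
        "$ZONEINFO"/*) ;;                       # absolute path inside the zoneinfo dir: allowed
        /*)            return 1 ;;              # any other absolute path (/proc/..., /dev/...) is refused
    esac
    case $tz in
        *[![:graph:]]*) return 1 ;;             # printable, non-space characters only
    esac
    case "/$tz/" in
        */../*) return 1 ;;                     # no '..' path element
    esac
    [ "${#tz}" -lt "$TZ_MAX" ]                  # refuse over-long values
}

# histfile_is_safe VALUE -> 0 if VALUE may stay in the environment as HISTFILE.
# A path that does not exist is harmless (bash only reads an existing file);
# an existing path must be a regular file after following symlinks.
histfile_is_safe() {
    [ ! -e "$1" ] || [ -f "$1" ]
}

# keep_var NAME VALUE -> 0 if the variable may be passed through to the root shell
keep_var() {
    case $1 in
        SHELLOPTS|PS4) return 1 ;;              # sudo drops these even with env_reset off
        TZ)            tz_is_sane "$2" ;;
        HISTFILE)      histfile_is_safe "$2" ;;
        *)             return 0 ;;
    esac
}

# filter_env: read NAME=VALUE lines on stdin, print those that pass keep_var
filter_env() {
    while IFS= read -r line; do
        case $line in *=*) ;; *) continue ;; esac
        if keep_var "${line%%=*}" "${line#*=}"; then
            printf '%s\n' "$line"
        fi
    done
}

# histfile_lines_seen_by_bash: count the lines a non-interactive bash lists
# with `history` when SHELLOPTS=history and HISTFILE come from the environment.
# env(1) is used because bash refuses a direct assignment to SHELLOPTS.
histfile_lines_seen_by_bash() {
    command -v bash >/dev/null 2>&1 || { echo 0; return 0; }
    f=$(mktemp) || return 1
    printf 'ls /\nid\n' >"$f"                   # constructed history file, two entries
    env SHELLOPTS=history HISTFILE="$f" bash -c 'history' | wc -l
    rm -f "$f"
}

# Constructed sample environment (not captured from a real system):
# only PATH and LANG survive the filter.
sample_env='PATH=/usr/bin:/bin
LANG=C.UTF-8
TZ=/dev/pts/0
SHELLOPTS=history
PS4=$(id >/tmp/pwned)
HISTFILE=/dev/null'
printf '%s\n' "$sample_env" | filter_env
histfile_lines_seen_by_bash
```

The HISTFILE test is a time-of-check/time-of-use check on a path the caller controls, so a wrapper that can afford it should drop HISTFILE altogether and, like sudo's env_reset, pass an allowlist rather than filter a blocklist.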