On 4/30/20 2:22 PM, Diffie wrote:
> Bash Version: 5.0
> Patch Level: 11
> Release Status: release
>
> *Description:*
> It is possible to write/append arbitrary content to files from a restricted
> bash shell (with the privileges of the current user context) by tweaking the
> HISTFILE variable, or by specifying a filename to "history -[a][w]". This
> does not necessarily lead to a restriction bypass in all configurations, but
> does in a few that come to mind:
>
> * If the user can write to their home directory they can append arbitrary
> code to .bashrc/other shell files. These shell files will execute the code
> without restrictions on subsequent runs of rbash (assuming rbash is not being
> run in posix mode, and that --norc is not being passed)
> * If the user is root they can trivially get an unrestricted shell by
> modifying /etc/passwd, etc.
> * If the cwd contains an executable script that the user can write to, they
> can append to the script with arbitrary code, then invoke this code from
> rbash: "hash -p executable_script mal_command ; mal_command" (this could be
> possible with an executable binary too, although would be a little more
> complex)
> * SSH authorized keys, various other configs.

These all fall under the category of "poorly configured restricted shell."
But it's not a bad idea to restrict history -arnw and make HISTFILE readonly.

Thanks for the report.

Chet

--
``The lyf so short, the craft so long to lerne.'' - Chaucer
``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRU c...@case.edu http://tiswww.cwru.edu/~chet/
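
The home-directory and authorized-keys preconditions listed in the report can be checked from the administrator's side. The script below is an added example, not code from either message: it audits a restricted account's home directory by mode bits and ownership. The file list, the function names and the constructed fixture are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. The file list is an assumption.
SENSITIVE=".bashrc .bash_profile .bash_login .profile .ssh/authorized_keys"

# user_can_write UID PATH: exit 0 if the mode bits let UID write PATH.
# Reads `ls -ldn` rather than `test -w`, which describes the caller (and is
# always true for root), not the audited account. Group write is not checked.
user_can_write() {
    info=$(ls -ldn "$2" 2>/dev/null | awk '{print $1 ":" $3}')
    [ -n "$info" ] || return 1                      # missing or unreadable
    mode=${info%%:*}; owner=${info##*:}
    case "$mode" in ????????w*) return 0 ;; esac    # world-writable
    [ "$owner" = "$1" ] || return 1
    case "$mode" in ??w*) return 0 ;; *) return 1 ;; esac   # owner-writable
}

# audit_rbash_home UID HOME: one finding per line; exit status 1 if any.
audit_rbash_home() {
    uid=$1; home=$2; found=0
    for rel in $SENSITIVE; do
        path="$home/$rel"
        if [ -e "$path" ]; then
            if user_can_write "$uid" "$path"; then
                echo "WRITABLE $rel"; found=1
            fi
        elif user_can_write "$uid" "$(dirname "$path")"; then
            echo "CREATABLE $rel"; found=1   # absent, but its directory is writable
        fi
    done
    return $found
}

# make_demo_home DIR: constructed fixture, owned by whoever runs the script.
make_demo_home() {
    mkdir -p "$1/.ssh"
    : > "$1/.bashrc";              chmod 644 "$1/.bashrc"
    : > "$1/.profile";             chmod 444 "$1/.profile"
    : > "$1/.ssh/authorized_keys"; chmod 400 "$1/.ssh/authorized_keys"
    chmod 555 "$1/.ssh"; chmod 755 "$1"
}

# Usage: sh audit.sh NUMERIC_UID HOME_DIR
if [ $# -eq 2 ]; then audit_rbash_home "$1" "$2"; fi
```

A clean result means root-owned, non-writable startup files in a directory the account cannot write to; it says nothing about other writable paths such as scripts in the working directory.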