You do realise that if you allow an untrusted script to run at root, having it modify itself is the least of your concerns. There are *so* many ways an untrusted script can cause a problem that do not require your self-modifying script and for which your proposed mitigation will do nothing. What's the point in protecting against the 0.000001% case if you have done nothing to protect yourself against system administrators executing untrusted scripts as root?
On Sun, 7 Apr 2024 at 14:18, <ad...@osrc.rip> wrote: > Hello everyone! > > I've attached a minimal script which shows the issue, and my recommended > solution. > > Affected for sure: > System1: 64 bit Ubuntu 22.04.4 LTS - Bash: 5.1.16(1)-release - Hardware: > HP Pavilion 14-ec0013nq (Ryzen 5 5500u, 32GB RAM, Radeon grapics, nvme > SSD.) > System2: 64 bit Ubuntu 20.10 (No longer supported.) - Bash: > 5.0.17(1)-release - Hardware: DIY (AMD A10-5800k, 32GB RAM, Radeon > graphics, several SATA drives) > and probably a lot more... > > Not sure whether or not this is a know issue, truth be told I discovered > it years ago (back around 2016) as I was learning bash scripting, and > accidentally appended a command to the running script, which got > executed immediately after the script but back then I didn't find it > important to report since I considered myself a noob. I figured someone > more experienced will probably find and fix it, or there must be a > reason for it. I forgotű it. Now watching a video about clever use of > shell in XZ stuff I remembered, tested it again and found it still > unpatched. :S So now I'm reporting it and hope it helps! > > Read the code, test it, fix it. More explanation in the comments. > > Since it's very old I'd recommend a silent fix before announcement, > especially since I also found a potentially easy fix. > > Kind regards > Tibor
