Re: rbash escape vulnerability
On 12/21/17 2:03 PM, Drew Parker wrote: > Bash Version: 4.4 > Patch Level: 12 > Release Status: release > > Description: > In rbash v4.4.12 it is possible to escape the restricted shell by > running a program in the current directory > by setting the BASH_CMDS variable. This had currently been patched to > exclude "/" > characters. However, if the file is flagged as executable, no slash > needs to be > included, and the file with be executed. `rbash' isn't especially useful in isolation. I'd argue that the game was over when you ran `cp /bin/sh .', since that implies that PATH wasn't sanitized (and may include `.', which would defeat the entire effort). What's your proposed solution? I can see how verifying that the value assigned is found in $PATH could fix a portion of the issue. Chet -- ``The lyf so short, the craft so long to lerne.'' - Chaucer ``Ars longa, vita brevis'' - Hippocrates Chet Ramey, UTech, CWRUc...@case.eduhttp://tiswww.cwru.edu/~chet/
simple function causes BASH to exit when -e in effect
The bug happens to me on
GNU bash, version 4.1.2(2)-release (x86_64-redhat-linux-gnu)
and
GNU bash, version 4.4.12(1)-release (x86_64-apple-darwin16.4.0)
The script is attached, but the function in question is this:
function debug1 {
[ "$debug" ] && echo "$(date "+%Y-%m-%d %H:%M:%S"): $@"
}
If it is defined like this then no problem exists:
function debug1 {
if [ "$debug" ]; then
echo "$(date "+%Y-%m-%d %H:%M:%S"): $@"
fi
}
nor if it is defined like this:
function debug1 {
[ "$debug" ] && echo "$(date "+%Y-%m-%d %H:%M:%S"): $@"
:
}
When I run the script I see this output:
BEFORE test 2
AFTER test 2
BEFORE test 1
but I expected to see
BEFORE test 2
AFTER test 2
BEFORE test 1
AFTER test 1
It took me hours of work to distill this down from a very large and long
running script.
foo.sh is attached.
foo.sh
Description: Bourne shell script
Re: simple function causes BASH to exit when -e in effect
On Fri, Dec 22, 2017 at 1:39 PM, Kevin Layer wrote:
> The bug happens to me on
> GNU bash, version 4.1.2(2)-release (x86_64-redhat-linux-gnu)
> and
> GNU bash, version 4.4.12(1)-release (x86_64-apple-darwin16.4.0)
>
> The script is attached, but the function in question is this:
>
> function debug1 {
> [ "$debug" ] && echo "$(date "+%Y-%m-%d %H:%M:%S"): $@"
> }
>
>
This is expected behavior. When "$debug" is empty, the [ command exits 1.
That means the && isn't
run, and the whole function returns with the status of the last run
command, which is still 1 at this point.
http://mywiki.wooledge.org/BashFAQ/105
Re: simple function causes BASH to exit when -e in effect
The man page says:
The shell does not exit if the command that fails is part of the
command list immediately following a while or until keyword,
part of the test following the if or elif reserved words,
part of any command executed in a && or || list except the
command following the final && or ||, any command in a
pipeline but the last, or if the command's return value is being
inverted with !.
The fact that [ exits with 1 seems to be covered by the above passage for
-e.
On Fri, Dec 22, 2017 at 10:50 AM, DJ Mills wrote:
>
>
> On Fri, Dec 22, 2017 at 1:39 PM, Kevin Layer wrote:
>
>> The bug happens to me on
>> GNU bash, version 4.1.2(2)-release (x86_64-redhat-linux-gnu)
>> and
>> GNU bash, version 4.4.12(1)-release (x86_64-apple-darwin16.4.0)
>>
>> The script is attached, but the function in question is this:
>>
>> function debug1 {
>> [ "$debug" ] && echo "$(date "+%Y-%m-%d %H:%M:%S"): $@"
>> }
>>
>>
> This is expected behavior. When "$debug" is empty, the [ command exits 1.
> That means the && isn't
> run, and the whole function returns with the status of the last run
> command, which is still 1 at this point.
>
> http://mywiki.wooledge.org/BashFAQ/105
>
Re: simple function causes BASH to exit when -e in effect
On 12/22/17 1:56 PM, Kevin Layer wrote: > The man page says: > > The shell does not exit if the command that fails is part of the > command list immediately following a while or until keyword, > part of the test following the if or elif reserved words, > part of any command executed in a && or || list except the > command following the final && or ||, any command in a > pipeline but the last, or if the command's return value is being > inverted with !. > > The fact that [ exits with 1 seems to be covered by the above passage for > -e. It doesn't exit because that command fails. It exits because the simple command that is the function call fails, since a function returns the status of the last command exited in the function body. That's why it doesn't fail when the last command in the body is `:'. -- ``The lyf so short, the craft so long to lerne.'' - Chaucer ``Ars longa, vita brevis'' - Hippocrates Chet Ramey, UTech, CWRUc...@case.eduhttp://tiswww.cwru.edu/~chet/
Re: simple function causes BASH to exit when -e in effect
On Fri, Dec 22, 2017 at 10:56:18AM -0800, Kevin Layer wrote: > The man page says: > > The shell does not exit if the command that fails is part of the > command list immediately following a while or until keyword, > part of the test following the if or elif reserved words, > part of any command executed in a && or || list except the > command following the final && or ||, any command in a > pipeline but the last, or if the command's return value is being > inverted with !. > > The fact that [ exits with 1 seems to be covered by the above passage for > -e. [ exits 1, but this doesn't trip -e because it's part of a compound command. However, debug1 also exits 1, and THAT trips -e, because debug1 is a simple command. debug2 does not exit 1 because "if" has completely different rules compared to compound commands strung together with &&. wooledg:~$ if false; then echo hi; fi wooledg:~$ echo $? 0 wooledg:~$ false && echo hi; echo $? 1
