Re: [PATCH/RFC] do not source/exec scripts on noexec mount points

2015-12-14 Thread Mike Frysinger
On 15 Dec 2015 06:47, konsolebox wrote: > On Mon, Dec 14, 2015 at 1:17 PM, Mike Frysinger wrote: > > On 13 Dec 2015 16:50, konsolebox wrote: > >> On Sun, Dec 13, 2015 at 5:01 AM, Mike Frysinger wrote: > >> > Today, if you have a script that lives on a noexec mount point, the > >> > kernel will r

Re: SHELLOPTS=xtrace security hardening

2015-12-14 Thread up201407890
Quoting "Stephane Chazelas" : I understand what you're saying. As much as we would like, there's no way of stopping all attack vectors by only hardening bash, not only that, but also taking away its useful features. Though I still believe PS4 shouldn't be imported from the environment. Sho

Re: [PATCH/RFC] do not source/exec scripts on noexec mount points

2015-12-14 Thread konsolebox
On Mon, Dec 14, 2015 at 1:17 PM, Mike Frysinger wrote: > On 13 Dec 2015 16:50, konsolebox wrote: >> On Sun, Dec 13, 2015 at 5:01 AM, Mike Frysinger wrote: >> > Today, if you have a script that lives on a noexec mount point, the >> > kernel will reject attempts to run it directly: >> > $ printf

Re: [PATCH] Support configurable mode strings in prompt

2015-12-14 Thread Chet Ramey
On 12/6/15 10:34 PM, Dylan Cali wrote: > > On Sun, Nov 16, 2014 at 9:48 PM, Chet Ramey > wrote: > > Most of this will be in the next release of bash. I added some things and > left out the \m prompt expansion for now. > > > Hi Chet, > > I finally had a cha

Re: SHELLOPTS=xtrace security hardening

2015-12-14 Thread Stephane Chazelas
2015-12-14 18:01:13 +0100, up201407...@alunos.dcc.fc.up.pt: [...] > Obviously it's always the application's fault. > The thing is that a simple patch in bash can stop most of these > applications from getting exploited. [...] Should we also stop importing BASH_ENV in case some suid application execu

Re: SHELLOPTS=xtrace security hardening

2015-12-14 Thread up201407890
Quoting "Stephane Chazelas" : SHELLOPTS+PS4 is a known way to have the shell run arbitrary commands. Before shellshock, env /bin/date='() { cmd; }' was another one. The fix for shellshock closed that one. Yes, exporting a function was a better known attack against this. I can see why one mi

Re: Ruler

2015-12-14 Thread Greg Wooledge
On Fri, Dec 11, 2015 at 08:41:26PM -0700, valkrem wrote: > Assume I have a file named "test" and has three variables > > Id Date length > > 123 20150518 2750 > 125 20140324 3500 > > When I invoke the command -ruler ( or the script name) I will see the > following > > bash$ rul

Re: Out of bounds heap read in function rl_tilde_expand

2015-12-14 Thread Hanno Böck
On Sat, 5 Dec 2015 16:19:55 -0500 Chet Ramey wrote: > > I've seen there was a new bash 4.3 patchlevel, but this one didn't > > get fixed. Hope it wasn't forgotten. > > The fix is in the devel branch. Okay. I assume it'll be some time till the devel branch becomes a new release, so I had hoped

[patch] uniform bash loging

2015-12-14 Thread Piotr Grzybowski
Hi All, for some time I had been struggling with the logging system in my scripts. I wanted it to automatically detect the status of last executed command, print the customizable time stamp, work from within functions, and so on. For me it took a couple of lines of echo, output redirection, and i