Unshocking the shell (deconstructing the Bash mess)
SlackwareThis Forum is for the discussion of Slackware Linux.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
EDIT: I am not really sure why they differ.
EDIT2: Since the manual test reports it as vulnerable I would say this test is more reliable than the one posted on the previous post.
Last edited by moisespedro; 10-02-2014 at 08:58 PM.
EDIT: I am not really sure why they differ.
EDIT2: Since the manual test reports it as vulnerable I would say this test is more reliable than the one posted on the previous post.
Red Hat yesterday disclosed two out-of-bounds memory issues it discovered that apparently affect Bash back to 3.2 or earlier. They've
been designated CVE-2014-7186 and CVE-2014-7187.
Yes I saw it, but I still fail to see why a programmer would write a script like this (with all those EOFs)
And if it was an attacker and was able to execute bash code, he could do worst things than make his script segfaulting.
I understood the security breach using bash env to execute code. But why a programming language would be considered vulnerable because a script is segfaulting using bad code?
Also, Florian's patch effectively ended the security relevance of all the other bugs to the point where you'd be protected even if you skipped all the other patches. As Chet points out, if an attacker controls the *name* of an environment variable across a security boundary it's a security problem with whatever is misusing the shell. I don't think there's any shell that could secure against such usage since the attacker could set LD_LIBRARY_PATH or play an infinite number of other games.
What concerns me is that on a system where /bin/sh is bash there will now be additional environment variables to sanitise that would be harmless on a system where /bin/sh isn't provided by bash. SGID/SUID executables would be the 'security boundary' and unless the programmers took a whitelisting rather than blacklisting approach to the environment sanitisation I can see potential for issues in this area.
What I don't understand is why everyone is so eager to point their fingers at Bash. It is amazing that Bash developers had a fix on such a short notice, and a convincing testimony to how professional they are. Do they really deserve ANY flac? Here's what I don't get: it's been known for years that Bash parses and/or executes code found in the environment variables. It was a feature. So why did Web servers decide it was a good idea to copy Web user input and paste it into the environment? All I see now is the Bash devs making Bash robust enough to handle direct input from the Web (a considerable stretch of its original design goals), while the fault for the security breach belongs squarely to the folks who gave the Web users access to the Bash environment. In a way, Bash is stepping up to fix a giant %@$*-up by multiple other parties because Bash finds itself in the best position to protect the users of these crappy Web, DHCP, and SSH servers.
it's been known for years that Bash parses and/or executes code found in the environment variables.
Has it? I wasn't aware of it and I've been using linux 20 years, UNIX somewhat longer, and would consider myself fairly knowledgeable (though I only know what I know and not everything). It came as a surprise to me, and I suspect it did to a lot of others.
Unless anyone has studied the bash man-page and happened to notice that 'export' has a non-standard '-f' flag and read up on it they're not likely to know.
I'm not bashing the bash developers, especially the current ones whose effort to address this is much appreciated. Their response to these issues has been excellent, but I do feel that its a case of "can't see the wood for all of the trees" and that this 'feature' was just a bad idea from the start: which might go some way to explaining why no other shell does it.
Serious question: Would anyone be upset if they ripped this dubious feature out, or at least disabled it by default? Is there anything that actually uses this function definition exporting/importing for a legitimate purpose? And if you really wanted to make your definitions available in other shell invocations, why wouldn't you just stick them in a file and use either $BASH_ENV or 'source' to load them? It's a lot more reliable and wouldn't waste system resource by unnecessarily enlarging the process environment.
What is needed is for one of the current bash developers to be brave enough to stick their head above the parapet and say; "This long-standing feature was a mistake. Apologies to anyone who is making use of it, but there are better/safer ways to achieve what you need, and for the greater good this needs to be disabled by default."
As always, that just my opinion and YMMV. I'm done pontificating on this now.
It is definitely a dubious feature that very few know about. Don't try to pass it off as if you knew about it. Yes the bash devs need some bashing because there is no reason for this feature and it is insecure by design. For that they need bashing, for the other things obviously not.
When here and in other forums and mailing lists, discussing even with old Unix users and developers, from my total ignorance and using pure common sense I use supposedly "off-topic", "non technical", "insulting" phrases like:
"Think carefully about what you really need."
"Nowadays all is bloated."
"Don't encourage the fake 'easy to use' adding layers and layers of the same reinvented wheel."
"Don't encourage the 'adding features to the infinite' creating unified monolithic monsters."
"Stop constructing!"
Even in front of the facts, some insists in calling the KISS approach zealotry. Other in mistaking it for laziness. Lately Linus Torvalds called it a "mindset". They indeed "bash" themselves (directly and recursively :-)). And everybody suffers the consequences.
I've migrated just about all my user accounts to zsh, but I still leave core script functions to bash respectively. I redid all my system scripts and boot scripts to call /bin/bash directly rather than /bin/sh as /bin/sh points to zsh now.
Nothing is broken, everything works, and life continues onward.
You know what they say... If you want something doing...
We've had a couple of rainy days here so I spent a little time coming up with a patch for bash to make it work the way I want it to. In short, I've added a new configure option that can be used to set whether function loading is done by default, and added command-line arguments to override whatever default you set on the configure.
On the off-chance that anyone is still interested, here are the patches to be used against the 4.3.27 in -current.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.