On Tue, 30 Sep 2014, Thorsten Glaser wrote:
> On Fri, 26 Sep 2014, Matthias Urlichs wrote:
> > In any case, adding "-p" to any #!/bin/bash shebang line looks like a very
> > good idea. Shall we add a Lintian check for this?
>
> ***ABSOLUTELY NOT***
>
> The -p option is for the shell to *not* drop
Hi,
Thorsten Glaser:
> On Fri, 26 Sep 2014, Matthias Urlichs wrote:
>
> > In any case, adding "-p" to any #!/bin/bash shebang line looks like a very
> > good idea. Shall we add a Lintian check for this?
>
> ***ABSOLUTELY NOT***
>
> The -p option is for the shell to *not* drop privileges when
>
On Fri, 26 Sep 2014, Matthias Urlichs wrote:
> In any case, adding "-p" to any #!/bin/bash shebang line looks like a very
> good idea. Shall we add a Lintian check for this?
***ABSOLUTELY NOT***
The -p option is for the shell to *not* drop privileges when
called setuid.
bye,
//mirabilos
--
Som
Hi,
Raphael Geissert:
> On Friday 26 September 2014 18:48:37 Matthias Urlichs wrote:
> [...]
> > In any case, adding "-p" to any #!/bin/bash shebang line looks like a very
> > good idea. Shall we add a Lintian check for this?
>
> No.
>
… and why not?
Importing random functions from the environ
On Friday 26 September 2014 18:48:37 Matthias Urlichs wrote:
[...]
> In any case, adding "-p" to any #!/bin/bash shebang line looks like a very
> good idea. Shall we add a Lintian check for this?
No.
Cheers,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
Hi,
shawn wilson:
> > Maybe we should add the patched version, with an appropriate NEWS entry,
> > to backports?
> >
>
> Maybe?
"Maybe we" as a shorthand for "IMHO, the maintainer of bash should".
Better? :-)
Also, '-p' (privileged mode, i.e. ignore functions in the environment, as
well as a b
On Sep 25, 2014 3:18 PM, "Matthias Urlichs" wrote:
>
> Hi,
>
> Samuel Thibault:
> > Sounds crazy to me.
> >
> Definitely. This is now out in the wild; exploits which simply replace
> echo or cat-without-/bin are going to happen. :-/
>
Actually, what I've seen reported in the wild have been wget a
On 2014-09-26 10:33:20 +0200, Josselin Mouette wrote:
> Brian May wrote:
> No, I don't think that is the case. I believe sudo interprets
> those assignments itself (as also shown in man page), and the
> error I got clearly shows this to be the case.
>
> b
On 2014-09-26 09:19:17 +0200, Samuel Thibault wrote:
> Nikolaus Rath, on Thu 25 Sep 2014 17:26:40 -0700, wrote:
> > Wasn't there some web server that used to put query script variables
> > into the environment of the CGI script?
>
> Well, that ought to have been fixed a long time ago already,
>
Brian May wrote:
On 26 September 2014 14:15, Russ Allbery wrote:
That would surprise me. In one case, you're setting an environment
variable and then running sudo. In the other case, you're telling sudo to
Brian May, on Fri 26 Sep 2014 11:40:00 +1000, wrote:
> On 26 September 2014 10:26, Nikolaus Rath <nikol...@rath.org> wrote:
>
> Wasn't there some web server that used to put query script variables
> into the environment of the CGI script? Or am I confusing that with
> PHP's evil
Nikolaus Rath, on Thu 25 Sep 2014 17:26:40 -0700, wrote:
> Samuel Thibault writes:
> > Matthias Urlichs, on Thu 25 Sep 2014 21:17:58 +0200, wrote:
> >> Samuel Thibault:
> >> > Sounds crazy to me.
> >> >
> >> Definitely. This is now out in the wild; exploits which simply replace
> >> echo or
Hi,
Martin Uecker:
> While everybody is looking at bash, isn't this the real
> injection part? Why are there still programs which copy stuff
> from the network into environment without proper sanitation?
Probably either sheer laziness, or for the usual, misguided-these-days
(IMHO) "be lenien
Brian May writes:
> No, I don't think that is the case. I believe sudo interprets those
> assignments itself (as also shown in man page), and the error I got
> clearly shows this to be the case.
> brian@aquitard:~$ sudo echo='() { /bin/echo bar; id; }' ./test.sh
> sudo: sorry, you are not allow
On Fri, Sep 26, 2014 at 01:37:48PM +1000, Brian May wrote:
> On 26 September 2014 12:08, Russ Allbery wrote:
> >
> > > brian@aquitard:~$ sudo echo='() { /bin/echo bar; }' bash
> > > root@aquitard:/home/brian# echo hello
> > > bar
> >
> > I think you have that backwards, don't you? Shouldn't that
On 26 September 2014 14:15, Russ Allbery wrote:
> That would surprise me. In one case, you're setting an environment
> variable and then running sudo. In the other case, you're telling sudo to
> run the command "echo='() { /bin/echo bar; }' echo foo" via a shell.
>
> No, I don't think that is t
Brian May writes:
> On 26 September 2014 12:08, Russ Allbery wrote:
>>
>> I think you have that backwards, don't you? Shouldn't that be:
>>
>> echo='() { /bin/echo bar; }' sudo bash
> I think sudo treats both as the same/similar thing.
That would surprise me. In one case, you're setting a
On 26 September 2014 12:08, Russ Allbery wrote:
>
> > brian@aquitard:~$ sudo echo='() { /bin/echo bar; }' bash
> > root@aquitard:/home/brian# echo hello
> > bar
>
> I think you have that backwards, don't you? Shouldn't that be:
>
> echo='() { /bin/echo bar; }' sudo bash
>
I think sudo treat
On Thu, Sep 25, 2014 at 04:29:05PM +0100, Ian Jackson wrote:
> Package: bash
> Version: 4.1-3
>
> I have prepared bash packages which do not honour any shell functions
> they find in the environment. IMO that is a crazy feature, which
> ought to be disabled. (I'm running this on chiark now and n
Russ Allbery :
> Martin Uecker writes:
>
> > While everybody is looking at bash, isn't this the real injection
> > part? Why are there still programs which copy stuff from the network
> > into environment without proper sanitation?
>
> The previous sanitization for environment variables most
Martin Uecker writes:
> While everybody is looking at bash, isn't this the real injection
> part? Why are there still programs which copy stuff from the network
> into environment without proper sanitation?
The previous sanitization for environment variables mostly focused on not
letting the
Brian May writes:
> I thought sudo was supposed to be ok, sure doesn't look ok to me.
> brian@aquitard:~$ sudo echo='() { /bin/echo bar; }' bash
> root@aquitard:/home/brian# echo hello
> bar
I think you have that backwards, don't you? Shouldn't that be:
echo='() { /bin/echo bar; }' sudo b
On 26 September 2014 10:26, Nikolaus Rath wrote:
> Wasn't there some web server that used to put query script variables
> into the environment of the CGI script? Or am I confusing that with
> PHP's evil register_globals?
>
CGI is just one avenue for attack.
There are other avenues. e.g. the ssh
Samuel Thibault:
> Matthias Urlichs, on Thu 25 Sep 2014 21:17:58 +0200, wrote:
> > Samuel Thibault:
> > > Sounds crazy to me.
> > >
> > Definitely. This is now out in the wild; exploits which simply replace
> > echo or cat-without-/bin are going to happen. :-/
>
> That's not so easy to exploi
Samuel Thibault writes:
> Matthias Urlichs, on Thu 25 Sep 2014 21:17:58 +0200, wrote:
>> Samuel Thibault:
>> > Sounds crazy to me.
>> >
>> Definitely. This is now out in the wild; exploits which simply replace
>> echo or cat-without-/bin are going to happen. :-/
>
> That's not so easy to explo
Matthias Urlichs, on Thu 25 Sep 2014 21:17:58 +0200, wrote:
> Samuel Thibault:
> > Sounds crazy to me.
> >
> Definitely. This is now out in the wild; exploits which simply replace
> echo or cat-without-/bin are going to happen. :-/
That's not so easy to exploit. You have to manage to inject th
Hi,
Samuel Thibault:
> Sounds crazy to me.
>
Definitely. This is now out in the wild; exploits which simply replace
echo or cat-without-/bin are going to happen. :-/
Maybe we should add the patched version, with an appropriate NEWS entry,
to backports?
--
-- Matthias Urlichs
Ian Jackson, on Thu 25 Sep 2014 16:29:05 +0100, wrote:
> I have prepared bash packages which do not honour any shell functions
> they find in the environment. IMO that is a crazy feature, which
> ought to be disabled. (I'm running this on chiark now and nothing has
> visibly broken yet.)
Yes.