2015-12-13 12:49:58 -0500, Chet Ramey:
[...]
> I have to tell you, if I wanted to exploit a program written this poorly,
> I wouldn't mess around with SHELLOPTS. I'd go straight to PATH.
[...]
In the (very specific) OP's test case, he had system("/bin/date"). Since /bin/date doesn't usually execute other commands, PATH won't help.

SHELLOPTS+PS4 is a known way to have the shell run arbitrary commands. Before shellshock, env /bin/date='() { cmd; }' was another one. The fix for shellshock closed that one.

I can see why one might want to close a path to easy privilege escalation, but IMO, the fault here is not with bash but with setuid applications invoking other applications, let alone a shell, without sanitizing the environment.

What bash could do is document what environment variables affect its behaviour (so setuid applications know which to sanitize), but that's mostly already done, and anyway, the proper way to sanitize the environment is not to blacklist known troublesome env vars (what about the unknown ones?) but to clear everything except the ones you need (and still check and sanitize their content).

The environment is meant to be used like that. It's meant to be trusted. Setuid applications fail their contract if they fail to sanitize the environment before running other applications.

-- 
Stephane
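The allow-list approach described in the message above, as an added example that is not code from the thread, from bash or from the OP's program: a setuid helper builds a fresh envp from an allow-list of variable names, pins PATH to a fixed value instead of inheriting it, checks the content of what it keeps, and only then exec()s the child. The allowed-variable list, the fixed PATH, the value check and the hostile sample environment are assumptions chosen for illustration; the sample environment is constructed, not captured from a real system.

```c
/* Added example: environment sanitization for a setuid program that must
 * run another program.  Rather than blacklisting SHELLOPTS, PS4 and friends
 * (the unknown ones would still get through), keep only an allow-list,
 * validate the kept values, and force PATH to a trusted value. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Assumption: variables this helper legitimately needs. Everything else is dropped. */
static const char *const allowed[] = { "TERM", "LANG", "TZ", NULL };

/* Assumption: PATH is always set to this, never inherited from the caller. */
#define SAFE_PATH "PATH=/usr/bin:/bin"

/* Constructed hostile environment, as an attacker controlling the caller's
 * environment might supply it (SHELLOPTS/PS4 are the pair named in the thread). */
static char *const hostile_env[] = {
    "SHELLOPTS=xtrace", "PS4=$(id)", "PATH=/tmp:/bin",
    "TERM=xterm", "LANG=C;id", "TZ=UTC", "TERM=vt100", NULL
};

/* Accept only short, printable ASCII values without shell metacharacters.
 * What counts as "sane" depends on the child; this is one reasonable check. */
int value_is_sane(const char *value)
{
    size_t len = 0;
    for (; *value; value++, len++) {
        unsigned char c = (unsigned char)*value;
        if (c < 0x20 || c > 0x7e) return 0;
        if (strchr("`$;|&<>(){}", c)) return 0;
    }
    return len < 256;
}

/* Look up NAME in a NULL-terminated envp; return its value or NULL. */
const char *env_lookup(char *const *env, const char *name)
{
    size_t n = strlen(name);
    for (size_t i = 0; env[i]; i++)
        if (strncmp(env[i], name, n) == 0 && env[i][n] == '=')
            return env[i] + n + 1;
    return NULL;
}

size_t env_count(char *const *env)
{
    size_t n = 0;
    while (env[n]) n++;
    return n;
}

/* Build a new NULL-terminated envp: SAFE_PATH plus the first occurrence of
 * each allow-listed variable from SRC whose value passes value_is_sane().
 * Entries are strdup()ed; the returned array is heap allocated. */
char **clean_env(char *const *src)
{
    size_t n = env_count(src);
    char **out = calloc(n + 2, sizeof *out);   /* at most n entries + PATH + NULL */
    if (!out) return NULL;
    size_t k = 0;
    out[k++] = strdup(SAFE_PATH);
    for (size_t i = 0; i < n; i++) {
        const char *eq = strchr(src[i], '=');
        if (!eq) continue;                      /* malformed entry: drop it */
        size_t namelen = (size_t)(eq - src[i]);
        for (const char *const *a = allowed; *a; a++) {
            if (strlen(*a) != namelen || strncmp(src[i], *a, namelen) != 0)
                continue;
            if (env_lookup(out, *a) != NULL)    /* duplicate name: keep the first */
                break;
            if (value_is_sane(eq + 1))
                out[k++] = strdup(src[i]);
            break;
        }
    }
    out[k] = NULL;
    return out;
}

/* Convenience for demonstration and testing: sanitize the constructed sample. */
char **clean_hostile_env(void)
{
    return clean_env(hostile_env);
}

int main(void)
{
    char **env = clean_hostile_env();
    if (!env) return 1;
    for (size_t i = 0; env[i]; i++)
        printf("kept: %s\n", env[i]);
    /* The child sees only the sanitized environment, not the caller's. */
    char *const argv[] = { "/bin/date", NULL };
    execve("/bin/date", argv, env);
    perror("execve");
    return 1;
}
```

Note that this only addresses the environment; a setuid program that runs other programs also needs to drop privileges it does not need and must avoid going through a shell (execve rather than system()), since the allow-listed values are still data the child interprets in its own way.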