On 12/14/15 6:30 PM, up201407...@alunos.dcc.fc.up.pt wrote:
> Quoting "Stephane Chazelas" <stephane.chaze...@gmail.com>:
>
> I understand what you're saying.
> As much as we would like, there's no way of stopping all attack vectors by
> only hardening bash, not only that, but also taking away its useful features.
> Though I still believe PS4 shouldn't be imported from the environment.
Maybe if running with uid 0.
>> Should we also block SHELLOPTS=history
>> HISTFILE=/some/file like /proc/$pid/fd/$fd and
>> TZ=/proc/$pid/fd/$fd (like for your /bin/date command) as that
>> allows DoS on other processes (like where those fds are for
>> pipes).
>
> Mind explaining this one?
> I can't seem to write to HISTFILE in a non-interactive shell, or am i
> missing something?
You just need to enable history (set -o history). History is independent
of whether or not the shell is interactive; it's just enabled by default
in interactive shells.
--
``The lyf so short, the craft so long to lerne.'' - Chaucer
``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, ITS, CWRU c...@case.edu http://cnswww.cns.cwru.edu/~chet/
