** Changed in: bash (Ubuntu)
Milestone: later = None
** Changed in: bash (Ubuntu)
Status: In Progress = Won't Fix
** Changed in: bash (Ubuntu)
Assignee: Kees Cook (kees) = (unassigned)
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is
** Changed in: bash (Ubuntu Natty)
Milestone: ubuntu-11.04-beta-1 = None
** Changed in: bash (Ubuntu)
Milestone: ubuntu-11.04-beta-1 = later
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
** Changed in: bash (Ubuntu Natty)
Assignee: Matthias Klose (doko) = Kees Cook (kees)
** Changed in: bash (Ubuntu Natty)
Status: Confirmed = In Progress
--
Well, as much as the shell is a separate class of execution environment,
it seems the trouble is mostly with strict AppArmor profile writing.
Metacharacter vulnerabilities would allow the execution of other tools
that do allow networking (nc, perl, python, awk). The only kind of
attack that would
** Changed in: bash (Ubuntu Natty)
Milestone: natty-alpha-3 = ubuntu-11.04-beta-1
--
https://bugs.launchpad.net/bugs/712662
Title:
network redirection has been enabled
--
Shouldn't you instead add an ability to confine network access instead
of deleting support for network access from an interpreter? Don't you
have the same issue with other interpreters?
--
To Phillip,
AppArmor mediates networking (albeit in a coarse-grained fashion). For
an application that doesn't require network access, there is no issue
with profiling, because the profile for the application wouldn't allow
network access, so any attempt to use bash' network redirection would be
** Changed in: bash (Ubuntu Natty)
Assignee: (unassigned) = Matthias Klose (doko)
--
** This bug has been flagged as a security vulnerability
--
ubuntu-bugs mailing list
This makes AppArmor confinement of services that have bash scripts hard,
as the /dev/* devices are emulated by bash, and are not actually in the
filesystem.
** Changed in: bash (Ubuntu)
Status: New = Confirmed
--
To elaborate based on discussions among the ubuntu-security team:
It is more than just confinement by AppArmor, it is any LSM. The kernel
doesn't have an implementation for mediating /dev/tcp or /dev/udp.
As a hypothetical example, consider an application confined by AppArmor, which
has this
** Changed in: bash (Ubuntu)
Importance: Undecided = High
** Also affects: bash (Ubuntu Karmic)
Importance: Undecided
Status: New
** Also affects: bash (Ubuntu Lucid)
Importance: Undecided
Status: New
** Also affects: bash (Ubuntu Maverick)
Importance: Undecided