oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: CVE-2014-6271: remote code execution through bash

From: Simon McVittie <smcv () debian org>
Date: Fri, 26 Sep 2014 14:12:20 +0100
On 26/09/14 00:43, Chet Ramey wrote:

I'm arguing that privilege boundaries should take responsibility for
their nature as a privilege boundary, and not pass the buck to the
code that they call into.


It doesn't help if some process sets ruid = euid and execs bash,
but bash doesn't import functions from the environment if
ruid != euid.


Yes, what I'm saying is that in that situation, we should blame the
"some process", not bash. It is the "some process" that opted to act as
a privilege boundary (by being setuid or whatever), so it should be
responsible for taking extra care when it executes non-trivial code
(e.g. bash) with its elevated privileges.

    S
Previous By Date Next
Previous By Thread Next

Current thread: