bug-bash

Re: SHELLOPTS=xtrace security hardening


From: up201407890
Subject: Re: SHELLOPTS=xtrace security hardening
Date: Tue, 15 Dec 2015 17:37:47 +0100
User-agent: Internet Messaging Program (IMP) H3 (4.2)

Quoting "Stephane Chazelas" <stephane.chazelas@gmail.com>:

> I don't know if you can make a non-interactive bash write to the
> $HISTFILE, but bash, even when non-interactive, even when called
> as sh, with SHELLOPTS=history will *read* the HISTFILE.

Thanks for clearing that up for me. Makes sense.

Quoting "Chet Ramey" <chet.ramey@case.edu>:

>> I understand what you're saying.
>> As much as we would like, there's no way of stopping all attack vectors by
>> only hardening bash, not only that, but also taking away its useful features.
>> Though I still believe PS4 shouldn't be imported from the environment.
>
> Maybe if running with uid 0.

That's something to think about.

> You just need to enable history (set -o history).  History is independent
> of whether or not the shell is interactive; it's just enabled by default
> in interactive shells.

Doing a "set -o history" didn't work for me, only when I added a "history -a", e.g.:

$ cat test.sh
#!/bin/bash

set -o history
HISTFILE="/tmp/history"
HISTSIZE="1000"

printf 'something\n'
$ ./test.sh
something
$ ls /tmp/history
ls: cannot access /tmp/history: No such file or directory
$ echo history -a >> test.sh
$ ./test.sh
something
$ ls /tmp/history
/tmp/history
$ cat !$
HISTFILE="/tmp/history"
HISTSIZE="1000"
printf 'something\n'
history -a

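The defensive side of the discussion above, as an added example that is not code from this thread and not bash's own code: a small POSIX shell helper that reports which of the startup-influencing variables named in the thread (SHELLOPTS, PS4, HISTFILE) have been exported into the current process, runs a command with those variables scrubbed from the child's environment, and sketches the "maybe if running with uid 0" policy as a refuse-to-continue check. It assumes an `env` that supports `-u` (GNU or BSD coreutils); the variable list in STARTUP_VARS and all function names are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the bug-bash thread, not bash's own code).
# Reports exported startup-influencing variables, runs a command with them
# scrubbed, and sketches a "refuse when uid 0" policy.
# Assumptions: `env -u` (GNU or BSD coreutils) is available; the variable
# list in STARTUP_VARS is this example's own choice, taken from the thread.

STARTUP_VARS="SHELLOPTS PS4 HISTFILE"

# Print, one per line, the STARTUP_VARS that are present in the exported
# environment. Being exported is what matters: bash always has a SHELLOPTS
# shell variable, but only an exported one is inherited by child shells
# and acts on their options before any startup file is read.
tainted_startup_vars() {
    for v in $STARTUP_VARS; do
        if env | grep -q "^${v}="; then
            printf '%s\n' "$v"
        fi
    done
}

# Succeeds (status 0) when none of STARTUP_VARS are exported.
startup_env_is_clean() {
    [ -z "$(tainted_startup_vars)" ]
}

# Run the given command with the startup-influencing variables removed
# from its environment, so an xtrace or history setting, or a PS4 string,
# supplied by the caller's environment does not reach the child shell.
scrubbed_run() {
    env -u SHELLOPTS -u PS4 -u HISTFILE "$@"
}

# Policy sketch for "maybe if running with uid 0": refuse to go on when
# running as root with a tainted startup environment. Returns 0 (ok) or
# 2 (refused). The uid is a parameter so the check can be exercised
# without actually being root; it defaults to the real uid.
check_privileged_startup() {
    uid=${1:-$(id -u)}
    if [ "$uid" -eq 0 ] && ! startup_env_is_clean; then
        printf 'refusing: uid 0 with exported %s\n' \
            "$(tainted_startup_vars | tr '\n' ' ')" >&2
        return 2
    fi
    return 0
}

# Demonstration: report the current state, then start a child shell both
# ways and show whether it inherited PS4 from this process's environment.
printf 'exported startup variables: %s\n' "$(tainted_startup_vars | tr '\n' ' ')"
printf 'child PS4 without scrubbing: %s\n' "$(sh -c 'printf %s "${PS4-}"')"
printf 'child PS4 with scrubbing:    %s\n' "$(scrubbed_run sh -c 'printf %s "${PS4-}"')"
```

The check looks at the exported environment via `env` rather than at shell variables on purpose: inside bash, `SHELLOPTS` and `PS4` always exist as variables, so `[ -n "$SHELLOPTS" ]` would report a problem in every shell; only an exported copy travels to a child and influences its startup.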



