[Bug 806628] New: Bash doesn't execute a script w/o the #! line as user's shell but as /bin/sh
https://bugzilla.novell.com/show_bug.cgi?id=806628
https://bugzilla.novell.com/show_bug.cgi?id=806628#c0

           Summary: Bash doesn't execute a script w/o the #! line as user's shell but as /bin/sh
    Classification: openSUSE
           Product: openSUSE 12.3
           Version: RC 1
          Platform: All
        OS/Version: Other
            Status: NEW
          Severity: Major
          Priority: P5 - None
         Component: Basesystem
        AssignedTo: bnc-team-screening@forge.provo.novell.com
        ReportedBy: suse@tlinx.org
         QAContact: qa-bugs@suse.de
          Found By: ---
           Blocker: ---

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.28) Gecko/20120306 Firefox/3.6.28

Someone hard coded bash to execute /bin/sh to execute user scripts that don't have a #!/bin/bash at the top. This is abnormal and confusing. Scripts should be executed with the user's login shell or $SHELL, not /bin/sh.

I often type in one-liners that evolve into a short script that I'll edit, but I get different execution results if I edit the command line in 'vim' (for example), vs. if I save the file and then try to execute it. That is counter-intuitive.

This is also something that is a SuSE-only patch -- i.e. when I asked about it on the bash list and was pointed at the source, I found the normal code had been #ifdef'ed out, and some hard-coded references to /bin/sh had been put in to always run.

Please don't override the user's choice of shells. I've been told that bash is the system shell -- so why invoke it as /bin/sh which invokes incompatible behavior?

Reproducible: Always

Steps to Reproduce:
1. Type "while read fn;do ls -l "$fn"; done < <('ls' -1)" into bash and notice it works.
2. Now put that line into a file and try running it (also in bash) and notice it doesn't.

Actual Results:
/tmp/t: line 3: syntax error near unexpected token `<'
/tmp/t: line 3: `done < <('ls' -1)'

Expected Results:
list of files in long format

This is broken in 12.1 and is still broken in 12.3.

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=806628#c

L. A. Walsh <suse@tlinx.org> changed:

           What    |Removed     |Added
----------------------------------------------------------------------------
           Priority|P5 - None   |P1 - Urgent
           Version |RC 1        |Final
           Severity|Major       |Critical
https://bugzilla.novell.com/show_bug.cgi?id=806628#c1

--- Comment #1 from L. A. Walsh <suse@tlinx.org> 2013-03-08 18:00:06 PST ---

This is a security bug and needs to be fixed. I don't see how to mark this bug as a security bug and have it closed off to the public though, so am not sure I should explain the details, but they are rocket science...
https://bugzilla.novell.com/show_bug.cgi?id=806628#c

L. A. Walsh <suse@tlinx.org> changed:

           What    |Removed     |Added
----------------------------------------------------------------------------
           Blocks  |            |808499
https://bugzilla.novell.com/show_bug.cgi?id=806628#c2

--- Comment #2 from L. A. Walsh <suse@tlinx.org> 2013-03-08 18:10:33 PST ---

oops.. insert 'not' as 3rd word to the end of last comment ;-)

See bug #808499 for more details.
https://bugzilla.novell.com/show_bug.cgi?id=806628#c3

Lars Müller <lmuelle@suse.com> changed:

           What      |Removed                                    |Added
----------------------------------------------------------------------------
           Component |Basesystem                                 |Security
           AssignedTo|bnc-team-screening@forge.provo.novell.com  |security-team@suse.de

--- Comment #3 from Lars Müller <lmuelle@suse.com> 2013-03-09 13:51:43 CET ---

If you count this as a security issue please select 'Component: Security' to enable access limitation as done with this comment.
https://bugzilla.novell.com/show_bug.cgi?id=806628#c4

Marcus Meissner <meissner@suse.com> changed:

           What      |Removed                |Added
----------------------------------------------------------------------------
           CC        |                       |meissner@suse.com, security-team@suse.de
           AssignedTo|security-team@suse.de  |werner@suse.com

--- Comment #4 from Marcus Meissner <meissner@suse.com> 2013-03-09 13:49:50 UTC ---

This does not look like a security bug, more a question of shell standard compliance. Let's ask Werner.
https://bugzilla.novell.com/show_bug.cgi?id=806628#c5

--- Comment #5 from Marcus Meissner <meissner@suse.com> 2013-03-09 13:50:29 UTC ---

*** Bug 808499 has been marked as a duplicate of this bug. ***
http://bugzilla.novell.com/show_bug.cgi?id=808499
https://bugzilla.novell.com/show_bug.cgi?id=806628#c6

--- Comment #6 from L. A. Walsh <suse@tlinx.org> 2013-03-09 06:25:29 PST ---

Since the bug marked as non-public was closed, I'll copy the parts that make this security relevant here.

If a user has shell 'rbash', and has any means to create a file and execute it, the following script in a file will give them an unrestricted shell. (Not root, but if the intent was to restrict the user, this patch breaks it.)

I would strongly suggest not including the patch in the bash-rpm sources called "bash-3.2-longjmp.dif" that patches bash source file execute_cmd.c to ignore the shell the user started with and execute any new script source that doesn't start with "#!..." under /bin/sh. This elevates restricted users to a non-restricted shell.

----script------
# see what we can do w/suse's patch
echo in script, 0=$0,
exec /bin/bash -i
https://bugzilla.novell.com/show_bug.cgi?id=806628#c7

Dr. Werner Fink <werner@suse.com> changed:

           What      |Removed         |Added
----------------------------------------------------------------------------
           Priority  |P1 - Urgent     |P4 - Low
           Component |Security        |Basesystem
           AssignedTo|werner@suse.com |bnc-team-screening@forge.provo.novell.com
           Severity  |Critical        |Minor

--- Comment #7 from Dr. Werner Fink <werner@suse.com> 2013-03-11 07:47:37 UTC ---

Q: Why is this a security issue? Not using a shebang line due to lazy writing of Bourne shell code or bash code has nothing to do with security. A shell script should always show a shebang line. Otherwise tcsh users or users with any other shell not identical with the bash will run into trouble.
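Werner's position above is that the script's own first line, not the caller's shell, should decide the interpreter. As an added example that is not part of the bug thread, the following POSIX sh functions audit a directory for executable files that lack a shebang line, the files whose behaviour the thread shows depending on whether the invoking bash is patched; the function names and the constructed sample scripts are mine.

```shell
#!/bin/sh
# Added example, not code from the bug report: audit executable files for a
# missing "#!" line. A script without one is run by whatever the invoking
# shell decides (the thread shows the patched openSUSE bash handing it to
# /bin/sh, while stock bash re-executes it with itself), so its behaviour
# depends on the caller. Uses only POSIX sh, head, find, wc and tr.

# Print the interpreter path named by FILE's shebang, or "NONE" when the
# first line does not start with "#!". Returns 0 only when a usable
# interpreter was found.
shebang_of() {
    first=$(head -n 1 < "$1")
    case $first in
        '#!'*)
            rest=${first#'#!'}                 # drop the "#!" marker
            rest=${rest#"${rest%%[! ]*}"}      # drop blanks after it
            interp=${rest%% *}                 # keep only the interpreter
            if [ -n "$interp" ]; then
                printf '%s\n' "$interp"
                return 0
            fi ;;
    esac
    printf 'NONE\n'
    return 1
}

# List, one per line, every user-executable regular file under DIR whose
# first line is not a shebang.
find_missing_shebang() {
    find "$1" -type f -perm -100 | while IFS= read -r f; do
        shebang_of "$f" >/dev/null || printf '%s\n' "$f"
    done
}

# Number of offenders under DIR, printed as a bare integer.
count_missing_shebang() {
    find_missing_shebang "$1" | wc -l | tr -d ' '
}

# Usage: build a scratch directory with constructed scripts and audit it.
# "bare.sh" holds the reporter's one-liner without a header; "good.sh"
# names bash explicitly and is therefore not reported.
demo_audit() {
    dir=$(mktemp -d)
    printf '#!/bin/bash\necho hello\n' > "$dir/good.sh"
    printf 'while read fn; do ls -l "$fn"; done < <(ls -1)\n' > "$dir/bare.sh"
    printf 'just data, not executable\n' > "$dir/notes.txt"
    chmod u+x "$dir/good.sh" "$dir/bare.sh"
    count_missing_shebang "$dir"      # prints 1
    rm -rf "$dir"
}
```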
https://bugzilla.novell.com/show_bug.cgi?id=806628#c8

--- Comment #8 from L. A. Walsh <suse@tlinx.org> 2013-03-11 02:39:53 PDT ---

Werner, if the user's shell is a restricted shell like rbash, you claim that elevating them to a non-restricted shell is not a security issue? You want me to ask around on the BASH list for you?
https://bugzilla.novell.com/show_bug.cgi?id=806628#c9

--- Comment #9 from L. A. Walsh <suse@tlinx.org> 2013-03-11 02:45:49 PDT ---

As for your assertion that any csh/tcsh script writer writing a casual script in their language isn't not going to be harmed if it is executed in their own language. Even the stupidest of users know to run a script in a different language with a different interpreter. They are in a shell environment. Their mindset for writing casual scripts is in that shell language. They are more likely to cause problems by having it interpreted as /bin/sh than as their own script language.

As you said -- any official scripts would have the shebang, so it's a non-issue. It's only the case for casual use scripts where they are trying to automate something and have graduated to defining it as an 'executable'. I.e. a script run under a shell without specification should run under that shell.
https://bugzilla.novell.com/show_bug.cgi?id=806628#c10

--- Comment #10 from L. A. Walsh <suse@tlinx.org> 2013-03-11 02:57:30 PDT ---

Werner said: "Otherwise tcsh users or users with any other shell not identical with the bash will run into trouble."

I'm a bash user and I'm running into trouble because you are NOT running bash. If you had run BASH I wouldn't have noticed the problem.
https://bugzilla.novell.com/show_bug.cgi?id=806628#c11

--- Comment #11 from Marcus Meissner <meissner@suse.com> 2013-03-11 16:07:48 UTC ---

Werner has already removed himself from the list of users in this bug report.

But well, I have to agree with him ... if it's in their casual language, they should use "source SCRIPT" and not "SCRIPT", expecting miracles. Their mistake is usually immediately obvious in csh vs sh scripts, less so in others.

As for the rbash security angle I had not enough time to research yet.
https://bugzilla.novell.com/show_bug.cgi?id=806628#c12

--- Comment #12 from L. A. Walsh <suse@tlinx.org> 2013-03-11 09:54:27 PDT ---

Why is there a pressing need to maintain a 5-year-old patch against a new version where it is no longer applicable?

The patch **admittedly** was to fix a problem that only occurred on SuSE Linux where a hang or SEGV happened. One has to ask, why was this a problem only on SuSE?? The likely answer is some other SuSE-only patch, possibly in a linked library, where SuSE has changed the normal behavior. This isn't the first time I've seen a SuSE patch change standard behavior based on the developer's whimsy. It happens often enough that when I first mentioned this problem on the Bash list, a response indicated that I shouldn't be surprised by non-standard behavior given that I was running SuSE.

The justification for adding the patch was a SuSE-only bug. Then the first justification for not removing it 5 years later was that even though the bug was no longer present in the current version, the code might protect against future problems of the same type -- a horrible reason to patch an upstream product and a good reason to never get rid of any patches and end up with code that acts nothing like people expect upstream products to behave.

Now it's being justified that it should be kept on the specious claim that it doesn't strictly go against POSIX requirements -- ignoring the fact that it shouldn't have been necessary in the first place, and the fact that it is no longer needed.

Adding injury to malpractice, if the user is running under rsh or rbash, and executes a header script, their shell is reset, allowing them access to an unrestricted shell.

What research is needed to verify that other than trying it with a simple test case, I don't know, but as Werner and others don't think it's a problem, maybe he's right, and escalation of privilege out of a restricted shell isn't regarded as a security problem. I'll have to ask around...
https://bugzilla.novell.com/show_bug.cgi?id=806628#c13

--- Comment #13 from Bernhard Wiedemann <bwiedemann@suse.com> 2013-03-15 17:00:17 CET ---

This is an autogenerated message for OBS integration:
This bug (806628) was mentioned in
https://build.opensuse.org/request/show/159581 Factory / bash
https://bugzilla.novell.com/show_bug.cgi?id=806628#c14

Sebastian Krahmer <krahmer@suse.com> changed:

           What      |Removed     |Added
----------------------------------------------------------------------------
           Status    |NEW         |RESOLVED
           Resolution|            |FIXED

--- Comment #14 from Sebastian Krahmer <krahmer@suse.com> 2013-03-18 08:46:40 UTC ---

Security team has reviewed the rbash vector and consider it not relevant. rbash is not really a security protection anyway (think perl -e 'system("./a.out");')

Also Werner has submitted a bash that disables the patch for openSUSE Factory.

closing
https://bugzilla.novell.com/show_bug.cgi?id=806628#c15

--- Comment #15 from L. A. Walsh <suse@tlinx.org> 2013-03-18 15:20:02 PDT ---

(In reply to comment #14)
> Security team has reviewed the rbash vector and consider it not relevant. rbash is not really a security protection anyway (think perl -e 'system("./a.out");')
> Also Werner has submitted a bash that disables the patch for openSUSE Factory.
> closing

Certainly if you wanted rbash to provide any security, anything that allows arbitrary command execution causes a problem. As I find it difficult to imagine anyone using rbash as a security mechanism, I will not disagree with it being inadequate -- to the point that I asked why it shouldn't be removed on the bash list. One issue mentioned was "rbash is an optional feature. You can easily remove it by configuring bash with --disable-restricted". If SUSE doesn't think it is useful, they don't have to supply it. It's not required by POSIX (nor by me for that matter).

Others followed up with the idea that maybe wording emphasizing its low security usefulness should be added to the manpage... no commitments (or comments) after that point....
https://bugzilla.novell.com/show_bug.cgi?id=806628#c16

--- Comment #16 from Bernhard Wiedemann <bwiedemann@suse.com> 2013-03-21 14:01:03 CET ---

This is an autogenerated message for OBS integration:
This bug (806628) was mentioned in
https://build.opensuse.org/request/show/160437 Factory / bash
https://bugzilla.novell.com/show_bug.cgi?id=806628#c17

--- Comment #17 from Bernhard Wiedemann <bwiedemann@suse.com> 2013-07-22 14:00:47 CEST ---

This is an autogenerated message for OBS integration:
This bug (806628) was mentioned in
https://build.opensuse.org/request/show/183978 Maintenance /
https://build.opensuse.org/request/show/183979 Maintenance /
https://bugzilla.novell.com/show_bug.cgi?id=806628#c18

--- Comment #18 from Swamp Workflow Management <swamp@suse.de> 2013-07-29 13:06:32 UTC ---

openSUSE-RU-2013:1271-1: An update that has 7 recommended fixes can now be installed.

Category: recommended (low)
Bug References: 382214,763591,793536,804551,806628,820149,828877
CVE References:
Sources used:
openSUSE 12.2 (src): bash-4.2-51.13.1