oss-sec mailing list archives

Re: [PATCH] implement privmode support in dash

From: Michael Samuel <mik () miknet net>
Date: Fri, 23 Aug 2013 15:59:08 +1000

On 23 August 2013 15:42, Seth Arnold <seth.arnold () canonical com> wrote:

Regardless of the answer, it is probably worth using bash's mitigation
in dash, but I'm curious if we'll make discovering future bugs in setuid
programs more difficult to spot by happenstance by doing so.


I know of one instance where this has fooled a developer into thinking that
'nice' drops privileges (because they were executing a shell script through
nice).

One could argue that the developer is at fault and that programs that use
suid bits require extra-special care - but it's often not the developer
that needs protecting.

Could an alert (via stderr or syslog) be presented when the mitigation is
activated implicitly?

Current thread:

Re: [PATCH] implement privmode support in dash, (continued)
- - Re: [PATCH] implement privmode support in dash Ludwig Nussel (Aug 23)
- Re: [PATCH] implement privmode support in dash Harald van Dijk (Aug 22)
  - Re: [PATCH] implement privmode support in dash Tavis Ormandy (Aug 22)
  - Re: [PATCH] implement privmode support in dash Jilles Tjoelker (Aug 22)
    - Re: [PATCH] implement privmode support in dash Tavis Ormandy (Aug 22)
    - Re: [PATCH] implement privmode support in dash Jérémie Courrèges-Anglas (Aug 23)
    - Re: [PATCH] implement privmode support in dash Jérémie Courrèges-Anglas (Aug 23)
    - Re: [PATCH] implement privmode support in dash Roy (Aug 23)
- Re: [PATCH] implement privmode support in dash Kurt Seifried (Aug 22)
  - Re: [PATCH] implement privmode support in dash Seth Arnold (Aug 22)
    - Re: [PATCH] implement privmode support in dash Michael Samuel (Aug 22)
  - Re: [PATCH] implement privmode support in dash Tavis Ormandy (Aug 23)
  - Re: [PATCH] implement privmode support in dash Florian Weimer (Aug 23)
- Re: [PATCH] implement privmode support in dash Tim Brown (Aug 23)