From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

Description of problem:
By design, rbash is supposed to restrict use of cd and execution of commands with "/". This works on my RH7.2 box, but not on RH8.0

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. ln -s /bin/bash2 /bin/rbash; echo "/bin/rbash" >> /etc/shells
2. useradd unknown -s /bin/rbash
3. login as unknown, echo $0 shows -rbash, but can use cd and /

Actual Results:
From within a /bin/bash shell, executing /bin/rbash does yield the correct results with cd and "/", but using /etc/passwd and using login, sshd, or su bash is not restricted.

Expected Results:
Having /bin/rbash as the shell in /etc/passwd should put the user into a restricted shell that does not allow cd or commands to be executed with /

Additional info:

Display version of bash:
piggy$ /bin/bash --version
GNU bash, version 2.05b.0(1)-release (i686-pc-linux-gnu)
Copyright (C) 2002 Free Software Foundation, Inc.
Show what shell we are using:
piggy$ echo $0
-rbash
Run a command using "/" in it?? not allowed in rbash??
piggy$ /usr/bin/whoami
piggy
Show what our path is:
piggy$ echo $PATH
/usr/restricted/bin
piggy$
This is confirmed as a bug. It appears as if the Red Hat rpm needs to be patched and distributed.

Subject: Re: rbash 2.05b security hole (fwd)
From: Chet Ramey <chet.cwru.edu>
Date: Mon, November 25, 2002 9:04 am
Cc: chet.edu

> ---------- Forwarded message ----------
> Date: Thu, 14 Nov 2002 17:14:19 -0600 (CST)
> From: Howard Atlas
> To: bug-bash
> Subject: rbash 2.05b security hole
>
> rbash is not supposed to allow any commands that include a "/". See below:
>
>
> Display version of bash:
> piggy$ /bin/bash --version
> GNU bash, version 2.05b.0(1)-release (i686-pc-linux-gnu)
> Copyright (C) 2002 Free Software Foundation, Inc.
> Show what shell we are using:
> piggy$ echo $0
> -rbash
> Run a command using "/" in it?? not allowed in rbash??
> piggy$ /usr/bin/whoami

It's a bug. Bash mishandles `-rbash' and does not enable restricted mode. It's been fixed for a while. Try this patch and see if you like it.

*** ../bash-2.05b-patched/shell.c Mon Jul 1 11:27:11 2002 --- shell.c Sat Oct 12 14:41:10 2002 *************** *** 1083,1086 **** --- 1083,1088 ---- temp = base_pathname (name); + if (*temp == '-') + temp++; if (restricted || (STREQ (temp, RESTRICTED_SHELL_NAME))) {

Chet Ramey, ITS, CWRU chet.Edu http://cnswww.cns.cwru.edu/~chet/
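Review bot: in the hunk at 1083, the added "if (*temp == '-') temp++;" carries no comment saying why a leading dash is skipped. A one-line comment that a login shell is started with '-' prefixed to its name (the -rbash that echo $0 prints in the report) would record the intent. The hunk changes only this one comparison against RESTRICTED_SHELL_NAME, so any other place that compares base_pathname (name) to RESTRICTED_SHELL_NAME needs the same dash handling, preferably through one shared helper so the sites cannot disagree.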
Fixed package is bash-2.05b-11, which will shortly appear in rawhide.
This is my first time reporting a bug; when will the updated package be listed as an official update to RH 8.0 (i.e. available via up2date)? Thanks.
I'm not sure that this problem is serious enough to warrant an advisory at the moment.
Shouldn't someone who buys RH 8.0 and then performs an update using RHN expect the product to be updated to the best of the vendor's capabilities? How does a user know when to download a package from rawhide, and when to download a package from updates?
I updated bash to Raw Hide version 2.05b-20, but the bug still seems to be there. As reported by hatlas, everything's fine if rbash is executed from another shell, but no restrictions are applied if rbash is used as login shell. Anyone have this working properly on Red Hat 8.0?
Latest Raw Hide RPM (2.05b-21) doesn't work either. This bug has been discussed on Bash mailing list, see http://mail.gnu.org/archive/html/bug-bash/2003-01/msg00074.html This is the patch suggested: --- bash-2.05b/shell.c.ORI 2003-01-16 12:23:56.000000000 +0100 +++ bash-2.05b/shell.c 2003-01-16 12:25:52.000000000 +0100 @@ -1065,7 +1065,7 @@ if (restricted) return 1; temp = base_pathname (name); - return (STREQ (temp, RESTRICTED_SHELL_NAME)); + return ( (STREQ (temp, RESTRICTED_SHELL_NAME)) || (STREQ (temp, ("-"RESTRICTED_SHELL_NAME))) ); } /* Perhaps make this shell a `restricted' one, based on NAME. If the @@ -1082,7 +1082,7 @@ char *temp; temp = base_pathname (name); - if (restricted || (STREQ (temp, RESTRICTED_SHELL_NAME))) + if (restricted || (STREQ (temp, RESTRICTED_SHELL_NAME)) || (STREQ (temp, ("-"RESTRICTED_SHELL_NAME))) ) { set_var_read_only ("PATH"); set_var_read_only ("SHELL");
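Review bot: in the -1065 hunk, the new return expression builds the login name as ("-"RESTRICTED_SHELL_NAME), which compiles only while RESTRICTED_SHELL_NAME stays a string literal macro. Skipping a leading '-' in temp before the existing single STREQ would remove that dependency and the second comparison. The doubled parentheses and the space after the opening parenthesis also differ from the style of the surrounding lines.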
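Review bot: the -1082 hunk repeats the same two-way STREQ test that the -1065 hunk adds, so the rule for which names count as restricted now lives in two places. The function patched in the first hunk already returns 1 when restricted is set, so this if could call it, or both could share one helper, and the two sites could then not drift apart. A short comment that "-rbash" is the name a login shell sees would document why the extra comparison exists.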
Thanks, but please try bash-2.05b-22 when it appears in rawhide. It contains a patch which I think is equivalent (and slightly better IMHO). I seem to have forgotten to add a comment to that effect when closing this bug yesterday; sorry.
An errata has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2003-140.html
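The name check at issue in this report, as an added example that is not part of the thread and is not bash source: it models the pre-patch comparison and the two patches quoted above, run over constructed argv[0] values. last_component() is a hypothetical stand-in for base_pathname(), the three function names are made up for the illustration, and the separate restricted flag is left out.

```c
/* Added illustration; not bash source. Models the argv[0] name check. */
#include <stdio.h>
#include <string.h>

#define RESTRICTED_SHELL_NAME "rbash"

/* Hypothetical stand-in for base_pathname(): text after the last '/'. */
static const char *last_component(const char *name)
{
    const char *slash = strrchr(name, '/');
    return slash ? slash + 1 : name;
}

/* Check before either patch: exact match only, so "-rbash" is missed. */
int restricted_by_name_unpatched(const char *name)
{
    return strcmp(last_component(name), RESTRICTED_SHELL_NAME) == 0;
}

/* First patch in the thread: skip one leading '-' and then compare. */
int restricted_by_name_skip_dash(const char *name)
{
    const char *temp = last_component(name);
    if (*temp == '-')
        temp++;
    return strcmp(temp, RESTRICTED_SHELL_NAME) == 0;
}

/* Second patch in the thread: also accept the literal "-rbash". */
int restricted_by_name_two_literals(const char *name)
{
    const char *temp = last_component(name);
    return strcmp(temp, RESTRICTED_SHELL_NAME) == 0
        || strcmp(temp, "-" RESTRICTED_SHELL_NAME) == 0;
}

int main(void)
{
    /* Constructed names: direct exec, login-style (leading '-'), others. */
    const char *names[] = { "rbash", "/bin/rbash", "-rbash",
                            "-bash", "bash", "--rbash", "-" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-12s unpatched=%d skip_dash=%d two_literals=%d\n", names[i],
               restricted_by_name_unpatched(names[i]),
               restricted_by_name_skip_dash(names[i]),
               restricted_by_name_two_literals(names[i]));
    return 0;
}
```

On these inputs the two patched checks agree with each other everywhere, and differ from the unpatched check only for "-rbash", the name the login shell reports in the bug description.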