This is confirmed as a bug.  It appears as if the Red Hat rpm needs to be
patched and distributed.

Subject: Re: rbash 2.05b security hole (fwd)  View Full Header
View Printable Version
From: Chet Ramey <chet@nike.ins.cwru.edu> 
Date: Mon, November 25, 2002 9:04 am 
Cc: chet@po.cwru.edu 
> ---------- Forwarded message ----------
> Date: Thu, 14 Nov 2002 17:14:19 -0600 (CST)
> From: Howard Atlas
> To: bug-bash@gnu.org
> Subject: rbash 2.05b security hole
> 
> rbash is not supposed to allow any commands that include a "/".  See below:
> 
> 
> Display version of bash:
>       piggy$ /bin/bash --version
>       GNU bash, version 2.05b.0(1)-release (i686-pc-linux-gnu)
>       Copyright (C) 2002 Free Software Foundation, Inc.
> Show what shell we are using:
>       piggy$ echo $0
>       -rbash
> Run a command using "/" in it?? not allowed in rbash??
>       piggy$ /usr/bin/whoami

It's a bug.  Bash mishandles `-rbash' and does not enable restricted mode.
It's been fixed for a while.  Try this patch and see if you like it.

*** ../bash-2.05b-patched/shell.c        Mon Jul  1 11:27:11 2002
--- shell.c        Sat Oct 12 14:41:10 2002
***************
*** 1083,1086 ****
--- 1083,1088 ----
  
    temp = base_pathname (name);
+   if (*temp == '-')
+     temp++;
    if (restricted || (STREQ (temp, RESTRICTED_SHELL_NAME)))
      {


Chet Ramey, ITS, CWRU    chet@po.CWRU.Edu    http://cnswww.cns.cwru.edu/~chet/

Fixed package is bash-2.05b-11, which will shortly appear in rawhide.

This is my first time reporting a bug; when will the updated package be listed 
as an offical update to RH 8.0 (i.e. available via up2date)?

Thanks.

I'm not sure that this problem is serious enough to warrant an advisory at the
moment.

Shouldn't someone who buys RH 8.0 and then performs an update using RHN expect
the product to be updated to the best of the vendor's capabilities?

How does a user know when to download a package from rawhide, and when to
download a package from updates?

I updated bash to Raw Hide version 2.05b-20, but the bug
still seems to be there. As reported by hatlas, everything's
fine if rbash is executed from another shell, but
no restrictions are applied if rbash is used as login shell.
Anyone have this working properly on Red Hat 8.0?

Latest Raw Hide RPM (2.05b-21) doesn't work either.
This bug has been discussed on Bash mailing list, see
http://mail.gnu.org/archive/html/bug-bash/2003-01/msg00074.html

This is the patch suggested:

--- bash-2.05b/shell.c.ORI	2003-01-16 12:23:56.000000000 +0100
+++ bash-2.05b/shell.c	2003-01-16 12:25:52.000000000 +0100
@@ -1065,7 +1065,7 @@
   if (restricted)
     return 1;
   temp = base_pathname (name);
-  return (STREQ (temp, RESTRICTED_SHELL_NAME));
+  return ( (STREQ (temp, RESTRICTED_SHELL_NAME)) || (STREQ (temp,
("-"RESTRICTED_SHELL_NAME))) );
 }
 
 /* Perhaps make this shell a `restricted' one, based on NAME.  If the
@@ -1082,7 +1082,7 @@
   char *temp;
 
   temp = base_pathname (name);
-  if (restricted || (STREQ (temp, RESTRICTED_SHELL_NAME)))
+  if (restricted || (STREQ (temp, RESTRICTED_SHELL_NAME)) || (STREQ (temp,
("-"RESTRICTED_SHELL_NAME))) )
     {
       set_var_read_only ("PATH");
       set_var_read_only ("SHELL");

Thanks, but please try bash-2.05b-22 when it appears in rawhide.  It contains a
patch which I think is equivalent (and slightly better IMHO).

I seem to have forgotten to add a comment to that effect when closing this bug
yesterday; sorry.

An errata has been issued which should help the problem described in this bug report. 
This report is therefore being closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, please follow the link below. You may reopen 
this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2003-140.html