Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Fri, 06 Jun 2014 13:12:45 +0100
From: Simon McVittie <>
Subject: Re: Re: [FD] Bug in bash <= 4.3 [security
 feature bypassed]

On 06/06/14 03:51, Jeffrey Walton wrote:
> It looks like Rage Against The Cage has been rediscovered. Also known
> as Android ADB Setuid bug.

It appears to be the same class of implementation error (calling
setuid() without checking whether it succeeded) in a different codebase
- analogous to the way lots of codebases have an off-by-one buffer
overflow, without off-by-one buffer overflows all being rediscoveries of
the same bug.

If something invokes bash (e.g. via system()) with untrusted input while
setuid, I would argue that that's a vulnerability in the invoking
process; the fact that bash tries to drop privileges is a hardening
measure (attempting to mitigate other projects' vulnerabilities). So I'd
characterize this as "bash had a hardening measure that doesn't work as
well as it was meant to". It's still a bug, and it would still be good
if the maintainers of bash fixed it so it could mitigate future

In my view, setuid[1] processes are the ones doing something unusual and
risky, so the onus should be on the authors of setuid code to:

* consider whether it actually needs to be setuid
* if it does, implement it securely
* drop privileges as soon as feasible
* avoid using libraries that are not designed and documented to be
  setuid-safe, at least until after privileges have been irrevocably

(that last point is not relevant here but is relevant in general)


[1] or setgid, or setcap +ep

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.