Bash Shellshocked Bug Of Doom
The intertubes are currently ablaze with the news of the Bash Shellshocked bug, with the usual glut of misinformed commentary through to apocalyptic doom-mongering. What I haven't seen mentioned is that there's a relatively straightforward workaround that I think you could use if you can't get hold of a patched version of bash and you have to expose bash scripts to the outside world - which of course you shouldn't be doing anyway, right? ;-) It's to make sure that any such scripts use the -p
flag to bash when they are invoked:
$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test" vulnerable this is a test $ env x='() { :;}; echo vulnerable' bash -cp "echo this is a test" this is a test
As the bash manpage says:
-p Turn on privileged mode. In this mode, the $ENV and $BASH_ENV files are not processed, shell functions are not inherited from the environment, and the SHELLOPTS, BASHOPTS, CDPATH, and GLOBIGNORE variables, if they appear in the environment, are ignored. If the shell is started with the effective user (group) id not equal to the real user (group) id, and the -p option is not supplied, these actions are taken and the effective user id is set to the real user id. If the -p option is supplied at startup, the effective user id is not reset. Turning this option off causes the effective user and group ids to be set to the real user and group ids.
So simply add -p
to the #!/bin/bash
line at the start of your scripts, i.e. #!/bin/bash -p
. This isn't entirely devoid of side-effects, as the manpage segment says, and there may be clever ways of hacking around even this protection but I'm surprised I haven't seen it mentioned anywhere as a potential workaround.