Bash Shellshocked Bug Of Doom

The intertubes are currently ablaze with the news of the Bash Shellshocked bug, with the usual glut of misinformed commentary through to apocalyptic doom-mongering. What I haven't seen mentioned is that there's a relatively straightforward workaround that I think you could use if you can't get hold of a patched version of bash and you have to expose bash scripts to the outside world - which of course you shouldn't be doing anyway, right? ;-) It's to make sure that any such scripts use the -p flag to bash when they are invoked:

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test

$ env x='() { :;}; echo vulnerable' bash -cp "echo this is a test"
this is a test

As the bash manpage says:

          -p      Turn on privileged mode.   In  this  mode,  the
                  $ENV  and  $BASH_ENV  files  are not processed,
                  shell functions  are  not  inherited  from  the
                  environment,   and   the  SHELLOPTS,  BASHOPTS,
                  CDPATH,  and  GLOBIGNORE  variables,  if   they
                  appear in the environment, are ignored.  If the
                  shell  is  started  with  the  effective   user
                  (group)  id  not equal to the real user (group)
                  id, and the -p option is  not  supplied,  these
                  actions  are taken and the effective user id is
                  set to the real user id.  If the -p  option  is
                  supplied  at  startup, the effective user id is
                  not reset.  Turning this option off causes  the
                  effective  user  and group ids to be set to the
                  real user and group ids.

So simply add -p to the #!/bin/bash line at the start of your scripts, i.e. #!/bin/bash -p. This isn't entirely devoid of side-effects, as the manpage segment says, and there may be clever ways of hacking around even this protection, but I'm surprised I haven't seen it mentioned anywhere as a potential workaround.
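As an added example (not from the original post), the shell harness below checks the claim the post relies on: a bash started with -p does not inherit shell functions from its environment, whichever export format the parent used. It assumes bash and env are on PATH; BASH_BIN, PROBE_CMD and the probe_* function names are names chosen here.

```shell
# Added example, not from the original post: check whether the bash under test
# inherits a shell function from its environment, with and without -p.
# The exported function is a no-op, so the only thing observed is whether the
# child shell ends up with a function named "probe" defined.
# Assumption: BASH_BIN names the bash to test (defaults to the one in PATH).
BASH_BIN="${BASH_BIN:-bash}"

# Command run by every child shell: report whether a function "probe" exists.
PROBE_CMD='if declare -F probe >/dev/null 2>&1; then echo imported; else echo blocked; fi'

# probe_exported_function FLAGS
# A parent bash defines "probe" and exports it with "export -f", so the
# environment carries whatever variable format this bash version emits
# (BASH_FUNC_probe%% on patched releases). It then execs a child bash with
# FLAGS, which prints "imported" or "blocked".
probe_exported_function() {
    "$BASH_BIN" -c 'probe() { :; }; export -f probe; exec "$0" $1 -c "$2"' \
        "$BASH_BIN" "$1" "$PROBE_CMD"
}

# probe_legacy_env_function FLAGS
# Same check using the pre-patch format from the post: an ordinary variable
# whose value starts with "() {". A patched bash ignores it regardless of
# FLAGS; an unpatched bash without -p would define "probe" from it.
probe_legacy_env_function() {
    env probe='() { :; }' "$BASH_BIN" $1 -c "$PROBE_CMD"
}

# Show all four combinations; with -p both cases report "blocked".
for flags in "" "-p"; do
    printf 'bash %-2s exported function : %s\n' "$flags" "$(probe_exported_function "$flags")"
    printf 'bash %-2s legacy env value   : %s\n' "$flags" "$(probe_legacy_env_function "$flags")"
done
```

Note that the shebang only takes effect when a script is executed directly; anything that starts bash another way (a `bash script.sh` invocation, or a `system()` call that goes through `/bin/sh -c`) has to pass -p on that command line itself.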
