Bash recursion insecurity

Vladimir A. Pavlov pv4 at bk.ru
Sun Sep 24 04:33:52 PDT 2006


On Sunday 24 September 2006 09:25, Kevin Day wrote:
> I've been thinking about the well known recursive security issues with
> a program calling itself over and over again. In this case, with bash.
> 
> Something like:
> 
> $  #!/bin/bash
> $  $0 &
> $  $0 &
> $  exec $0 # just for kicks
> 
> [snip]
>
> I've been wondering if I should make a patch for patch that extends
> some sort of memory (double-pointed list?) so that when bash executes
> commands from child scripts, it will not allow the parent script to be
> called.

If the problem you're trying to solve is really the bad security of
recursive behaviour, then I don't recommend that you make the patch, since
this behaviour is the "standard". In other words, the patch may break
_correct_ scripts written in this manner.

> some people, perhaps isolated embedded systems, may actually need
> recursion in this manner
> I can see a fix for this by doing #ifdefs and a compile time
> --enable-recursive-calls

Making such a patch is similar to a patch that would allow/disallow
installing the "rm" program when installing coreutils just because the
command can be used for removing important files on a system.

-- 
Nothing but perfection
pv
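
Added example, not part of the original message and not code from bash or HLFS: the "remember the parent scripts" idea from the quoted proposal, done inside a script through an exported variable instead of inside bash. The names SCRIPT_CHAIN, chain_contains and chain_enter are hypothetical, invented for this sketch.

```shell
#!/bin/bash
# Added example: per-script re-entry guard carried in the environment.
# SCRIPT_CHAIN, chain_contains and chain_enter are hypothetical names.
# The variable is inherited through the environment, so this catches
# accidental re-entry only; it is not an enforcement boundary.

# Return 0 if path $1 is already listed in the newline-separated chain $2.
chain_contains() {
    local target="$1" entry
    while IFS= read -r entry; do
        [ "$entry" = "$target" ] && return 0
    done <<EOF
$2
EOF
    return 1
}

# Append path $1 to SCRIPT_CHAIN and export it so child scripts inherit it.
# Returns 1 and records nothing when the script is already an ancestor.
chain_enter() {
    local self="$1"
    if chain_contains "$self" "${SCRIPT_CHAIN:-}"; then
        echo "refusing to re-enter $self (already in call chain)" >&2
        return 1
    fi
    SCRIPT_CHAIN="${SCRIPT_CHAIN:+$SCRIPT_CHAIN
}$self"
    export SCRIPT_CHAIN
    return 0
}

# Intended use as the first line of a script, with the path resolved so
# that ./a.sh and /full/path/a.sh compare equal:
#   chain_enter "$(readlink -f "$0")" || exit 1
```

A script that legitimately calls itself is refused by the same check, which is the breakage of correct scripts the reply above warns about.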



More information about the hlfs-dev mailing list