TPE and shell scripts

Discuss and suggest new grsecurity features

TPE and shell scripts

Postby DataGhost » Wed Oct 10, 2012 5:09 am

It seems to be impossible to execute shell scripts without first invoking a shell, when TPE is enabled. For example:
Code: Select all
$ ./test.sh
-su: ./test.sh: /bin/bash: bad interpreter: Permission denied
$ bash ./test.sh
hi
$ cat test.sh
#!/bin/bash
echo "hi"

I'd expect both commands to give the same result, actually. As it's hard to prevent (from the kernel) interpreters from executing scripts I'd expect both commands to greet me, as the second one did.

So, my idea is that an extra option (or just code) is added to allow executing of scripts in this manner. As long as the interpreter conforms to TPE, the script should be executed. In this case I'm having trouble using gitolite with TPE, the repository hooks cannot be executed because they're owned by user git (which is in my untrusted group) although all those hooks are bash scripts. I could modify gitolite but I think that option is less flexible and not available in some cases.
DataGhost
 
Posts: 1
Joined: Wed Oct 10, 2012 4:02 am

Re: TPE and shell scripts

Postby spender » Tue Oct 23, 2012 5:36 pm

It's not possible to do anything about the second case. You could just as well just type the commands present in the shell script directly into your current shell session. This has been stated since the very beginning of TPE's introduction. You need to either limit access to interpreters, or provide hardened interpreters.

Some previous information on this same subject:
viewtopic.php?f=3&t=296&hilit=tpe+interpreter
http://insanitybit.wordpress.com/2012/0 ... tables-10/

-Brad
spender
 
Posts: 2185
Joined: Wed Feb 20, 2002 8:00 pm


Return to grsecurity development