Hacker News new | past | comments | ask | show | jobs | submit login

Is there a way of preventing functions from being imported from the environment, but still allowing some variables in?

My experiments with

#!/usr/bin/env -i sh


#!/usr/bin/env - sh

...have not obtained what I'm after.

The problem being that functions take precedence over names in the file system, so

    bash-4.2$ env '/bin/cp=() { echo oops;}' /bin/sh -c '/bin/cp /tmp/foo /tmp/bar'

If an attacker can fully control the name of an injected environment variable, then you've lost already. The attacker can override LD_PRELOAD, which is an environment variable honored by the Linux kernel itself.

LD_PRELOAD is not honored for setuid executables, but you're right, we don't want to go there.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact