When bash
is invoked in setuid (or setgid) context, that is when the effective uid is different from the real uid, then bash
drops the privileges (sets the effective uid back to the real uid).
Exception to that is when using the -p
or -o privileged
(the SHELLOPTS
variable is ignored, so privileged
in there as well) or when invoked as sh
.
In that case though, functions are not imported from the environment (nor are things like BASH_ENV
, BASH_OPTS
, SHELLOPTS
for the same obvious reasons).
If they were, you wouldn't need the shellshock vulnerability to exploit it. Just exporting an echo
function (or anything called by the script including paths like /bin/mount
) would do.
Some setuid commands may chose to set the ruid to the euid. If they do and don't sanitize the environment and call bash (or any other shell), then game's over, shellshock vulnerability or not.
The libc's dynamic linker takes care of removing some variables that affect the libc or linker (LD_PRELOAD, LOCPATH, LD_LIBRARY_PATH...), but it's up to the setuid application to clear the rest if they invoke other commands like a shell (or python, or any other command whose behaviour can be controlled with environment variables), the typical sane approach being to clear everything except a sanitized whitelist.
A typical example of such an application is sudo
.
By default (with the env_reset
option on), sudo
clears the environment, sets a few (like PATH
, HOME
, SUDO_USER
...) and whitelists a few after checking their content like TERM
or DISPLAY
. Part of that checking specially takes care of variables whose content starts with ()
.
If env_reset
is off (disabled by the user/administrator), then sudo
still blacklists a few variables that affect various shells or other common tools (like PS4
, BASH_ENV
...) and those whose content starts with ()
.
So shellshock cannot be exploited by doing:
DISPLAY='() {(:);}; ouch;}' sudo trusted-bash-script
Now, it's possible that there are setuid commands out there that set ruid and don't check for variables that start with ()
and invoke bash
(possibly indirectly), but again no need for the shellshock bug to exploit those.
A possible exception to that is apache's suexec
. As far as I know, suexec
sanitizes the environment but only white-lists some variables based on their name, not their content. Without CVE-2014-6271, that wouldn't be a concern as those variables names like QUERYSTRING
, HTTP_USER_AGENT
are not likely to match the name of a command, so it wasn't deemed necessary to block variables whose content starts with "() {"
, but in practice that means it's exposed to CVE-2014-6271.