Mailing-List: contact zsh-workers-help@zsh.org; run by ezmlm
List-Id: Zsh Workers List
X-Seq: 44387
Date: Fri, 31 May 2019 13:05:13 +0100
From: Stephane Chazelas
To: Bart Schaefer, David Wells, "zsh-workers@zsh.org"
Subject: [PATCH] [doc] [repost] warnings about restricted shell (Was: Zsh - Multiple DoS Vulnerabilities)
Message-ID: <20190531120513.4q7xzkw3xjxkaxnh@chaz.gmail.com>
References: <20190512162149.3fsqupqftmwxrbvd@chaz.gmail.com>
In-Reply-To: <20190512162149.3fsqupqftmwxrbvd@chaz.gmail.com>

2019-05-12 17:21:49 +0100, Stephane Chazelas:
[...]
> At least, we should give more warning about it and recommend
> alternatives. Here's an attempt below:

I'm bringing this up again as it looks like it has stayed mostly unnoticed (except maybe by Chet ;-)).

IMO, the restricted mode should be deprecated. In any case, we should at least warn against using it.

Below was my attempt, which could definitely be improved; I hope it can serve as a basis for discussion.

See also what Chet recently added about it in the bash documentation at
https://git.savannah.gnu.org/cgit/bash.git/commit/doc/bash.info?id=52e469696418877c5b7cd7f752f5f8309ef65a38
which is more concise.

diff --git a/Doc/Zsh/restricted.yo b/Doc/Zsh/restricted.yo
index 6cf9b36b5..121e2ae8d 100644
--- a/Doc/Zsh/restricted.yo
+++ b/Doc/Zsh/restricted.yo
@@ -37,3 +37,46 @@ Restricted mode can also be activated any time by setting the tt(RESTRICTED) option. This immediately enables all the restrictions described above even if the shell still has not processed all startup files. + +A shell em(Restricted Mode) is an ancient way to restrict what users may +do. However modern systems have better, safer and more reliable ways to +confine user actions like em(chroot jails), em(containers) or em(zones). + +A restricted shell is very difficult to implement safely. That feature +may be removed in a future version of zsh. + +It's important to realise the restrictions only apply to the shell and +not to the commands it runs (except for some of its builtins). While a +restricted shell can only run the restricted list of commands accessible +via the predefined `tt(PATH)` variable, it doesn't prevent those +commands from running any other command. + +As an example, if `tt(env)' is among the list of em(allowed) commands, +then it allows the user to run any command as `tt(env)` is not a shell +builtin command and can run arbitrary executables. + +So when implementing a restricted shell framework it's important to be +fully aware of what actions each of the em(allowed) commands or features +(think em(modules)) can perform. + +Many commands can have their behaviour affected by environment +variables. Except for the few listed above, zsh doesn't restrict setting +environment variables. + +Having a `tt(perl)', `tt(python)', `tt(bash)` script as a restricted +command probably means the user can work around the restriction by +setting specially crafted `tt(PERL5LIB)', `tt(PYTHONPATH)', +`tt(BASHENV)' environment variables. On GNU systems, one can have any +command doing character set conversion (which includes zsh itself) run +arbitrary code by setting a `tt(GCONV_PATH)' environment variable, those +are only a few examples. 
+ +Bear in mind that contrary to some other shells, `tt(readonly)' is not a +security feature in zsh as it can be undone and so cannot be used to +mitigate the above. + +A restricted shell is only going to work if the allowed commands are few +and carefully written so as not to grant more access to users than +intended. It's also important to restrict what zsh module the user may +load as some of them like `tt(zsh/system)', `tt(zsh/mapfile)' or +`tt(zsh/files)' would allow bypassing most of the restrictions. -- Stephane
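Review bot: `tt(BASHENV)' in the environment-variable paragraph should be `tt(BASH_ENV)', which is the variable bash actually reads for its non-interactive startup file; as written the example names a variable that has no effect. In the same hunk the yodl quoting is inconsistent: `tt(PATH)`, `tt(env)` and `tt(bash)` close with a backtick while `tt(env)', `tt(perl)' and the rest close with an apostrophe, and `tt(env)' appears both ways in one sentence; settle on the `tt(...)' form throughout. Two smaller wording points: the end of the environment paragraph is a comma splice ("... by setting a `tt(GCONV_PATH)' environment variable, those are only a few examples.") and reads better split into "... environment variable. These are only a few examples.", and "restrict what zsh module the user may load" should be "which zsh modules". Lastly, the paragraph stating that the restrictions "only apply to the shell and not to the commands it runs" is the central warning of the whole addition; consider placing it before the chroot/containers/zones paragraph so the reader sees the limitation before the recommended alternatives.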