From c1c78f8a91921fe87f5672cdbdf9791f569fc8ac Mon Sep 17 00:00:00 2001
From: =?utf8?q?Renaud=20M=C3=A9trich?=
Date: Thu, 7 Jun 2018 15:42:12 +0200
Subject: [PATCH] Harden dracut against BASH_ENV environment variable
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

When dracut silently produces a broken initramfs, then the system will likely not boot and this can be very problematic. Typical use case is after the kernel has been updated. It appears that dracut is not protected against the BASH_ENV variable, causing various scripts called by dracut to possibly fail or provide wrong output (e.g. "ldd" is one of these). Having a broken output for "ldd" makes the generated initramfs be not usable, typically because vital binaries will be missing (e.g. "awk", "udevadm", ...). Note: because the shebang line cannot contain more than one argument, the '--norc' option had to be removed. IMHO, it was useless anyway.

Signed-off-by: Renaud Métrich
---
 dracut.sh | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/dracut.sh b/dracut.sh
index a4406dd94..f1821e4a3 100755
--- a/dracut.sh
+++ b/dracut.sh
@@ -1,4 +1,4 @@
-#!/bin/bash --norc
+#!/bin/bash -p
 #
 # Generator script for a dracut initramfs
 # Tries to retain some degree of compatibility with the command line
@@ -23,6 +23,8 @@
 # store for logging
 
+unset BASH_ENV
+
 # Verify bash version, current minimum is 4
 if (( BASH_VERSINFO[0] < 4 )); then
 printf -- 'You need at least Bash 4 to use dracut, sorry.' >&2
-- 
2.47.3
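Review bot: The `-p` added to the shebang in the first hunk only takes effect when dracut.sh is started through its interpreter line; if it is run as `bash dracut.sh`, shebang options are not applied and the BASH_ENV file has already been sourced by the time `unset BASH_ENV` in the second hunk executes, so that line protects only the child bash scripts dracut invokes (such as ldd), not the dracut process itself. Neither hunk documents this two-layer intent, and the second hunk's unset could be mistaken for redundant cleanup; a comment above it such as `# Child bash scripts (e.g. ldd) inherit our environment: drop BASH_ENV so a startup file cannot corrupt their output` would make it clear. The shebang deserves a why-comment as well, since `-p` also stops bash from importing functions from the environment and from honoring SHELLOPTS, BASHOPTS, CDPATH and GLOBIGNORE, and keeps the effective uid when it differs from the real one, e.g. `# -p (privileged mode): ignore $BASH_ENV/$ENV and other startup-affecting environment variables`. Those other variables are still exported to children untouched, so the same class of failure the commit message describes for ldd remains possible through CDPATH or GLOBIGNORE; unsetting those two next to BASH_ENV would be cheap to add.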