On 26 September 2014 16:40, Maarten de Vries <maarten@de-vri.es> wrote:
On 26 September 2014 16:34, Doug Newgard <scimmia@archlinux.info> wrote:
On 2014-09-26 09:29, Maarten de Vries wrote:
On 26 September 2014 16:25, Doug Newgard <scimmia@archlinux.info> wrote:
Wrong, they DO call bash by name. The main issues are with ssh, which
uses the user's specified interactive shell, and with Apache's mod_cgi and mod_cgid, which do call bash. Again, stop providing non-existent FUD and give real-world examples of where having /bin/sh linked to something else would have mitigated this.
Some programs may call bash by name, but many will just use system() and get bash without asking for it.
From man 3 system:
The system() library function uses fork(2) to create a child process that
executes the shell command specified in command using execl(3) as follows: execl("/bin/sh", "sh", "-c", command, (char *) 0);
Instead of theorizing that "many" will do this, give a real world example of where this happens and would have reduced the attack surface of the bug in question.
So you do not find "any program that calls system()" specific and scary enough? I do.
I do have a real world example actually, although not because of the use of system(). I host the code of some private projects on my own server using gitolite. Gitolite has a dedicated user with the shell set to /bin/sh. Gitolite uses ssh's force-command option to restrict access based on which private/public key was used to authenticate, and the original command ends up in SSH_ORIGINAL_COMMAND and could be used to trigger the bash bug. This would not have been possible if /bin/sh was not bash.
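An added audit script, not part of the thread and not gitolite's or Arch's own code, that checks the two things discussed above from a defender's side: which binary actually runs when something goes through `/bin/sh` the way system(3) does (`sh -c`), and which local accounts have a login shell that ends up in bash, including dedicated service accounts like the gitolite user whose shell is `/bin/sh`. The passwd sample is constructed for the example; `readlink -f` and `/bin/sh` being present are assumptions.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Audits whether "sh" on
# this host is really bash and which accounts would be affected by that.

# Report the real binary behind /bin/sh (follows symlinks). Falls back to
# the literal path where readlink -f is unavailable (assumption: GNU/busybox).
resolve_sh() {
    readlink -f /bin/sh 2>/dev/null || echo /bin/sh
}

# Mirror what system(3) does, "sh -c <command>", and ask the resulting shell
# whether it is bash: only bash sets BASH_VERSION. Prints "bash" or "other".
shell_behind_sh_c() {
    if [ -n "$(sh -c 'printf %s "$BASH_VERSION"')" ]; then
        echo bash
    else
        echo other
    fi
}

# Constructed /etc/passwd-style sample for the demonstration (not real accounts).
# The "git" entry mirrors the gitolite setup from the thread: a dedicated
# user whose login shell is /bin/sh, reached through an ssh forced command.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
git:x:1001:1001:gitolite:/var/lib/gitolite:/bin/sh
alice:x:1002:1002::/home/alice:/bin/zsh
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin'

# Print "user shell" for every account whose login shell is bash, counting
# /bin/sh as bash when $2 says so.
#   $1 = passwd-format text, $2 = "bash" or "other" (what /bin/sh really is)
accounts_on_bash() {
    passwd_data=$1
    sh_kind=$2
    printf '%s\n' "$passwd_data" | while IFS=: read -r user _ _ _ _ _ shell; do
        case "$shell" in
            */bash)
                printf '%s %s\n' "$user" "$shell"
                ;;
            /bin/sh)
                if [ "$sh_kind" = bash ]; then
                    printf '%s %s\n' "$user" "$shell"
                fi
                ;;
        esac
    done
}

# Stand-alone run: report the host's situation against the sample accounts.
audit_host() {
    kind=$(shell_behind_sh_c)
    echo "/bin/sh -> $(resolve_sh) (sh -c runs: $kind)"
    echo "accounts whose login shell ends up in bash:"
    accounts_on_bash "$SAMPLE_PASSWD" "$kind"
}

audit_host
```

On a host where `/bin/sh` is dash, only the `root` line is reported; where it is bash, the `git` service account joins the list, which is exactly the extra exposure the thread argues about. Replace `SAMPLE_PASSWD` with `$(cat /etc/passwd)` to run it against real accounts.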