On 2014-09-26 11:46, Benjamin A. Shelton wrote:
On 09/26/2014 10:16 AM, Leonid Isaev wrote:
The bugs which started this discussion are not a big deal anyway. They will only affect scripts that don't properly sanitize the input. Such scripts have bigger problems to worry about IMHO. The SSH-related issue is also insignificant because the bug will be triggered post-auth... Cheers,
The bug can be triggered by Apache and is potentially not limited to CGI alone [1] if /bin/sh links to bash. As others have stated earlier, certain syscalls can also serve as a vector, which implies that simply avoiding CGI (FastCGI, mod_*) may not provide complete resolution.
I don't know if Arch is affected, but there's a proof of concept floating around (ab)using dhcpcd's hook scripts [2] to exploit clients on a potentially hostile network. It also appears possible that previous patches have *not* completely fixed the issue [3].
I'm just a user of Arch, and while I agree (to an extent) this issue may be overblown, I certainly don't think sticking our head in the sand, pretending it doesn't exist (or cannot affect us) is a viable long-term solution.
That said, I agree with the others here: The primary reason I'd support linking /bin/sh to dash is to favor correctness. From such a standpoint, if a script asks for /bin/sh, it should expect a POSIX-compliant sh and should not rely on bashisms (i.e. I should be able to move it to *BSD or other platforms and it ought to simply work). Therefore, I agree that any improvement in terms of security would be relegated to a convenient side effect.
[1] http://security.stackexchange.com/a/68164
[2] https://www.trustedsec.com/september-2014/shellshock-dhcp-rce-proof-concept/
[3] http://seclists.org/oss-sec/2014/q3/741
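As an added illustration of the point above (this is not code from the thread or from Arch; the function names are mine, the two canaries are the publicly circulated ones for CVE-2014-6271 and the incomplete-fix follow-up CVE-2014-7169 referenced in [3]), the following script shows what /bin/sh actually resolves to and whether a given interpreter, invoked as "sh -c" would be by system()/popen() or a CGI handler, executes the trailing command smuggled in an exported function definition. Against an unpatched bash, "shellshock_probe bash" prints "vulnerable"; if /bin/sh points at that same bash, "shellshock_probe sh" does too, which is the whole reason the symlink target matters.

```shell
#!/bin/sh
# Added example, not part of the original discussion. Assumes a Linux box
# with readlink(1) and mktemp(1); interpreter names are passed by the caller.

# Print the path /bin/sh finally resolves to (e.g. /usr/bin/bash or /usr/bin/dash).
sh_target() {
    readlink -f /bin/sh 2>/dev/null || echo /bin/sh
}

# CVE-2014-6271 canary: a function definition exported through the environment
# with a command appended after the closing brace. A vulnerable bash runs the
# appended command while importing the variable at startup, before executing
# the ':' no-op we actually asked for. Non-bash shells ignore the variable.
shellshock_probe() {
    interp="$1"
    command -v "$interp" >/dev/null 2>&1 || { echo missing; return; }
    out=$(env x='() { :;}; echo CANARY' "$interp" -c ':' 2>/dev/null)
    case "$out" in
        *CANARY*) echo vulnerable ;;
        *)        echo patched ;;
    esac
}

# CVE-2014-7169 canary (the bug left after the first patch): the truncated
# definition makes a vulnerable bash parse the '-c' argument as '>echo date',
# so a file named "echo" appears in the working directory. Run it inside a
# scratch directory so the side effect is contained and easy to detect.
shellshock_probe_7169() {
    interp="$1"
    command -v "$interp" >/dev/null 2>&1 || { echo missing; return; }
    tmp=$(mktemp -d) || return 1
    ( cd "$tmp" && env X='() { (a)=>\' "$interp" -c 'echo date' >/dev/null 2>&1 )
    if [ -e "$tmp/echo" ]; then echo vulnerable; else echo patched; fi
    rm -rf "$tmp"
}

# Summarise: where /bin/sh points and how bash and sh each fare on both probes.
report() {
    echo "/bin/sh -> $(sh_target)"
    for i in bash sh; do
        echo "$i: 6271=$(shellshock_probe "$i") 7169=$(shellshock_probe_7169 "$i")"
    done
}

# Run the report only when executed directly, not when sourced.
case "$0" in
    *shellshock*|*probe*) report ;;
esac
```

If /bin/sh is dash, both "sh" lines read "patched" regardless of the state of bash, which is the side effect the earlier messages describe; if /bin/sh is an unpatched bash, every "sh -c" spawned by a service that exports attacker-controlled environment variables (HTTP headers via CGI, DHCP options via hook scripts) becomes the vector.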
OK, we're finally getting some examples of where the sh symlink could be used to trigger this exploit. Thank you. @Benjamin A. Shelton: What do you mean you'd support it for correctness? Bash is POSIX compliant, anything that uses only POSIX sh should run correctly on Bash. If it doesn't, it should be reported upstream. Now my question for everyone else is, what will people do *WHEN* a bug is found in dash? Bash is the most tested shell code base we have, and I don't buy into the fallacy that a smaller code base is inherently more secure. Or are you simply relying on security through obscurity?