[arch-general] A good time to switch to dash as /bin/sh?

Martti Kühne mysatyre at gmail.com
Fri Sep 26 08:13:49 EDT 2014

On Fri, Sep 26, 2014 at 2:06 PM, Mailing Lists
<mailinglists at hawkradius.com> wrote:
> Even if we agree to shift /bin/sh to dash, I'm not sure that it'll make
> that much of a difference. From what I've read, most of the problems
> come from CGI scripts which invoke bash, and ssh post-authentication.
> I'm not saying that these are the only vectors of attack, no, but these
> are the ones which are mentioned the most. Since bash is not generally
> used remotely (except in the case of sshing to a remote machine), I
> doubt that removing bashisms from most such scripts will really make
> much difference in security. How many of these scripts are even called
> remotely? How many of them actually form an attack surface? Do you have
> any data for that? Without actually having this data, it seems
> irresponsible to talk about shifting.

Removing bashisms would not have any inpact in security but rather
enable us switching /bin/sh away from /usr/bin/bash. Which we in
general appear to agree on?


More information about the arch-general mailing list