[arch-general] A good time to switch to dash as /bin/sh?

lolilolicon lolilolicon at gmail.com
Fri Sep 26 08:29:35 EDT 2014

On Fri, Sep 26, 2014 at 8:13 PM, Martti Kühne <mysatyre at gmail.com> wrote:
> On Fri, Sep 26, 2014 at 2:06 PM, Mailing Lists
> <mailinglists at hawkradius.com> wrote:
>> Even if we agree to shift /bin/sh to dash, I'm not sure that it'll make
>> that much of a difference. From what I've read, most of the problems
>> come from CGI scripts which invoke bash, and ssh post-authentication.
>> I'm not saying that these are the only vectors of attack, no, but these
>> are the ones which are mentioned the most. Since bash is not generally
>> used remotely (except in the case of sshing to a remote machine), I

The problem is on many systems /bin/sh is linked to bash -- which is why
this bug is so widespread / severe. /bin/sh is "the single biggest
UNIX loophole", so let's make it a bit smaller by switching it to
something minimal, such as dash.

>> doubt that removing bashisms from most such scripts will really make
>> much difference in security. How many of these scripts are even called
>> remotely? How many of them actually form an attack surface? Do you have
>> any data for that? Without actually having this data, it seems
>> irresponsible to talk about shifting.
> Removing bashisms would not have any inpact in security but rather
> enable us switching /bin/sh away from /usr/bin/bash. Which we in
> general appear to agree on?


We're not talking about this specific bash bug here. We're not even
talking about security specifically, although it would be an important
side effect.

More information about the arch-general mailing list