[arch-general] A good time to switch to dash as /bin/sh?

Doug Newgard scimmia at archlinux.info
Fri Sep 26 09:50:18 EDT 2014

On 2014-09-26 07:29, lolilolicon wrote:
> On Fri, Sep 26, 2014 at 8:13 PM, Martti Kühne <mysatyre at gmail.com> 
> wrote:
>> On Fri, Sep 26, 2014 at 2:06 PM, Mailing Lists
>> <mailinglists at hawkradius.com> wrote:
>>> Even if we agree to shift /bin/sh to dash, I'm not sure that it'll 
>>> make
>>> that much of a difference. From what I've read, most of the problems
>>> come from CGI scripts which invoke bash, and ssh post-authentication.
>>> I'm not saying that these are the only vectors of attack, no, but 
>>> these
>>> are the ones which are mentioned the most. Since bash is not 
>>> generally
>>> used remotely (except in the case of sshing to a remote machine), I
> The problem is on many systems /bin/sh is linked to bash -- which is 
> why
> this bug is so widespread / severe. /bin/sh is "the single biggest
> UNIX loophole", so let's make it a bit smaller by switching it to
> something minimal, such as dash.

Why? Why is that the problem? What attack vector is available because of 
this? Give me specifics, not theoretical, non-existent examples.

>>> doubt that removing bashisms from most such scripts will really make
>>> much difference in security. How many of these scripts are even 
>>> called
>>> remotely? How many of them actually form an attack surface? Do you 
>>> have
>>> any data for that? Without actually having this data, it seems
>>> irresponsible to talk about shifting.
>> Removing bashisms would not have any inpact in security but rather
>> enable us switching /bin/sh away from /usr/bin/bash. Which we in
>> general appear to agree on?
> Indeed.
> We're not talking about this specific bash bug here. We're not even
> talking about security specifically, although it would be an important
> side effect.
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: pubkey.asc
URL: <http://mailman.archlinux.org/pipermail/arch-general/attachments/20140926/2be55610/attachment.ksh>

More information about the arch-general mailing list