[arch-general] A good time to switch to dash as /bin/sh?

Doug Newgard scimmia at archlinux.info
Fri Sep 26 10:25:07 EDT 2014

On 2014-09-26 09:15, lolilolicon wrote:
> On Fri, Sep 26, 2014 at 9:50 PM, Doug Newgard <scimmia at archlinux.info> 
> wrote:
>>> The problem is on many systems /bin/sh is linked to bash -- which is 
>>> why
>>> this bug is so widespread / severe. /bin/sh is "the single biggest
>>> UNIX loophole", so let's make it a bit smaller by switching it to
>>> something minimal, such as dash.
>> Why? Why is that the problem? What attack vector is available because 
>> of
>> this? Give me specifics, not theoretical, non-existent examples.
> Because the vulnerable systems do not call bash by name, they call
> /bin/sh. And they are vulnerable only because /bin/sh is linked to 
> bash.

Wrong, they DO call bash by name. The main issues are with ssh, which 
uses the user's specified interactive shell, and with Apache's mod_cgi 
and mod_cgid, which do call bash. Again, stop providing non-existent FUD 
and give real-world examples of where having /bin/sh linked to something 
else would have mitigated this.

> Specifically, only on systems where /bin/sh is bash, any ENV whose 
> value
> starts with '() {' gets turned into a function by the shell.
> (It's being patched up, but this whole affair is telling...)
> This is pretty real, unless what you want is some vivid horror story.
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: pubkey.asc
URL: <http://mailman.archlinux.org/pipermail/arch-general/attachments/20140926/0a46f349/attachment-0001.ksh>

More information about the arch-general mailing list