[arch-general] A good time to switch to dash as /bin/sh?

Doug Newgard scimmia at archlinux.info
Fri Sep 26 10:25:07 EDT 2014


On 2014-09-26 09:15, lolilolicon wrote:
> On Fri, Sep 26, 2014 at 9:50 PM, Doug Newgard <scimmia at archlinux.info> wrote:
>>> The problem is on many systems /bin/sh is linked to bash -- which is why
>>> this bug is so widespread / severe. /bin/sh is "the single biggest
>>> UNIX loophole", so let's make it a bit smaller by switching it to
>>> something minimal, such as dash.
>>
>>
>> Why? Why is that the problem? What attack vector is available because of
>> this? Give me specifics, not theoretical, non-existent examples.
> 
> Because the vulnerable systems do not call bash by name, they call
> /bin/sh. And they are vulnerable only because /bin/sh is linked to bash.

Wrong, they DO call bash by name. The main issues are with ssh, which 
uses the user's specified interactive shell, and with Apache's mod_cgi 
and mod_cgid, which do call bash. Again, stop providing non-existent FUD 
and give real-world examples of where having /bin/sh linked to something 
else would have mitigated this.

> 
> Specifically, only on systems where /bin/sh is bash, any ENV whose value
> starts with '() {' gets turned into a function by the shell.
> (It's being patched up, but this whole affair is telling...)
> 
> This is pretty real, unless what you want is some vivid horror story.
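
An added example, not part of the thread or of any poster's message: two checks for the two facts under dispute above, namely what `/bin/sh` actually resolves to on a host and which environment values begin with the `() {` prefix quoted in the reply. The function names and the sample input are hypothetical, and the input is assumed to be one `NAME=value` pair per line.

```shell
#!/bin/sh
# Added audit helpers (hypothetical names); not code from the mailing list.

# Print the basename of the binary that a shell path resolves to.
# $1: path to inspect (defaults to /bin/sh)
resolve_shell() {
    target=$(readlink -f "${1:-/bin/sh}") || return 1
    printf '%s\n' "${target##*/}"
}

# Read NAME=value lines on stdin and print NAME for every value that
# begins with the four characters "() {".
# Assumption: one variable per line; values containing newlines are not handled.
flag_funclike_env() {
    while IFS= read -r line; do
        case $line in
            *=*) ;;            # looks like NAME=value, keep going
            *) continue ;;     # anything else is skipped
        esac
        name=${line%%=*}       # text before the first '='
        value=${line#*=}       # text after the first '='
        case $value in
            '() {'*) printf '%s\n' "$name" ;;
        esac
    done
}

# Constructed sample input, not captured from a real system.
sample_env() {
    cat <<'EOF'
HTTP_USER_AGENT=Mozilla/5.0 (X11; Linux x86_64)
HTTP_COOKIE=() { :; }
TERM=xterm
QUERY_STRING=x=() { y; }
HTTP_REFERER=() { placeholder; }
EOF
}

# Stand-alone run: report the local /bin/sh target and the flagged sample names.
resolve_shell /bin/sh || true
sample_env | flag_funclike_env
```

On a live host the second function can be fed from `env`, for example inside a CGI wrapper before any shell is started.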