[arch-general] A good time to switch to dash as /bin/sh?

Doug Newgard scimmia at archlinux.info
Fri Sep 26 14:34:08 UTC 2014


On 2014-09-26 09:29, Maarten de Vries wrote:
> On 26 September 2014 16:25, Doug Newgard <scimmia at archlinux.info> wrote:
> 
>> On 2014-09-26 09:15, lolilolicon wrote:
>> 
>>> On Fri, Sep 26, 2014 at 9:50 PM, Doug Newgard <scimmia at archlinux.info> wrote:
>>> 
>>>>> The problem is on many systems /bin/sh is linked to bash -- which is why
>>>>> this bug is so widespread / severe. /bin/sh is "the single biggest
>>>>> UNIX loophole", so let's make it a bit smaller by switching it to
>>>>> something minimal, such as dash.
>>>>
>>>> Why? Why is that the problem? What attack vector is available because of
>>>> this? Give me specifics, not theoretical, non-existent examples.
>>>> 
>>> 
>>> Because the vulnerable systems do not call bash by name, they call
>>> /bin/sh. And they are vulnerable only because /bin/sh is linked to bash.
>>> 
>> 
>> Wrong, they DO call bash by name. The main issues are with ssh, which uses
>> the user's specified interactive shell, and with Apache's mod_cgi and
>> mod_cgid, which do call bash. Again, stop providing non-existent FUD and
>> give real-world examples of where having /bin/sh linked to something else
>> would have mitigated this.
> 
> 
> 
> Some programs may call bash by name, but many will just use system() and
> get bash without asking for it.
> 
> From man 3 system:
> 
>> The system() library function uses fork(2) to create a child process that
>> executes the shell command specified in command using execl(3) as follows:
>>
>>     execl("/bin/sh", "sh", "-c", command, (char *) 0);
>>

Instead of theorizing that "many" will do this, give a real world 
example of where this happens and would have reduced the attack surface 
of the bug in question.
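
The system() behaviour quoted from man 3 system in this message, as an added example that is not part of the original thread: it reports what /bin/sh resolves to on the local machine and runs the same command once through system() and once through a direct fork/execvp with no shell in between. The helper names resolve_shell, is_bash and run_without_shell are hypothetical.

```c
#define _XOPEN_SOURCE 700   /* realpath(), fork() */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Follow symlinks on path (e.g. /bin/sh); 0 on success, -1 on failure. */
int resolve_shell(const char *path, char *out, size_t outlen) {
    char buf[PATH_MAX];
    if (realpath(path, buf) == NULL || strlen(buf) >= outlen)
        return -1;
    strcpy(out, buf);
    return 0;
}

/* 1 if the resolved binary's file name is exactly "bash", else 0. */
int is_bash(const char *resolved) {
    const char *base = strrchr(resolved, '/');
    return strcmp(base ? base + 1 : resolved, "bash") == 0;
}

/* Run argv[0] with fork + execvp, so no /bin/sh is involved.
 * Returns the child's exit status (127 if exec failed), or -1 on error. */
int run_without_shell(char *const argv[]) {
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void) {
    char target[PATH_MAX];
    if (resolve_shell("/bin/sh", target, sizeof target) == 0)
        printf("/bin/sh -> %s (bash: %s)\n", target, is_bash(target) ? "yes" : "no");
    char *const argv[] = { "true", NULL };
    printf("system(\"true\") wait status: %d\n", system("true")); /* via /bin/sh -c */
    printf("direct exec exit status:    %d\n", run_without_shell(argv));
    return 0;
}
```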