[arch-general] A good time to switch to dash as /bin/sh?
Maarten de Vries
maarten at de-vri.es
Fri Sep 26 14:52:40 UTC 2014
On 26 September 2014 16:40, Maarten de Vries <maarten at de-vri.es> wrote:
> On 26 September 2014 16:34, Doug Newgard <scimmia at archlinux.info> wrote:
>> On 2014-09-26 09:29, Maarten de Vries wrote:
>>> On 26 September 2014 16:25, Doug Newgard <scimmia at archlinux.info> wrote:
>>> Wrong, they DO call bash by name. The main issues are with ssh, which
>>>> the user's specified interactive shell, and with Apache's mod_cgi and
>>>> mod_cgid, which do call bash. Again, stop providing non-existent FUD and
>>>> give real-world examples of where having /bin/sh linked to something
>>>> would have mitigated this.
>>> Some programs may call bash by name, but many will just use system() and
>>> get bash without asking for it.
>>> From man 3 system:
>>> The system() library function uses fork(2) to create a child process that
>>>> executes the shell command specified in command using execl(3) as
>>>> follows: execl("/bin/sh", "sh", "-c", command, (char *) 0);
>> Instead of theorizing that "many" will do this, give a real world example
>> of where this happens and would have reduced the attack surface of the bug
>> in question.
> So you do not find "any program that calls system()" specific and scary
> enough? I do.
I do have a real world example actually, although not because of the use of
I host the code of some private projects on my own server using gitolite.
Gitolite has a dedicated user with the shell set to /bin/sh . Gitolite uses
ssh's force-command option to restrict access based on which private/public
key was used to authenticate, and the original command ends up in
SSH_ORIGINAL_COMMAND and could be used trigger the bash bug. This would not
have been possible is /bin/sh was not bash.
More information about the arch-general