[arch-general] A good time to switch to dash as /bin/sh?

Maarten de Vries maarten at de-vri.es
Fri Sep 26 14:40:16 UTC 2014

On 26 September 2014 16:34, Doug Newgard <scimmia at archlinux.info> wrote:

> On 2014-09-26 09:29, Maarten de Vries wrote:
>> On 26 September 2014 16:25, Doug Newgard <scimmia at archlinux.info> wrote:
>>> Wrong, they DO call bash by name. The main issues are with ssh, which uses
>>> the user's specified interactive shell, and with Apache's mod_cgi and
>>> mod_cgid, which do call bash. Again, stop providing non-existent FUD and
>>> give real-world examples of where having /bin/sh linked to something else
>>> would have mitigated this.
>> Some programs may call bash by name, but many will just use system() and
>> get bash without asking for it.
>> From man 3 system:
>>> The system() library function uses fork(2) to create a child process that
>>> executes the shell command specified in command using execl(3) as
>>> follows:
>>>
>>>           execl("/bin/sh", "sh", "-c", command, (char *) 0);
> Instead of theorizing that "many" will do this, give a real world example
> of where this happens and would have reduced the attack surface of the bug
> in question.

So you do not find "any program that calls system()" specific and scary
enough? I do.
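
A host-side check for the point argued in this thread, added here as an example and not part of the original message: it reports which shell a `system()` call really runs and cross-checks that against what `/bin/sh` resolves to. The function names `system_shell_is_bash` and `audit_is_consistent` are hypothetical; it assumes a POSIX system where bash sets `BASH_VERSION` even when invoked as `sh`.

```c
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>

/* 1 if the shell behind system() is bash, 0 if not, -1 on error. */
int system_shell_is_bash(void)
{
    int status;
    /* Drop any inherited copy so only the shell itself can set it. */
    unsetenv("BASH_VERSION");
    /* bash sets BASH_VERSION even when it is started under the name "sh". */
    status = system("[ -n \"${BASH_VERSION:-}\" ]");
    if (status == -1 || !WIFEXITED(status) || WEXITSTATUS(status) > 1)
        return -1;
    return WEXITSTATUS(status) == 0;
}

/* 1 if the resolved /bin/sh target agrees with what system() really ran. */
int audit_is_consistent(void)
{
    char path[PATH_MAX];
    const char *base;
    int is_bash = system_shell_is_bash();

    if (is_bash < 0 || realpath("/bin/sh", path) == NULL)
        return 0;
    base = strrchr(path, '/');
    base = base ? base + 1 : path;
    if (strcmp(base, "bash") == 0)
        return is_bash == 1;
    if (strcmp(base, "dash") == 0)
        return is_bash == 0;
    return 1; /* other shells (busybox, ksh, ...): nothing to cross-check */
}

int main(void)
{
    char path[PATH_MAX];
    int is_bash = system_shell_is_bash();

    if (realpath("/bin/sh", path) == NULL) { perror("/bin/sh"); return 1; }
    printf("/bin/sh resolves to %s\n", path);
    printf("system() runs bash: %s\n",
           is_bash == 1 ? "yes" : is_bash == 0 ? "no" : "unknown");
    return is_bash < 0;
}
```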

