[arch-general] A good time to switch to dash as /bin/sh?

[Benjamin A. Shelton]

On 09/26/2014 10:16 AM, Leonid Isaev wrote:
> The bugs which started this discussion are not a big deal anyway. They
> will only affect scripts that don't properly sanitize the input. Such
> scripts have bigger problems to worry about IMHO. The SSH-related
> issue is also insignificant because the bug will be triggered
> post-auth... Cheers, 

The bug can be triggered by Apache and is potentially not limited to CGI
alone [1] if /bin/sh links to bash. As others have stated earlier,
certain syscalls can also serve as a vector, which implies that simply
avoiding CGI (FastCGI, mod_*) may not provide complete resolution.

I don't know if Arch is affected, but there's a proof of concept
floating around (ab)using dhcpcd's hook scripts [2] to exploit clients
on a potentially hostile network. It also appears possible that previous
patches have *not* completely fixed the issue [3].

I'm just a user of Arch, and while I agree (to an extent) this issue may
be overblown, I certainly don't think sticking our head in the sand,
pretending it doesn't exist (or cannot affect us) is a viable long-term
solution.

That said, I agree with the others here: The primary reason I'd support
linking /bin/sh to dash is to favor correctness. From such a standpoint,
if a script asks for /bin/sh, it should expect a POSIX-compliant sh and
should not rely on bashisms (i.e. I should be able to move it to *BSD or
other platforms and it ought to simply work). Therefore, I agree that
any improvement in terms of security would be relegated to a convenient
side effect.

[1] http://security.stackexchange.com/a/68164
[2]
https://www.trustedsec.com/september-2014/shellshock-dhcp-rce-proof-concept/
[3] http://seclists.org/oss-sec/2014/q3/741