[arch-general] A good time to switch to dash as /bin/sh?

Doug Newgard scimmia at archlinux.info
Fri Sep 26 16:59:25 UTC 2014


On 2014-09-26 11:46, Benjamin A. Shelton wrote:
> On 09/26/2014 10:16 AM, Leonid Isaev wrote:
>> The bugs which started this discussion are not a big deal anyway. They
>> will only affect scripts that don't properly sanitize the input. Such
>> scripts have bigger problems to worry about IMHO. The SSH-related
>> issue is also insignificant because the bug will be triggered
>> post-auth... Cheers,
> 
> The bug can be triggered by Apache and is potentially not limited to CGI
> alone [1] if /bin/sh links to bash. As others have stated earlier,
> certain syscalls can also serve as a vector, which implies that simply
> avoiding CGI (FastCGI, mod_*) may not provide complete resolution.
> 
> I don't know if Arch is affected, but there's a proof of concept
> floating around (ab)using dhcpcd's hook scripts [2] to exploit clients
> on a potentially hostile network. It also appears possible that previous
> patches have *not* completely fixed the issue [3].
> 
> I'm just a user of Arch, and while I agree (to an extent) this issue may
> be overblown, I certainly don't think sticking our head in the sand,
> pretending it doesn't exist (or cannot affect us) is a viable long-term
> solution.
> 
> That said, I agree with the others here: The primary reason I'd support
> linking /bin/sh to dash is to favor correctness. From such a standpoint,
> if a script asks for /bin/sh, it should expect a POSIX-compliant sh and
> should not rely on bashisms (i.e. I should be able to move it to *BSD or
> other platforms and it ought to simply work). Therefore, I agree that
> any improvement in terms of security would be relegated to a convenient
> side effect.
> 
> [1] http://security.stackexchange.com/a/68164
> [2] https://www.trustedsec.com/september-2014/shellshock-dhcp-rce-proof-concept/
> [3] http://seclists.org/oss-sec/2014/q3/741

OK, we're finally getting some examples of where the sh symlink could be 
used to trigger this exploit. Thank you.

@Benjamin A. Shelton: What do you mean you'd support it for correctness? 
Bash is POSIX compliant, anything that uses only POSIX sh should run 
correctly on Bash. If it doesn't, it should be reported upstream.

Now my question for everyone else is, what will people do *WHEN* a bug 
is found in dash? Bash is the most tested shell code base we have, and I 
don't buy into the fallacy that a smaller code base is inherently more 
secure. Or are you simply relying on security through obscurity?
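The correctness argument above (a script that asks for /bin/sh should not rely on bashisms, or it will break once /bin/sh points at dash) can be checked mechanically. The script below is an added example written for this archive page; it is not code from the thread, from Arch, or from dash/bash. It is a small POSIX-sh lint that flags a handful of common bashisms, but only in files whose shebang claims /bin/sh. The pattern list is a hand-picked heuristic, and both sample scripts are constructed for the demonstration; a real audit should use a fuller tool such as checkbashisms or shellcheck.

```shell
#!/bin/sh
# Added example, not code from the thread: a small POSIX-sh lint that flags
# common bashisms in scripts whose shebang claims /bin/sh. The patterns and
# the two sample scripts are constructed for illustration only.

# is_sh_script FILE: succeed when the first line is a /bin/sh shebang
is_sh_script() {
    iss_line=$(head -n 1 "$1")
    case $iss_line in
        '#!/bin/sh'|'#!/bin/sh '*|'#! /bin/sh'|'#! /bin/sh '*) return 0 ;;
        *) return 1 ;;
    esac
}

# find_bashisms FILE: print "FILE:LINE: advice" for each suspected bashism,
# sorted by line number. Scripts whose shebang is not /bin/sh are out of
# scope (they may legitimately use bash syntax) and produce no output.
find_bashisms() {
    fb_file=$1
    is_sh_script "$fb_file" || return 0
    # one heuristic per line: POSIX basic regex, '|', then the advice printed
    while IFS='|' read -r fb_re fb_desc; do
        grep -n "$fb_re" "$fb_file" | while IFS=: read -r fb_ln fb_rest; do
            printf '%s:%s: %s\n' "$fb_file" "$fb_ln" "$fb_desc"
        done
    done <<'EOF' | sort -t: -k2,2n
\[\[[[:space:]]|[[ ... ]] test: use [ ... ] or case
^[[:space:]]*function[[:space:]]|function keyword: use name() { ... }
^[[:space:]]*source[[:space:]]|source: use . (dot)
&>|&>file: use >file 2>&1
echo[[:space:]][[:space:]]*-[a-zA-Z]*e|echo -e: use printf
\${[A-Za-z_][A-Za-z0-9_]*//*[^}]*/|${var/pat/rep}: use sed or ${var#pat}/${var%pat}
\${[A-Za-z_][A-Za-z0-9_]*:[0-9]|${var:off:len}: use cut or expr
^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*=(|array assignment: POSIX sh has no arrays
EOF
}

# count_bashisms FILE: number of findings, as a bare integer
count_bashisms() {
    find_bashisms "$1" | wc -l | tr -d ' '
}

# Constructed sample 1: declares /bin/sh but uses bash-only syntax
SAMPLE_SH=$(mktemp)
cat > "$SAMPLE_SH" <<'EOF'
#!/bin/sh
# constructed sample: declares POSIX sh but uses bash-only syntax
source /etc/default/myapp
function backup {
    if [[ -d "$1" ]]; then
        tar czf backup.tgz "$1" &> /dev/null
    fi
}
targets=(/etc /home)
name="hello world"
echo -e "${name//o/0}\n"
printf '%s\n' "$name"
EOF

# Constructed sample 2: same body, but it declares bash, so nothing is flagged
SAMPLE_BASH=$(mktemp)
{ printf '#!/bin/bash\n'; tail -n +2 "$SAMPLE_SH"; } > "$SAMPLE_BASH"
trap 'rm -f "$SAMPLE_SH" "$SAMPLE_BASH"' EXIT

# Demo: list findings for the /bin/sh script and compare the two counts
find_bashisms "$SAMPLE_SH"
printf '%s findings in the /bin/sh script, %s in the bash script\n' \
    "$(count_bashisms "$SAMPLE_SH")" "$(count_bashisms "$SAMPLE_BASH")"
```

Run it with any POSIX sh (`sh lint.sh`); it deliberately avoids bashisms itself, so it behaves the same under dash and bash. The shebang check is intentionally narrow: a script declaring `#!/bin/bash` is left alone, because the thread's point is only about scripts that *claim* to be POSIX sh while depending on bash.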