[arch-general] A good time to switch to dash as /bin/sh?
mailinglists at hawkradius.com
Fri Sep 26 20:21:40 UTC 2014
On Sat, Sep 27, 2014, at 01:30 AM, Benjamin A. Shelton wrote:
> On 09/26/2014 10:59 AM, Doug Newgard wrote:
> > OK, we're finally getting some examples of where the sh symlink could
> > be used to trigger this exploit. Thank you.
> There are samples that have been available for the past 2-3 days, and
> there's a fairly steady stream of new information on various sites (HN,
> probably Slashdot, among others). It isn't difficult to find, if you're
> willing to look, but you do have to sort through the cruft and the "sky
> is falling" paranoia.
> > @Benjamin A. Shelton: What do you mean you'd support it for
> > correctness? Bash is POSIX compliant, anything that uses only POSIX sh
> > should run correctly on Bash. If it doesn't, it should be reported
> I should specify that by correctness (in this case), I mean to say
> POSIX-compliant *minus* the bashisms and rather "interesting" behavior
> of the bash interpreter, in the sense that I can take a script written
> for /bin/sh and plop it down on any system that expects /bin/sh, and it
> doesn't perform (or provide) any additional magic. "Simpler" might also
> be an appropriate synonym. bash has some very convenient behaviors, but
> I'm not *completely* convinced that the additional features of a user
> shell should necessarily be exposed to applications that expect /bin/sh
> to behave consistently across Unix/Unix-like OSes (e.g. Apache's APR and
> others) while providing a rather creative interpretation of envvars.
> bash is big.
> I submit that the bug in question is *exactly* the sort of behavior in
> question and has, in fact, already been sent upstream (that's what these
> bug reports are for, correct?). I may be mistaken, but I don't believe
> interpreting a special string of characters in envvars as
> functions--even when invoked as /bin/sh--is considered POSIX behavior?
> Does POSIX even address this? I don't see anything that specifies such,
> and I'm inclined to believe it is bash specific (please point out if
> I'm mistaken).
> > Now my question for everyone else is, what will people do *WHEN* a
> > bug is found in dash? Bash is the most tested shell code base we have,
> > and I don't buy into the fallacy that a smaller code base is inherently
> > more secure. Or are you simply relying on security through obscurity?
> I believe this "shellshock" vulnerability was discovered by a Red Hat
> auditor and has been exploitable for about one major version back. "Most
> tested" doesn't always mean "more secure." Also, dash is at least as old
> as bash .
> Smaller code bases do in fact have the potential to be more secure
> simply by fault of their relative magnitude: Less code makes it more
> readily auditable in less time, and less code (all other things being
> equal) with fewer features will exhibit fewer bugs. It's a matter of
> probability. It's not an absolute, of course: Some software may be
> written by more skilled individuals, but as a code base grows to include
> more features, the probability that it will contain errors in its
> implementation approaches one.
> Similarly, I don't see how switching /bin/sh is security through
> obscurity; if someone were advocating replacing /bin/sh with (t)csh then
> yes, I might agree with that assertion, but replacing it with another sh
> implementation is not. There are only so many sh-compatible
> implementations available (and only so many licensed in a manner that
> GPL-licensed projects find palatable), so the limited selection most
> certainly is not compatible with such a charge.
> What technical reasons are there against switching out /bin/sh? Thus far,
> I haven't encountered anything particularly noisome (the ST2's subl
> launch script being one exception, probably several others), but there's
> certainly something lurking in unseen dark corners. It seems
> (superficially, at least) that most everything else is well behaved and
> asks specifically for /bin/bash where expected. Should those
> circumstances where this isn't the case be considered bugs? I would say
> "yes," but others might emphatically say "no."
>  http://en.wikipedia.org/wiki/Almquist_shell
I guess the bug report I opened has a pretty damning reason:
Given by Dave with a source, so... If there's a reason it doesn't
matter, be a dear and comment on the bug, will you?