[arch-general] A good time to switch to dash as /bin/sh?

Doug Newgard scimmia at archlinux.info
Fri Sep 26 09:50:18 EDT 2014


On 2014-09-26 07:29, lolilolicon wrote:
> On Fri, Sep 26, 2014 at 8:13 PM, Martti Kühne <mysatyre at gmail.com> wrote:
>> On Fri, Sep 26, 2014 at 2:06 PM, Mailing Lists
>> <mailinglists at hawkradius.com> wrote:
>>> 
>>> Even if we agree to shift /bin/sh to dash, I'm not sure that it'll make
>>> that much of a difference. From what I've read, most of the problems
>>> come from CGI scripts which invoke bash, and ssh post-authentication.
>>> I'm not saying that these are the only vectors of attack, no, but these
>>> are the ones which are mentioned the most. Since bash is not generally
>>> used remotely (except in the case of sshing to a remote machine), I
> 
> The problem is on many systems /bin/sh is linked to bash -- which is why
> this bug is so widespread / severe. /bin/sh is "the single biggest
> UNIX loophole", so let's make it a bit smaller by switching it to
> something minimal, such as dash.

Why? Why is that the problem? What attack vector is available because of 
this? Give me specifics, not theoretical, non-existent examples.

> 
>>> doubt that removing bashisms from most such scripts will really make
>>> much difference in security. How many of these scripts are even called
>>> remotely? How many of them actually form an attack surface? Do you have
>>> any data for that? Without actually having this data, it seems
>>> irresponsible to talk about shifting.
>>> 
>> 
>> 
>> Removing bashisms would not have any impact on security but rather
>> enable us to switch /bin/sh away from /usr/bin/bash. Which we in
>> general appear to agree on?
> 
> Indeed.
> 
> We're not talking about this specific bash bug here. We're not even
> talking about security specifically, although it would be an important
> side effect.
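Added example, not part of this thread and not Arch's own tooling: a POSIX sh script that makes the two points above checkable on a given box. sh_is_bash asks the shell behind /bin/sh whether it is bash (the reason a bash bug reaches everything that goes through system(3), popen(3) or "sh -c", whatever the symlink chain looks like), and count_bashisms reports how many lines of a "#!/bin/sh" script use constructs dash does not accept, which is the cleanup that has to happen before /bin/sh can be re-pointed. The bashism patterns are a hand-picked subset I chose for illustration, not Debian's checkbashisms, and the sample script is constructed here.

```shell
#!/bin/sh
# Added example (not from the arch-general thread or the Arch project).
# Two checks relevant to the /bin/sh -> dash discussion:
#   sh_is_bash      - does the shell that actually runs behind /bin/sh
#                     identify itself as bash?
#   count_bashisms  - how many lines of a #!/bin/sh script use bash-only
#                     syntax (a hand-picked subset of patterns, assumption:
#                     good enough for a first pass, not a full linter)?

# Probe the interpreter, not the symlink: dash leaves BASH_VERSION unset,
# bash (even when invoked as "sh") sets it. Prints "bash" or "not-bash".
sh_is_bash() {
    if /bin/sh -c 'test -n "$BASH_VERSION"' 2>/dev/null; then
        echo bash
    else
        echo not-bash
    fi
}

# Count lines of $1 that contain a bashism. Whole-line comments are
# dropped first; each remaining line is counted at most once.
# Patterns: [[ ]], "function" keyword, "source", $'..' quoting, array
# assignment, ${arr[i]}, ${var/pat/rep}, "==" inside [ ], echo -e,
# declare/typeset, and bare (( )) arithmetic (but not POSIX $(( ))).
count_bashisms() {
    f=$1
    n=$(grep -v '^[[:space:]]*#' "$f" | grep -Ec \
        -e '\[\[' \
        -e '^[[:space:]]*function[[:space:]]' \
        -e '(^|[[:space:];&|])source[[:space:]]' \
        -e "\\$'" \
        -e '^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*=\(' \
        -e '\$\{[A-Za-z_][A-Za-z0-9_]*\[' \
        -e '\$\{[A-Za-z_][A-Za-z0-9_]*/' \
        -e '\[ .* == .* \]' \
        -e '(^|[[:space:];&|])echo[[:space:]]+-[a-zA-Z]*e' \
        -e '(^|[[:space:];&|])(declare|typeset)[[:space:]]' \
        -e '(^|[[:space:];&|])\(\(') || n=0   # grep -c exits 1 on zero hits
    echo "${n:-0}"
}

# Constructed sample: a script that claims #!/bin/sh but needs bash.
# Nine of its lines are bashisms; the $(( )) and [ -n ] lines are POSIX.
make_sample_script() {
    cat >"$1" <<'EOF'
#!/bin/sh
# constructed sample: a #!/bin/sh script that only works under bash
set -u
name="$1"
if [[ -z $name ]]; then
    echo -e "usage: $0 name\n"
    exit 1
fi
function greet {
    local msg=$'hello\t'
    echo "$msg $name"
}
parts=(a b c)
echo "${parts[0]}"
[ "$name" == "root" ] && echo hi
source ./lib.sh
echo "${name//o/0}"
: $((1 + 1))
[ -n "$name" ] && echo ok
greet
EOF
}

# Stand-alone run: report what /bin/sh is, then scan the sample.
sample=${TMPDIR:-/tmp}/bashism-sample.$$
make_sample_script "$sample"
echo "/bin/sh runs: $(sh_is_bash)"
echo "bashisms in sample: $(count_bashisms "$sample")"
rm -f "$sample"
```

Point it at /usr/bin/* and /etc/* scripts whose shebang is /bin/sh (for example with `grep -l '^#!/bin/sh' ...`) to get a rough list of what would break on the day of the switch; anything it flags still wants a manual read, since the patterns are deliberately loose.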