On Fri, Sep 26, 2014 at 2:06 PM, Mailing Lists <mailinglists@xxxxxxxxxxxxxx> wrote:
>
> Even if we agree to shift /bin/sh to dash, I'm not sure that it'll make
> that much of a difference. From what I've read, most of the problems
> come from CGI scripts which invoke bash, and ssh post-authentication.
> I'm not saying that these are the only vectors of attack, no, but these
> are the ones which are mentioned the most. Since bash is not generally
> used remotely (except in the case of sshing to a remote machine), I
> doubt that removing bashisms from most such scripts will really make
> much difference in security. How many of these scripts are even called
> remotely? How many of them actually form an attack surface? Do you have
> any data for that? Without actually having this data, it seems
> irresponsible to talk about shifting.
>

Removing bashisms would not have any impact on security but would rather enable us to switch /bin/sh away from /usr/bin/bash. Which we in general appear to agree on?

cheers!
mar77i