Re: A good time to switch to dash as /bin/sh?




On Fri, Sep 26, 2014 at 8:13 PM, Martti Kühne <mysatyre@xxxxxxxxx> wrote:
> On Fri, Sep 26, 2014 at 2:06 PM, Mailing Lists
> <mailinglists@xxxxxxxxxxxxxx> wrote:
>>
>> Even if we agree to shift /bin/sh to dash, I'm not sure that it'll make
>> that much of a difference. From what I've read, most of the problems
>> come from CGI scripts which invoke bash, and ssh post-authentication.
>> I'm not saying that these are the only vectors of attack, no, but these
>> are the ones which are mentioned the most. Since bash is not generally
>> used remotely (except in the case of sshing to a remote machine), I

The problem is on many systems /bin/sh is linked to bash -- which is why
this bug is so widespread / severe. /bin/sh is "the single biggest
UNIX loophole", so let's make it a bit smaller by switching it to
something minimal, such as dash.

>> doubt that removing bashisms from most such scripts will really make
>> much difference in security. How many of these scripts are even called
>> remotely? How many of them actually form an attack surface? Do you have
>> any data for that? Without actually having this data, it seems
>> irresponsible to talk about shifting.
>>
>
>
> Removing bashisms would not have any impact on security but rather
> enable us to switch /bin/sh away from /usr/bin/bash. Which we in
> general appear to agree on?

Indeed.

We're not talking about this specific bash bug here. We're not even
talking about security specifically, although it would be an important
side effect.

