On Fri, Sep 26, 2014 at 8:13 PM, Martti Kühne <mysatyre@xxxxxxxxx> wrote: > On Fri, Sep 26, 2014 at 2:06 PM, Mailing Lists > <mailinglists@xxxxxxxxxxxxxx> wrote: >> >> Even if we agree to shift /bin/sh to dash, I'm not sure that it'll make >> that much of a difference. From what I've read, most of the problems >> come from CGI scripts which invoke bash, and ssh post-authentication. >> I'm not saying that these are the only vectors of attack, no, but these >> are the ones which are mentioned the most. Since bash is not generally >> used remotely (except in the case of sshing to a remote machine), I The problem is on many systems /bin/sh is linked to bash -- which is why this bug is so widespread / severe. /bin/sh is "the single biggest UNIX loophole", so let's make it a bit smaller by switching it to something minimal, such as dash. >> doubt that removing bashisms from most such scripts will really make >> much difference in security. How many of these scripts are even called >> remotely? How many of them actually form an attack surface? Do you have >> any data for that? Without actually having this data, it seems >> irresponsible to talk about shifting. >> > > > Removing bashisms would not have any inpact in security but rather > enable us switching /bin/sh away from /usr/bin/bash. Which we in > general appear to agree on? Indeed. We're not talking about this specific bash bug here. We're not even talking about security specifically, although it would be an important side effect.