Re: [arch-general] A good time to switch to dash as /bin/sh?




On 2014-09-26 07:29, lolilolicon wrote:
On Fri, Sep 26, 2014 at 8:13 PM, Martti Kühne <mysatyre@xxxxxxxxx> wrote:
On Fri, Sep 26, 2014 at 2:06 PM, Mailing Lists
<mailinglists@xxxxxxxxxxxxxx> wrote:

Even if we agree to shift /bin/sh to dash, I'm not sure that it'll make
that much of a difference. From what I've read, most of the problems
come from CGI scripts which invoke bash, and ssh post-authentication.
I'm not saying that these are the only vectors of attack, no, but these are the ones which are mentioned the most. Since bash is not generally
used remotely (except in the case of sshing to a remote machine), I

The problem is on many systems /bin/sh is linked to bash -- which is why
this bug is so widespread / severe. /bin/sh is "the single biggest
UNIX loophole", so let's make it a bit smaller by switching it to
something minimal, such as dash.

Why? Why is that the problem? What attack vector is available because of this? Give me specifics, not theoretical, non-existent examples.


doubt that removing bashisms from most such scripts will really make
much difference in security. How many of these scripts are even called remotely? How many of them actually form an attack surface? Do you have
any data for that? Without actually having this data, it seems
irresponsible to talk about shifting.



Removing bashisms would not have any impact on security but rather
enable us to switch /bin/sh away from /usr/bin/bash. Which we in
general appear to agree on?

Indeed.

We're not talking about this specific bash bug here. We're not even
talking about security specifically, although it would be an important
side effect.
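The thread's two practical points, that /bin/sh is often just a link to bash and that scripts must be free of bashisms before that link can move to dash, as an added example (not code from any poster in the thread): a POSIX sh script that reports what /bin/sh resolves to and counts bash-only lines in constructed sample scripts. The pattern list is an assumed, partial one; checkbashisms(1) is the thorough tool.

```shell
#!/bin/sh
# Added example (not from the thread): two checks to run before pointing
# /bin/sh at dash. resolve_sh shows which shell /bin/sh really is, and
# count_bashisms counts bash-only lines in a script that declares #!/bin/sh.
# The pattern list is a constructed, non-exhaustive sample.

resolve_sh() {
    # Follow every symlink level, e.g. /bin/sh -> bash (assumes GNU readlink -f)
    readlink -f "${1:-/bin/sh}"
}

# Bash-only constructs that dash rejects or silently misparses:
# [[ ]] tests, the function keyword, here-strings, arrays, == inside [ ],
# the source builtin, and echo -e (dash's echo prints the -e literally).
BASHISM_RE='\[\[|^[[:space:]]*function[[:space:]]|<<<|^[[:space:]]*[A-Za-z_]+=\(|\$[{][A-Za-z_]+\[|\[ [^]]*== |(^|[;&| ])source[[:space:]]|echo[[:space:]]+-e'

count_bashisms() {
    # Prints the number of offending lines in "$1". A script whose shebang
    # names bash (or anything but /bin/sh) keeps running under bash whatever
    # /bin/sh points to, so it is reported as 0 without scanning.
    head -n 1 "$1" | grep -qE '^#![[:space:]]*/bin/sh([[:space:]]|$)' \
        || { echo 0; return 0; }
    grep -cE "$BASHISM_RE" "$1" || true
}

# Constructed samples (not real Arch scripts).
SAMPLE_BAD=$(mktemp); SAMPLE_OK=$(mktemp); SAMPLE_BASH=$(mktemp)
trap 'rm -f "$SAMPLE_BAD" "$SAMPLE_OK" "$SAMPLE_BASH"' EXIT
cat > "$SAMPLE_BAD" <<'EOF'
#!/bin/sh
function greet {
    if [[ -n "$1" ]]; then
        echo -e "hi\t$1"
    fi
}
names=(alice bob)
greet "${names[0]}"
EOF
cat > "$SAMPLE_OK" <<'EOF'
#!/bin/sh
greet() { if [ -n "$1" ]; then printf 'hi\t%s\n' "$1"; fi; }
greet alice
EOF
printf '#!/bin/bash\n[[ -n "$1" ]] && echo ok\n' > "$SAMPLE_BASH"
printf '/bin/sh resolves to: %s\n' "$(resolve_sh)"
for f in "$SAMPLE_BAD" "$SAMPLE_OK" "$SAMPLE_BASH"; do
    printf '%s: %s bashism line(s)\n' "$f" "$(count_bashisms "$f")"
done
```

The first sample reports 5 offending lines, the POSIX rewrite 0, and the #!/bin/bash script 0 because the switch does not touch it.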
 
