On 26 September 2014 16:25, Doug Newgard <scimmia@xxxxxxxxxxxxxx> wrote:
> On 2014-09-26 09:15, lolilolicon wrote:
>
>> On Fri, Sep 26, 2014 at 9:50 PM, Doug Newgard <scimmia@xxxxxxxxxxxxxx>
>> wrote:
>>
>>>> The problem is on many systems /bin/sh is linked to bash -- which is why
>>>> this bug is so widespread / severe. /bin/sh is "the single biggest
>>>> UNIX loophole", so let's make it a bit smaller by switching it to
>>>> something minimal, such as dash.
>>>>
>>>
>>> Why? Why is that the problem? What attack vector is available because of
>>> this? Give me specifics, not theoretical, non-existent examples.
>>>
>>
>> Because the vulnerable systems do not call bash by name, they call
>> /bin/sh. And they are vulnerable only because /bin/sh is linked to bash.
>>
>
> Wrong, they DO call bash by name. The main issues are with ssh, which uses
> the user's specified interactive shell, and with Apache's mod_cgi and
> mod_cgid, which do call bash. Again, stop providing non-existent FUD and
> give real-world examples of where having /bin/sh linked to something else
> would have mitigated this.

Some programs may call bash by name, but many will just use system() and
get bash without asking for it.

From man 3 system:

> The system() library function uses fork(2) to create a child process that
> executes the shell command specified in command using execl(3) as
> follows:
>
>     execl("/bin/sh", "sh", "-c", command, (char *) 0);