On 2014-09-26 11:46, Benjamin A. Shelton wrote:
On 09/26/2014 10:16 AM, Leonid Isaev wrote:
The bugs which started this discussion are not a big deal anyway. They
will only affect scripts that don't properly sanitize the input. Such
scripts have bigger problems to worry about IMHO. The SSH-related
issue is also insignificant because the bug will be triggered
post-auth... Cheers,
The bug can be triggered by Apache and is potentially not limited to CGI
alone [1] if /bin/sh links to bash. As others have stated earlier,
certain syscalls can also serve as a vector, which implies that simply
avoiding CGI (FastCGI, mod_*) may not provide complete resolution.
I don't know if Arch is affected, but there's a proof of concept
floating around (ab)using dhcpcd's hook scripts [2] to exploit clients
on a potentially hostile network. It also appears possible that previous
patches have *not* completely fixed the issue [3].
I'm just a user of Arch, and while I agree (to an extent) this issue may
be overblown, I certainly don't think sticking our head in the sand,
pretending it doesn't exist (or cannot affect us) is a viable long-term
solution.
That said, I agree with the others here: The primary reason I'd support
linking /bin/sh to dash is to favor correctness. From such a standpoint,
if a script asks for /bin/sh, it should expect a POSIX-compliant sh and
should not rely on bashisms (i.e. I should be able to move it to *BSD or
other platforms and it ought to simply work). Therefore, I agree that
any improvement in terms of security would be relegated to a convenient
side effect.
[1] http://security.stackexchange.com/a/68164
[2] https://www.trustedsec.com/september-2014/shellshock-dhcp-rce-proof-concept/
[3] http://seclists.org/oss-sec/2014/q3/741
OK, we're finally getting some examples of where the sh symlink could be
used to trigger this exploit. Thank you.
@Benjamin A. Shelton: What do you mean you'd support it for correctness?
Bash is POSIX compliant, anything that uses only POSIX sh should run
correctly on Bash. If it doesn't, it should be reported upstream.
Now my question for everyone else is, what will people do *WHEN* a bug
is found in dash? Bash is the most tested shell code base we have, and I
don't buy into the fallacy that a smaller code base is inherently more
secure. Or are you simply relying on security through obscurity?
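The following is an added example, not part of the thread or of any project discussed in it. It shows what the thread is arguing about in runnable form: a probe that reports whether a given shell executes trailing text after an exported function definition (the Shellshock class of bug, using the widely published public test string), a check of what /bin/sh actually resolves to on the host, and a deliberately broken mock "shell" constructed here so the probe can be seen reporting a positive result. The function names and the mock are this example's own assumptions; nothing here reflects how bash's real parser is implemented.

```shell
#!/bin/sh
# Added example (not from the thread): probe a shell for the Shellshock
# class of bug, in which text after an exported function definition is
# executed when the shell starts. The probe string is the widely published
# public test. Function names and the mock shell are this example's own.

# Prints "vulnerable", "not-vulnerable" or "missing" for the shell at $1.
shellshock_probe() {
    shell="$1"
    command -v "$shell" >/dev/null 2>&1 || { echo "missing"; return 0; }
    # An affected shell runs 'echo vulnerable' while importing x from the
    # environment, before the requested 'echo probe' ever executes.
    out=$(env x='() { :;}; echo vulnerable' "$shell" -c 'echo probe' 2>/dev/null) || true
    case "$out" in
        *vulnerable*) echo "vulnerable" ;;
        *)            echo "not-vulnerable" ;;
    esac
}

# Report what /bin/sh actually is: a script that asks for /bin/sh gets
# whatever the symlink points at, which is the crux of the dash-vs-bash debate.
sh_resolves_to() {
    readlink -f /bin/sh 2>/dev/null || echo /bin/sh
}

# Constructed mock of the defect: a "shell" that imports x as a function by
# naively evaluating everything after the first '};'. Written to a temp file
# so the probe can be exercised against a target known to be broken.
# Prints the path of the mock; the caller should remove it afterwards.
make_mock_vulnerable_shell() {
    mock=$(mktemp) || return 1
    cat >"$mock" <<'EOF'
#!/bin/sh
# Mock only: on seeing a function-definition-shaped x, run the trailing text.
case "$x" in
    "() {"*)
        rest=$(printf '%s\n' "$x" | sed 's/^[^}]*};//')
        eval "$rest"
        ;;
esac
# Then run the command the caller actually asked for.
[ "$1" = "-c" ] && eval "$2"
EOF
    chmod +x "$mock"
    echo "$mock"
}

# Optional stand-alone run: sh this_file.sh --demo
if [ "${1:-}" = "--demo" ]; then
    echo "/bin/sh -> $(sh_resolves_to)"
    for s in sh bash dash; do
        echo "$s: $(shellshock_probe "$s")"
    done
    m=$(make_mock_vulnerable_shell)
    echo "mock: $(shellshock_probe "$m")"
    rm -f "$m"
fi
```

Running it with `--demo` on a current system should report every real shell as not-vulnerable and only the mock as vulnerable; a "missing" result for dash simply means it is not installed. Note that the probe is a positive test only: it detects the original defect's behaviour, not the follow-up parser issues referenced in [3].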