On Fri, Sep 30, 2016 at 5:16 AM, Toby Goodwin <toby@xxxxxxxxxxx> wrote:

> As a member of the "remove nologin from /etc/shells" faction, I have 2
> technical reasons for my position. I don't think either of these points
> have been addressed by the "leave it in" faction.
[...]
>
> 2. Can anyone provide further detail on the "Shell variable pre-load
> attack" mentioned in that original ticket? It's surely far too old to be
> the "Shellshock" bug.
>

Unable to find any archive of the testers-list from 2001, the BZ references.
However, one could reasonably speculate based on the information given.

"""
R P Herrold 2001-09-24 11:37:54 EDT

Please add a SAFE no-login type shell to the base /etc/shells -- safe in the
sense that it is immune from the Shell variable pre-load attack.

It needs to be here, so that 'chsh' and other tools will allow its use
without manual edit of /etc/passwd

Nalin suggested /sbin/nologin on testers-list, but unlike all the other
'default' shells, this is not in /bin ... Doesn't bother me, but ...
"""

Let's break it out...

"Immune from the Shell variable"

Presumably the $SHELL variable?

From the Bash manual:

"""
SHELL
The full pathname to the shell is kept in this environment variable. If it
is not set when the shell starts, bash assigns to it the full pathname of
the current user's login shell.
"""

Okay, so the SHELL variable in bash has logic to deal with before & during
shell startup. So presumably the "testers-list" email with Nalin could have
been about fuzzing the $SHELL variable prior to login? Maybe back in those
days one could set the SHELL variable to /usr/bin/MY-AWESOME-SCRIPT and it
would actually make that the login shell?

Or perhaps by "pre-load attack" we mean something more along the lines of
LD_PRELOAD and static vs. dynamic shells. Back in the old days Unix folks
were pesky about their statically built login shells, which were more
resilient to problems, compared to linked binaries.

For example, a statically built shell would survive the absence of libc, or
whatever system library. That was handy back in the old days when system
libraries were placed in a (i.e. corrupted) /usr/lib/ filesystem.

Anyhow... with linked binaries it's theoretically possible to pre-load
adversarial things, right? I have no idea if bash these days is static or
otherwise, so if you know, please chime in?

Regardless, I am unable to think of any good reason to oppose Toby
Goodwin's proposal around removing the nologin shell from /etc/shells. His
reasoning seems solid.

-Jon Disnard