I know this could be found in the code, and my own systems have busybox not bash, but I thought I'd ask for general interest:
Is this a matter only of the shebang line in the script, or does dnsmasq use `system()` to run it, meaning that control passes through the user's login shell before transferring to the interpreter listed in the shebang? If the script is execed or spawned, then changing the shebang to /bin/ash or other non-bash implementation which aims for bash compatibility could be an even faster workaround (that also cures aftershock). BTW, isn't that script executed as root only in --leasefile-ro mode, and that without remote input in the environment? Oh nevermind, the script always gets invoked from the dnsmasq process that doesn't drop privilege, unless that new --dhcp-scriptuser option is active. On Fri, Sep 26, 2014 at 4:14 PM, Simon Kelley <si...@thekelleys.org.uk> wrote: > This is just a heads-up that if you're using the --dhcp-script option in > dnsmasq, and the script you're calling is being interpreted by bash, > then you're affected by the shellshock bug. > > The bug allows execution of arbitrary code contained in the values of > environment variables, and there are several variables in the > environment inherited by the DHCP script whose values can be set > directly by a DHCP client, so any DHCP client on your network (or > elsewhere, if your firewall allows) can execute arbitrary shellcode, > probably as root, with a simple DHCP request. > > The fix, of course, is to update bash. > > > Cheers, > > Simon. > > _______________________________________________ > Dnsmasq-discuss mailing list > Dnsmasq-discuss@lists.thekelleys.org.uk > http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss >
_______________________________________________ Dnsmasq-discuss mailing list Dnsmasq-discuss@lists.thekelleys.org.uk http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss