-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Weird. I'm using a Wheezy base install built via debootstrap on an Open Hosting container. It uses bash by default for the root user. Perhaps debootstrap or my platform build scripts override the default shell for root to be bash?
Anyhoo, I think most people prefer Bash because it is very close to a real programming language. This shellshock shitstorm might be a setback for popular programming culture. - -lee On 9/25/14, 9:48 PM, Hans-Christoph Steiner wrote: > > That's for "Lenny users:". See this section: > > Squeeze users: > > * Dash is always installed. * /bin/sh is dash by default (even for > upgraded systems). > > .hc > > Lee Azzarello wrote: >> I'm confused. The article you linked is instructions to install >> dash and configure a base system to use it as default. Am I >> misunderstanding something? >> >> -lee >> >> On Thursday, September 25, 2014, Hans-Christoph Steiner < >> [email protected]> wrote: >> >>> >>> dash is still the default /bin/sh, for speed and security, but >>> you can change that to bash if you want: >>> https://wiki.debian.org/DashAsBinSh >>> >>> Ubuntu also uses dash by default: >>> https://wiki.ubuntu.com/DashAsBinSh >>> >>> .hc >>> >>> Lee Azzarello wrote: >>>> This output is from a Debian stable base system built with >>>> debootstrap and no additional packages installed. >>>> >>>> root@debian:~# ls -l /bin/sh lrwxrwxrwx 1 root root 4 Jun 17 >>>> 21:47 /bin/sh -> bash >>>> >>>> I don't think Debian has used Dash since Sarge. >>>> >>>> -lee >>>> >>>> On 9/25/14, 1:36 PM, Dev Random wrote: >>>>> This seems mitigated by the fact that /bin/sh is -> dash on >>>>> debian. So unless something does explicitly #!/bin/bash, >>>>> things should be okay. >>>> >>>>> BTW, there's a related vuln that's not fixed yet - >>>>> CVE-2014-7169 https://news.ycombinator.com/item?id=8365158 >>>> >>>>> On Thu, 2014-09-25 at 08:48 -0400, Lee Azzarello wrote: >>>>>> A remote code execution bug was found in the GNU Bash >>>>>> shell. >>>>>> >>>>>> http://seclists.org/oss-sec/2014/q3/650 >>>>>> >>>>>> I tested it on Debian stable from two days ago and >>>>>> indeed, I could execute code after a function definition >>>>>> in an environment variable. A server I updated yesterday >>>>>> evening was not vulnerable, as the Debian team got a >>>>>> patch released quite fast. >>>>>> >>>>>> This effects any server you run any code on, though the >>>>>> remote code execution attack vector is unlikely for many >>>>>> contemporary application servers. Read the write up for >>>>>> details about a proof of concept. >>>>>> >>>>>> Good Morning! >>>>>> >>>>>> -lee _______________________________________________ >>>>>> Guardian-dev mailing list >>>>>> >>>>>> Post: [email protected] <javascript:;> List >>>>>> info: >>>>>> https://lists.mayfirst.org/mailman/listinfo/guardian-dev >>>>>> >>>>>> To Unsubscribe Send email to: >>>>>> [email protected] >>>>>> <javascript:;> Or visit: >>>>>> >>> https://lists.mayfirst.org/mailman/options/guardian-dev/c1.android%40niftybox.net >>>>>> >>>>>> >>>>>> >>>> >>> You are subscribed as: [email protected] <javascript:;> >>>> >>>> >>>> _______________________________________________ Guardian-dev >>>> mailing list >>>> >>>> Post: [email protected] <javascript:;> List >>>> info: >>>> https://lists.mayfirst.org/mailman/listinfo/guardian-dev >>>> >>>> To Unsubscribe Send email to: >>>> [email protected] >>> <javascript:;> >>>> Or visit: >>> https://lists.mayfirst.org/mailman/options/guardian-dev/hans%40guardianproject.info >>>> >>>> >>> You are subscribed as: [email protected] <javascript:;> >>>> >>> >>> -- PGP fingerprint: 5E61 C878 0F86 295C E17D 8677 9F0F E587 >>> 374B BE81 _______________________________________________ >>> Guardian-dev mailing list >>> >>> Post: [email protected] <javascript:;> List info: >>> https://lists.mayfirst.org/mailman/listinfo/guardian-dev >>> >>> To Unsubscribe Send email to: >>> [email protected] <javascript:;> Or >>> visit: >>> https://lists.mayfirst.org/mailman/options/guardian-dev/lee%40guardianproject.info >>> >>> >>> You are subscribed as: [email protected] <javascript:;> >>> >> > -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBAgAGBQJUJNVZAAoJEKhL9IoSyjdlQVQP/iQYtoX6gUgUf8Q2MoExajx7 Q1ul0s/R0xn6eAl3Fe9hDgKF7/H4jM7CyTxyRpeWkhgaJ4gTiMcqblABoGszMiDp HrpPHhXhcgq2IKSAELRzfkvHooJIRVE9QyQb1K4+W2kqRbDD1JWCZj4KVFt8dTBK 9KFsGZ8nJdqM8t63YA4u5INVYbRWa/gCPesjMaOrL95t8F5OvMsFKgxMtuZj44XK tiOhevYcp9zWP1XIoMRpazGkFUTx9KY6hRVz4QD6yw9/LL1B2qI7M7IkqV3+i0dK 7K2mQAoVRE+P6c7QGID5HLH8T5sWNll8cQnuasZo8ElQbHLPv4SWjqRBMXFgFV1P eDz3mpDVjC4gi1AP7BBTvqaYOMj42U8coP9RI0/CTbCsR+DX1IkjkkcWDqPOj2Gi zLdGRP4N9hfMfcERtp7FeS8tG6lW8px2EstU3UwLTMRBXtmnREXJOBPGK8L6Wb/T dp0VXO+kjrPV8xArD5GbvzqCs+ZvH6kTh2z6vU6TuldA+6LhY+15rvMzey5BwnOK M2ZwTOBLCx8wmyJVvH5qObYVYFAleV+oYL55LINOfo4b+xwZr7L9Vj6vpUTWVybI xx3F9csoklTFfycIGg5qdvQnqulq1yOcdagIHpKratKkmE+igcflAXD2WQMrZO3P DxKtFq25bpwMo5HOxuBn =gzNg -----END PGP SIGNATURE----- _______________________________________________ Guardian-dev mailing list Post: [email protected] List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev To Unsubscribe Send email to: [email protected] Or visit: https://lists.mayfirst.org/mailman/options/guardian-dev/archive%40mail-archive.com You are subscribed as: [email protected]
