I don't know what you mean by "a solution". bash is a nicer programming language than /bin/sh, and it's easy to use bash in your scripts, just use #!/bin/bash. bash makes a poor /bin/sh because it adds lots of stuff that has nothing to do with /bin/sh and makes it slower and much less secure, as we are seeing with these exploits. dash makes a much better /bin/sh.
.hc

Lee Azzarello wrote:
> If I'm not mistaken, you just recommended not using bash as a
> solution. is that correct?
>
> -lee
>
> On 9/26/14, 1:24 PM, Hans-Christoph Steiner wrote:
>
>> Another reason why bash should never be your /bin/sh. For scripts
>> that need bash, they can easily use the shebang #!/bin/bash. dash
>> provides a more secure, faster /bin/sh that is /bin/sh without
>> unneeded extras.
>>
>> .hc
>>
>> Chris Ballinger wrote:
>>> Saw this SIP server Shellshock scanner today:
>>> https://github.com/zaf/sipshock
>>>
>>>> The exec module in Kamailio, Opensips and probably every other
>>>> SER fork
>>> passes the received SIP headers as environment variables to the
>>> invoking shell. This makes these SIP proxies vulnerable to
>>> CVE-2014-6271 (Bash Shellshock). If a proxy is using any of the
>>> exec functions and has the 'setvars' parameter set to 1 (default)
>>> then by sending a SIP message containing a specially crafted header
>>> we can run arbitrary code on the proxy machine.
>>>
>>> Every time I read about the Shellshock vulnerability I get
>>> flashbacks to this SNES game:
>>> https://www.youtube.com/watch?v=lASNUQ7M8gs
>>>
>>> On Thu, Sep 25, 2014 at 7:54 PM, Lee Azzarello
>>> <[email protected]> wrote:
>>>
>>> Weird. I'm using a Wheezy base install built via debootstrap on
>>> an Open Hosting container. It uses bash by default for the root
>>> user. Perhaps debootstrap or my platform build scripts override
>>> the default shell for root to be bash?
>>>
>>> Anyhoo, I think most people prefer Bash because it is very close
>>> to a real programming language. This shellshock shitstorm might
>>> be a setback for popular programming culture.
>>>
>>> -lee
>>>
>>> On 9/25/14, 9:48 PM, Hans-Christoph Steiner wrote:
>>>>>>
>>>>>> That's for "Lenny users:". See this section:
>>>>>>
>>>>>> Squeeze users:
>>>>>>
>>>>>> * Dash is always installed.
>>>>>> * /bin/sh is dash by default (even for upgraded systems).
>>>>>>
>>>>>> .hc
>>>>>>
>>>>>> Lee Azzarello wrote:
>>>>>>> I'm confused. The article you linked is instructions to
>>>>>>> install dash and configure a base system to use it as
>>>>>>> default. Am I misunderstanding something?
>>>>>>>
>>>>>>> -lee
>>>>>>>
>>>>>>> On Thursday, September 25, 2014, Hans-Christoph Steiner
>>>>>>> <[email protected]> wrote:
>>>>>>>
>>>>>>>> dash is still the default /bin/sh, for speed and
>>>>>>>> security, but you can change that to bash if you want:
>>>>>>>> https://wiki.debian.org/DashAsBinSh
>>>>>>>>
>>>>>>>> Ubuntu also uses dash by default:
>>>>>>>> https://wiki.ubuntu.com/DashAsBinSh
>>>>>>>>
>>>>>>>> .hc
>>>>>>>>
>>>>>>>> Lee Azzarello wrote:
>>>>>>>>> This output is from a Debian stable base system built
>>>>>>>>> with debootstrap and no additional packages
>>>>>>>>> installed.
>>>>>>>>>
>>>>>>>>> root@debian:~# ls -l /bin/sh
>>>>>>>>> lrwxrwxrwx 1 root root 4 Jun 17 21:47 /bin/sh -> bash
>>>>>>>>>
>>>>>>>>> I don't think Debian has used Dash since Sarge.
>>>>>>>>>
>>>>>>>>> -lee
>>>>>>>>>
>>>>>>>>> On 9/25/14, 1:36 PM, Dev Random wrote:
>>>>>>>>>> This seems mitigated by the fact that /bin/sh is ->
>>>>>>>>>> dash on debian. So unless something does explicitly
>>>>>>>>>> #!/bin/bash, things should be okay.
>>>>>>>>>>
>>>>>>>>>> BTW, there's a related vuln that's not fixed yet -
>>>>>>>>>> CVE-2014-7169
>>>>>>>>>> https://news.ycombinator.com/item?id=8365158
>>>>>>>>>>
>>>>>>>>>> On Thu, 2014-09-25 at 08:48 -0400, Lee Azzarello
>>>>>>>>>> wrote:
>>>>>>>>>>> A remote code execution bug was found in the GNU
>>>>>>>>>>> Bash shell.
>>>>>>>>>>>
>>>>>>>>>>> http://seclists.org/oss-sec/2014/q3/650
>>>>>>>>>>>
>>>>>>>>>>> I tested it on Debian stable from two days ago
>>>>>>>>>>> and indeed, I could execute code after a function
>>>>>>>>>>> definition in an environment variable. A server I
>>>>>>>>>>> updated yesterday evening was not vulnerable, as
>>>>>>>>>>> the Debian team got a patch released quite fast.
>>>>>>>>>>>
>>>>>>>>>>> This affects any server you run any code on,
>>>>>>>>>>> though the remote code execution attack vector is
>>>>>>>>>>> unlikely for many contemporary application
>>>>>>>>>>> servers. Read the write up for details about a
>>>>>>>>>>> proof of concept.
>>>>>>>>>>>
>>>>>>>>>>> Good Morning!
>>>>>>>>>>>
>>>>>>>>>>> -lee
>>>>>>>>>>> _______________________________________________
>>>>>>>>>>> Guardian-dev mailing list
>>>>>>>>>>>
>>>>>>>>>>> Post: [email protected]
>>>>>>>>>>> List info:
>>>>>>>>>>> https://lists.mayfirst.org/mailman/listinfo/guardian-dev
>>>>>>>>>>>
>>>>>>>>>>> To Unsubscribe Send email to:
>>>>>>>>>>> [email protected]
>>>>>>>>>>> Or visit:
>>>>>>>>>>> https://lists.mayfirst.org/mailman/options/guardian-dev/c1.android%40niftybox.net
>>>>>>>>>>>
>>>>>>>>>>> You are subscribed as: [email protected]
>>>>>>>>>
>>>>>>>> -- PGP fingerprint: 5E61 C878 0F86 295C E17D 8677 9F0F
>>>>>>>> E587 374B BE81
>
> -- PGP fingerprint: 5E61 C878 0F86 295C E17D 8677 9F0F E587 374B BE81
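A self-check in the spirit of the thread's dash-versus-bash discussion, added here as an example and not part of any message in the thread: it reports what /bin/sh resolves to and whether a given shell runs the command that trails an exported function definition (the CVE-2014-6271 behaviour Lee describes). The function and variable names are my own; it assumes a POSIX sh with `readlink -f`.

```shell
#!/bin/sh
# Added example (not from the thread): inventory /bin/sh and check whether
# a shell executes trailing commands appended to an exported function
# definition, the CVE-2014-6271 behaviour discussed above.

# Print the binary /bin/sh resolves to (e.g. "dash" or "bash"), following symlinks.
sh_implementation() {
    if [ -L /bin/sh ]; then
        basename "$(readlink -f /bin/sh)"
    else
        basename /bin/sh
    fi
}

# Print "vulnerable", "patched" or "missing" for the shell binary $1.
# An unpatched bash parses CHECK_VAR as a function definition and also runs
# the command after the closing brace; a patched bash (or dash) ignores it.
shellshock_check() {
    shell="$1"
    command -v "$shell" >/dev/null 2>&1 || { echo missing; return 0; }
    out=$(env CHECK_VAR='() { :; }; echo TRAILING_CODE_RAN' \
          "$shell" -c 'echo probe' 2>/dev/null || true)
    case "$out" in
        *TRAILING_CODE_RAN*) echo vulnerable ;;
        *) echo patched ;;
    esac
}

# Report for /bin/sh and for bash explicitly: scripts that use #!/bin/bash
# bypass whatever /bin/sh points at, so both need checking.
main() {
    echo "/bin/sh is $(sh_implementation)"
    for s in /bin/sh bash; do
        printf '%s: %s\n' "$s" "$(shellshock_check "$s")"
    done
}

main "$@"
```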
