I guess I've been too reactive due to the escalating panic all up on the interwebs. There have been some randos on Twitter who have suggested /removing bash/ as a solution. Which to me sounds hilarious since what does pid 1 do when bash is gone?
I understand your point and I agree. Though I fear that the test coverage for your recommendation is impossible in practice for existing software. I can't ensure that replacing /bin/sh with something other than Bash would not break random software that people run on boot. There's a bunch of stuff in /etc/init.d that could possibly require /bin/bash, right? I really don't know.

Anecdote: I had a short gig not too long ago to install some esoteric enterprise database on Solaris 10 for some financial institution. The default shell for Solaris 10 is...wait for it... C shell! *mind blown* I never thought I would long for the luxury of bash.

-lee

On 9/27/14, 7:09 PM, Hans-Christoph Steiner wrote:
>
> I don't know what you mean by "a solution". bash is a nicer programming
> language than /bin/sh, and it's easy to use bash in your scripts, just use
> #!/bin/bash. bash makes a poor /bin/sh because it adds lots of stuff that has
> nothing to do with /bin/sh and makes it slower and much less secure, as we are
> seeing with these exploits. dash makes a much better /bin/sh
>
> .hc
>
> Lee Azzarello wrote:
>> If I'm not mistaken, you just recommended not using bash as a
>> solution. Is that correct?
>>
>> -lee
>>
>> On 9/26/14, 1:24 PM, Hans-Christoph Steiner wrote:
>>
>>> Another reason why bash should never be your /bin/sh. For scripts
>>> that need bash, they can easily use the shebang #!/bin/bash. dash
>>> provides a more secure, faster /bin/sh that is /bin/sh without
>>> unneeded extras.
>>>
>>> .hc
>>>
>>> Chris Ballinger wrote:
>>>> Saw this SIP server Shellshock scanner today:
>>>> https://github.com/zaf/sipshock
>>>>
>>>>> The exec module in Kamailio, Opensips and probably every other
>>>>> SER fork passes the received SIP headers as environment variables
>>>>> to the invoking shell. This makes these SIP proxies vulnerable to
>>>>> CVE-2014-6271 (Bash Shellshock). If a proxy is using any of the
>>>>> exec functions and has the 'setvars' parameter set to 1 (default)
>>>>> then by sending a SIP message containing a specially crafted header
>>>>> we can run arbitrary code on the proxy machine.
>>>>
>>>> Every time I read about the Shellshock vulnerability I get
>>>> flashbacks to this SNES game:
>>>> https://www.youtube.com/watch?v=lASNUQ7M8gs
>>>>
>>>> On Thu, Sep 25, 2014 at 7:54 PM, Lee Azzarello
>>>> <[email protected]> wrote:
>>>>
>>>>> Weird. I'm using a Wheezy base install built via debootstrap on
>>>>> an Open Hosting container. It uses bash by default for the root
>>>>> user. Perhaps debootstrap or my platform build scripts override
>>>>> the default shell for root to be bash?
>>>>>
>>>>> Anyhoo, I think most people prefer Bash because it is very close
>>>>> to a real programming language. This shellshock shitstorm might
>>>>> be a setback for popular programming culture.
>>>>>
>>>>> -lee
>>>>>
>>>>> On 9/25/14, 9:48 PM, Hans-Christoph Steiner wrote:
>>>>>>
>>>>>> That's for "Lenny users:". See this section:
>>>>>>
>>>>>> Squeeze users:
>>>>>>
>>>>>> * Dash is always installed.
>>>>>> * /bin/sh is dash by default (even for upgraded systems).
>>>>>>
>>>>>> .hc
>>>>>>
>>>>>> Lee Azzarello wrote:
>>>>>>> I'm confused. The article you linked is instructions to
>>>>>>> install dash and configure a base system to use it as
>>>>>>> default. Am I misunderstanding something?
>>>>>>>
>>>>>>> -lee
>>>>>>>
>>>>>>> On Thursday, September 25, 2014, Hans-Christoph Steiner
>>>>>>> <[email protected]> wrote:
>>>>>>>
>>>>>>>> dash is still the default /bin/sh, for speed and
>>>>>>>> security, but you can change that to bash if you want:
>>>>>>>> https://wiki.debian.org/DashAsBinSh
>>>>>>>>
>>>>>>>> Ubuntu also uses dash by default:
>>>>>>>> https://wiki.ubuntu.com/DashAsBinSh
>>>>>>>>
>>>>>>>> .hc
>>>>>>>>
>>>>>>>> Lee Azzarello wrote:
>>>>>>>>> This output is from a Debian stable base system built
>>>>>>>>> with debootstrap and no additional packages
>>>>>>>>> installed.
>>>>>>>>>
>>>>>>>>> root@debian:~# ls -l /bin/sh
>>>>>>>>> lrwxrwxrwx 1 root root 4 Jun 17 21:47 /bin/sh -> bash
>>>>>>>>>
>>>>>>>>> I don't think Debian has used Dash since Sarge.
>>>>>>>>>
>>>>>>>>> -lee
>>>>>>>>>
>>>>>>>>> On 9/25/14, 1:36 PM, Dev Random wrote:
>>>>>>>>>> This seems mitigated by the fact that /bin/sh is ->
>>>>>>>>>> dash on debian. So unless something does explicitly
>>>>>>>>>> #!/bin/bash, things should be okay.
>>>>>>>>>>
>>>>>>>>>> BTW, there's a related vuln that's not fixed yet -
>>>>>>>>>> CVE-2014-7169
>>>>>>>>>> https://news.ycombinator.com/item?id=8365158
>>>>>>>>>>
>>>>>>>>>> On Thu, 2014-09-25 at 08:48 -0400, Lee Azzarello
>>>>>>>>>> wrote:
>>>>>>>>>>> A remote code execution bug was found in the GNU
>>>>>>>>>>> Bash shell.
>>>>>>>>>>>
>>>>>>>>>>> http://seclists.org/oss-sec/2014/q3/650
>>>>>>>>>>>
>>>>>>>>>>> I tested it on Debian stable from two days ago
>>>>>>>>>>> and indeed, I could execute code after a function
>>>>>>>>>>> definition in an environment variable. A server I
>>>>>>>>>>> updated yesterday evening was not vulnerable, as
>>>>>>>>>>> the Debian team got a patch released quite fast.
>>>>>>>>>>>
>>>>>>>>>>> This affects any server you run any code on,
>>>>>>>>>>> though the remote code execution attack vector is
>>>>>>>>>>> unlikely for many contemporary application
>>>>>>>>>>> servers. Read the write-up for details about a
>>>>>>>>>>> proof of concept.
>>>>>>>>>>>
>>>>>>>>>>> Good Morning!
>>>>>>>>>>>
>>>>>>>>>>> -lee
>>>>>>>>>>> _______________________________________________
>>>>>>>>>>> Guardian-dev mailing list
>>>>>>>>>>>
>>>>>>>>>>> Post: [email protected]
>>>>>>>>>>> List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
>>>>>>>>>>>
>>>>>>>>>>> To Unsubscribe
>>>>>>>>>>> Send email to: [email protected]
>>>>>>>>>>> Or visit: https://lists.mayfirst.org/mailman/options/guardian-dev/c1.android%40niftybox.net
>>>>>>>>>>>
>>>>>>>>>>> You are subscribed as: [email protected]
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> PGP fingerprint: 5E61 C878 0F86 295C E17D 8677 9F0F E587 374B BE81
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
_______________________________________________ Guardian-dev mailing list Post: [email protected] List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev To Unsubscribe Send email to: [email protected] Or visit: https://lists.mayfirst.org/mailman/options/guardian-dev/archive%40mail-archive.com You are subscribed as: [email protected]
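The check Lee describes (a command placed after a function definition in an environment variable, executed by an unpatched bash at startup) and the `ls -l /bin/sh` check from the thread, as an added example that is not part of the thread or of any project it mentions: a POSIX sh script that reports what /bin/sh resolves to and runs a harmless CVE-2014-6271 probe against bash, dash and sh. The payload only echoes a marker, so it is safe to run on a production host. It assumes a GNU or BusyBox userland (`readlink -f`) and does not probe the follow-up bug CVE-2014-7169 mentioned by Dev Random.

```sh
#!/bin/sh
# Added example (not from the thread): report what /bin/sh resolves to and
# probe a shell for CVE-2014-6271 by exporting an environment variable whose
# value is a function definition followed by a command. The payload only
# echoes a marker, so the probe is harmless. Assumes GNU or BusyBox
# userland (readlink -f). CVE-2014-7169 is not probed.

# Print the program /bin/sh actually is (e.g. "dash" or "bash"), or
# "missing" when there is no /bin/sh at all.
resolve_sh() {
    [ -e /bin/sh ] || { echo missing; return 0; }
    basename "$(readlink -f /bin/sh)"
}

# Exit status 0 if the shell named by $1 runs the command that follows an
# exported function definition (vulnerable to CVE-2014-6271), 1 if it does
# not, 2 if $1 cannot be executed. dash and patched bash both return 1:
# dash never imports functions from the environment, and patched bash only
# imports them from specially prefixed variables (such as BASH_FUNC_name%%)
# and refuses a definition with anything after the closing brace.
shellshock_probe() {
    shell=$1
    command -v "$shell" >/dev/null 2>&1 || return 2
    # An unpatched bash parses x as a function at startup and keeps parsing
    # past the closing brace, executing "echo SHELLSHOCK_MARKER".
    out=$(env x='() { :;}; echo SHELLSHOCK_MARKER' "$shell" -c 'echo probe' 2>/dev/null)
    case $out in
        *SHELLSHOCK_MARKER*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print one line per shell: vulnerable, not vulnerable, or not installed.
report() {
    echo "/bin/sh -> $(resolve_sh)"
    for s in bash dash sh; do
        shellshock_probe "$s" && rc=0 || rc=$?
        case $rc in
            0) echo "$s: VULNERABLE to CVE-2014-6271" ;;
            1) echo "$s: not vulnerable" ;;
            *) echo "$s: not installed" ;;
        esac
    done
}

report
```

Note that the probe answers a narrower question than "is bash gone": a script with `#!/bin/bash`, or a daemon that execs bash by name, is still exposed on a host whose /bin/sh is dash, which is why the thread's advice is to patch bash and also keep dash as /bin/sh rather than to pick one of the two.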
