Both Debian and Ubuntu have shipped with dash as /bin/sh for many years, so if you're using packages from those repos, you should be fine. Can't help you with Solaris ;-)

.hc

Lee Azzarello wrote:
> I guess I've been too reactive due to the escalating panic all up on the interwebs. There have been some randos on Twitter who have suggested /removing bash/ as a solution. Which to me sounds hilarious since what does pid 1 do when bash is gone?
> 
> I understand your point and I agree. Though I fear that the test coverage for your recommendation is impossible in practice for existing software. I can't ensure that replacing /bin/sh with something other than Bash would not break random software that people run on boot. There's a bunch of stuff in /etc/init.d that could possibly require /bin/bash, right? I really don't know.
> 
> Anecdote: I had a short gig not too long ago to install some esoteric enterprise database on Solaris 10 for some financial institution. The default shell for Solaris 10 is...wait for it...
> 
> C shell!
> 
> *mind blown*
> 
> I never thought I would long for the luxury of bash.
> 
> -lee
> 
> On 9/27/14, 7:09 PM, Hans-Christoph Steiner wrote:
>> I don't know what you mean by "a solution". bash is a nicer programming language than /bin/sh, and it's easy to use bash in your scripts, just use #!/bin/bash. bash makes a poor /bin/sh because it adds lots of stuff that has nothing to do with /bin/sh and makes it slower and much less secure, as we are seeing with these exploits. dash makes a much better /bin/sh.
>> 
>> .hc
>> 
>> Lee Azzarello wrote:
>>> If I'm not mistaken, you just recommended not using bash as a solution. Is that correct?
>>> 
>>> -lee
>>> 
>>> On 9/26/14, 1:24 PM, Hans-Christoph Steiner wrote:
>>>> Another reason why bash should never be your /bin/sh. For scripts that need bash, they can easily use the shebang #!/bin/bash. dash provides a more secure, faster /bin/sh that is /bin/sh without unneeded extras.
>>>> 
>>>> .hc
>>>> 
>>>> Chris Ballinger wrote:
>>>>> Saw this SIP server Shellshock scanner today: https://github.com/zaf/sipshock
>>>>> 
>>>>>> The exec module in Kamailio, Opensips and probably every other SER fork passes the received SIP headers as environment variables to the invoking shell. This makes these SIP proxies vulnerable to CVE-2014-6271 (Bash Shellshock). If a proxy is using any of the exec functions and has the 'setvars' parameter set to 1 (default) then by sending a SIP message containing a specially crafted header we can run arbitrary code on the proxy machine.
>>>>> 
>>>>> Every time I read about the Shellshock vulnerability I get flashbacks to this SNES game: https://www.youtube.com/watch?v=lASNUQ7M8gs
>>>>> 
>>>>> On Thu, Sep 25, 2014 at 7:54 PM, Lee Azzarello <[email protected]> wrote:
>>>>>> Weird. I'm using a Wheezy base install built via debootstrap on an Open Hosting container. It uses bash by default for the root user. Perhaps debootstrap or my platform build scripts override the default shell for root to be bash?
>>>>>> 
>>>>>> Anyhoo, I think most people prefer Bash because it is very close to a real programming language. This shellshock shitstorm might be a setback for popular programming culture.
>>>>>> 
>>>>>> -lee
>>>>>> 
>>>>>> On 9/25/14, 9:48 PM, Hans-Christoph Steiner wrote:
>>>>>>> That's for "Lenny users:". See this section:
>>>>>>> 
>>>>>>> Squeeze users:
>>>>>>> 
>>>>>>> * Dash is always installed.
>>>>>>> * /bin/sh is dash by default (even for upgraded systems).
>>>>>>> 
>>>>>>> .hc
>>>>>>> 
>>>>>>> Lee Azzarello wrote:
>>>>>>>> I'm confused. The article you linked is instructions to install dash and configure a base system to use it as default. Am I misunderstanding something?
>>>>>>>> 
>>>>>>>> -lee
>>>>>>>> 
>>>>>>>> On Thursday, September 25, 2014, Hans-Christoph Steiner <[email protected]> wrote:
>>>>>>>>> dash is still the default /bin/sh, for speed and security, but you can change that to bash if you want: https://wiki.debian.org/DashAsBinSh
>>>>>>>>> 
>>>>>>>>> Ubuntu also uses dash by default: https://wiki.ubuntu.com/DashAsBinSh
>>>>>>>>> 
>>>>>>>>> .hc
>>>>>>>>> 
>>>>>>>>> Lee Azzarello wrote:
>>>>>>>>>> This output is from a Debian stable base system built with debootstrap and no additional packages installed.
>>>>>>>>>> 
>>>>>>>>>> root@debian:~# ls -l /bin/sh
>>>>>>>>>> lrwxrwxrwx 1 root root 4 Jun 17 21:47 /bin/sh -> bash
>>>>>>>>>> 
>>>>>>>>>> I don't think Debian has used Dash since Sarge.
>>>>>>>>>> 
>>>>>>>>>> -lee
>>>>>>>>>> 
>>>>>>>>>> On 9/25/14, 1:36 PM, Dev Random wrote:
>>>>>>>>>>> This seems mitigated by the fact that /bin/sh is -> dash on debian. So unless something does explicitly #!/bin/bash, things should be okay.
>>>>>>>>>>> 
>>>>>>>>>>> BTW, there's a related vuln that's not fixed yet - CVE-2014-7169
>>>>>>>>>>> https://news.ycombinator.com/item?id=8365158
>>>>>>>>>>> 
>>>>>>>>>>> On Thu, 2014-09-25 at 08:48 -0400, Lee Azzarello wrote:
>>>>>>>>>>>> A remote code execution bug was found in the GNU Bash shell.
>>>>>>>>>>>> 
>>>>>>>>>>>> http://seclists.org/oss-sec/2014/q3/650
>>>>>>>>>>>> 
>>>>>>>>>>>> I tested it on Debian stable from two days ago and indeed, I could execute code after a function definition in an environment variable. A server I updated yesterday evening was not vulnerable, as the Debian team got a patch released quite fast.
>>>>>>>>>>>> 
>>>>>>>>>>>> This affects any server you run any code on, though the remote code execution attack vector is unlikely for many contemporary application servers. Read the write-up for details about a proof of concept.
>>>>>>>>>>>> 
>>>>>>>>>>>> Good Morning!
>>>>>>>>>>>> 
>>>>>>>>>>>> -lee
-- 
PGP fingerprint: 5E61 C878 0F86 295C E17D 8677 9F0F E587 374B BE81

_______________________________________________
Guardian-dev mailing list

Post: [email protected]
List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev

To Unsubscribe
Send email to: [email protected]
Or visit: https://lists.mayfirst.org/mailman/options/guardian-dev/archive%40mail-archive.com

You are subscribed as: [email protected]
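The audit Lee asks about in the thread above (whether anything in /etc/init.d silently needs bash before /bin/sh is switched to dash), as an added example that is not part of this thread and not a Debian or Ubuntu tool: a POSIX sh script that classifies each script in a directory by the interpreter its shebang names. The init.d-style directory it scans is constructed inline so it runs offline; point count_bash_scripts at /etc/init.d to run it for real.

```sh
# Audit init scripts for the interpreter each one asks for, so a switch of
# /bin/sh to dash breaks nothing that silently needs bash. Added example, not a Debian tool.
# Print the interpreter a script's shebang names (empty if it has none);
# "#!/usr/bin/env bash" reports "bash" just like "#!/bin/bash" does.
shebang_interp() {
    first=$(head -n 1 "$1")
    case "$first" in
        '#!'*) ;;
        *) printf '\n'; return 0 ;;
    esac
    set -- ${first#??}    # drop "#!", then split on whitespace
    case "$1" in
        */env) printf '%s\n' "$2" ;;
        *)     printf '%s\n' "$1" ;;
    esac
}

# bash: must keep #!/bin/bash. sh: runs under dash. none: runs under whatever invokes it.
script_class() {
    interp=$(shebang_interp "$1")
    case "${interp##*/}" in
        bash) echo bash ;;
        sh)   echo sh ;;
        '')   echo none ;;
        *)    echo other ;;
    esac
}

# Count the scripts in a directory that explicitly require bash.
count_bash_scripts() {
    n=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if [ "$(script_class "$f")" = bash ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Constructed sample init.d directory so the audit runs offline.
make_sample() {
    d=$(mktemp -d)
    printf '#!/bin/sh\necho posix\n'         > "$d/networking"
    printf '#!/bin/bash\necho bashism\n'     > "$d/legacy-db"
    printf '#!/usr/bin/env bash\necho env\n' > "$d/vendor-app"
    printf 'echo no-shebang\n'               > "$d/rc.local"
    echo "$d"
}
dir=$(make_sample)
for f in "$dir"/*; do printf '%-6s %s\n' "$(script_class "$f")" "$f"; done
echo "scripts that require bash: $(count_bash_scripts "$dir")"
```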
