I know I created the original post that sparked this debate, but I have to say that we've been checking our servers all day, and we cannot get any of them to act compromised ... we don't use bash scripts in our cgi-bin and nothing seems to try to run bash at all (fuser `which bash` only returns my shells)
The ssh things could be an issue, but we're nuking all ssh authorized_keys wherever we find them, and we don't have accounts restricted to running specific applications via ssh, so the users who can ssh in should know what they're doing, or not know so much that they aren't a threat. I do have bash scripts on our system that users run manually, but that is because the old Solaris 10 /bin/sh is brain-dead, csh is a nasty piece of work for scripting and ksh scripts don't seem as portable to Linux/old Solaris boxes.

Jon

On 25 September 2014 18:18, Gary Gendel <g...@genashor.com> wrote:

> I believe we mostly skirt the issue because, unlike Linux, the default
> shell (/bin/sh) is ksh93 not bash. This means that under normal conditions
> we shouldn't have an issue. Only if your cgi scripts actually request bash
> will apache be a problem. As for ssh, it depends upon the login shell for
> the user.
>
> On 09/25/2014 01:04 PM, Tim Mooney wrote:
>
>> In regard to: Re: [OpenIndiana-discuss] Bash bug issue, Bob
>> Friesenhahn...:
>>
>>> Unfortunately, 'dash' is not completely compatible with scripts written
>>> for 'bash'. It is not clear to me why people write shell scripts targeting
>>> bash, but it seems to happen often.
>>
>> Two reasons:
>>
>> - It's the "all the world's a VAX" syndrome for the current generation.
>>
>> - bash (and ksh) do provide some handy features that traditional Bourne
>>   shell does not, and for a large portion of inexperienced programmers,
>>   convenience/laziness trumps portability
>>
>> Both things drive me crazy, but they've been going on for my entire
>> career in computing, so I have no reason to expect that either are going
>> to ever disappear.
>>
>> Tim
>
> _______________________________________________
> openindiana-discuss mailing list
> openindiana-discuss@openindiana.org
> http://openindiana.org/mailman/listinfo/openindiana-discuss
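
As an added example (not part of the original thread), the script below carries out the two checks discussed in the messages above: which scripts under a cgi-bin directory request bash in their shebang line, and which accounts have bash as their login shell. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: list where bash is requested explicitly (CGI shebangs, login shells).

# True if the first line of file $1 is a shebang that names bash, either
# directly (#!/usr/bin/bash) or through env (#!/usr/bin/env bash).
requests_bash() {
    line=$(head -n 1 "$1" 2>/dev/null | tr -d '\000\r')
    case $line in
        '#!'*) line=${line#'#!'} ;;
        *) return 1 ;;
    esac
    read -r interp arg rest <<EOF
$line
EOF
    interp=${interp##*/}
    if [ "$interp" = env ]; then interp=${arg##*/}; fi
    [ "$interp" = bash ]
}

# Print every regular file under directory $1 whose shebang requests bash.
list_bash_scripts() {
    find "$1" -type f | sort | while IFS= read -r f; do
        if requests_bash "$f"; then printf '%s\n' "$f"; fi
    done
}

# Print accounts in passwd-format file $1 whose login shell is bash.
bash_login_users() {
    awk -F: '$7 ~ /(^|\/)bash$/ { print $1 }' "$1"
}

# Build a constructed sample tree (not real data) and print its path.
make_sample() {
    d=$(mktemp -d) && mkdir "$d/cgi-bin" || return 1
    printf '#!/bin/sh\necho ok\n'            > "$d/cgi-bin/status.cgi"
    printf '#!/usr/bin/bash\necho ok\n'      > "$d/cgi-bin/report.cgi"
    printf '#! /usr/bin/env bash\necho ok\n' > "$d/cgi-bin/env.cgi"
    printf '#!/usr/bin/perl\nprint "ok";\n'  > "$d/cgi-bin/form.cgi"
    printf 'root:x:0:0::/root:/usr/bin/bash\nweb:x:80:80::/:/bin/sh\njon:x:101:10::/home/jon:/bin/bash\n' > "$d/passwd"
    printf '%s\n' "$d"
}

sample=$(make_sample)
echo "CGI scripts requesting bash:"; list_bash_scripts "$sample/cgi-bin"
echo "Accounts with bash as login shell:"; bash_login_users "$sample/passwd"
rm -rf "$sample"
```

On a real host, point `list_bash_scripts` at the web server's CGI directory and `bash_login_users` at `/etc/passwd`. A `#!/bin/sh` script is reported as safe only on the assumption made in the thread, that `/bin/sh` is not bash on the system being checked.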