Anthony,
No, what you say is valid. Bash is indeed a mongrel, but it is a likeable
mongrel and it earns its keep. I suspect that security analysis of bash
is going to be a big topic; maybe the mongrel can be paper trained.
Finally, in relation to your comments, my own big question right now is
how much bash CGI is there in say... "cups", the Linux print manager?
Regards,
Paul
On Thu, 25 Sep 2014, Anthony Carrico wrote:
Date: Thu, 25 Sep 2014 13:02:38 -0400
From: Anthony Carrico <[email protected]>
Reply-To: Vermont Area Group of Unix Enthusiasts <[email protected]>
To: [email protected]
Subject: Re: ssschk.sh
I know I am stupid for commenting on a security alert that I don't know
that much about, but hey, this is the Internet, right? Here it goes:
I'm not liking these hackish security fixes in Unix/Linux. Bash is a
programming language. It has features. Programs abuse these features and
create security holes in themselves. Fix the programs, or maybe quit
using them. Maybe quit using bash. Did you read the part "what about
programs that rely on these features?" The answer is "that is bad
practice". Dude, these programs are putting arbitrary unaudited stuff in
environment variables, and passing them to bash, a language that NOBODY
understands, a language with no semantics. That is good practice? Next
thing you will tell me that people trying to take bash out of the system
(think systemd) are evil.
Uh, sorry for the rant, not sure where that came from.
--
Anthony Carrico
Kindest Regards,
Paul Flint