bash security hole
O. Sinclair
o.sinclair at gmail.com
Sun Sep 28 06:24:34 UTC 2014
On 28/09/2014 04:26, Steve Riley wrote:
> On 2014-09-27 08:55:01 Scott DuBois <sdubois at linux.com> wrote:
>>
>> Thanks Steve, but isn't dash public facing through the servers
>> while bash is not (at least by default, anyway)?
>>
>> _from another mailing list_:
>>
>> "If I understand correctly, the general path to execution is any
>> external calls to bash explicitly, or to /bin/sh in any fashion,
>> most notably via the system(3) syscall. Amirite? So, first
>> point, /bin/sh doesn't need to be bash. On Debian[1]/*buntu[2]
>> systems by default, it's been dash (Debian Almquist shell, a
>> variant of the lightweight Bourne-compatible Almquist shell
>> 'ash') for many years, because dash is smaller, faster, and -- ta
>> da! -- less feature-bloated hence less likely to be involved in
>> security problems."
>
> Not exactly sure what you may mean by "public facing." The author
> of a script can specify whatever shell he/she wishes for executing
> any script. You'll see this in the first line. For instance,
> scripts that begin with
>
> #!/bin/bash
>
> Will use Bash to execute. Scripts that begin with
>
> #!/bin/sh
>
> Will use sh. On Debian/Ubuntu, /bin/sh is a symbolic link to
> /bin/dash. The #! notation is called a "shebang"; read more at
> https://en.wikipedia.org/wiki/Shebang_(Unix).
>
> Bash is the default login shell for Debian and Ubuntu. It's also
> used by quite a number of scripts in the system. You can check this
> for yourself:
>
> user at host:~$ grep -R '#!/bin/bash' /bin /sbin /usr/bin /usr/sbin
>
> Notably, /sbin/dhclient-script is the one that seems to allow
> malicious DNS servers to attack a target machine.
>
>
As those of us who update regularly can see, the devs are busy updating
bash, so I think we desktop/server users are pretty safe.
As I understand it, the future cause for concern is various hardware
using Linux that is highly unlikely to be updated by manufacturers
and users. I have a router myself at home that is Linux-based and I
very much doubt the manufacturer will update the firmware.
Not that I see myself as a possible target, but you get the point.
kind regards
Sinclair
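Added example, not part of the thread above: a small POSIX sh script that does what Steve's grep is meant to do, but by reading each file's shebang line instead of matching the string '#!/bin/bash' anywhere in the file. The grep over-matches (a dash script that merely mentions '#!/bin/bash' in a comment is reported) and under-matches ('#! /bin/bash' with a space, or '#!/usr/bin/env bash', is missed). The sample directory the script builds is constructed here for demonstration and is not a real system tree; on a real box you would pass /bin /sbin /usr/bin /usr/sbin to bash_scripts instead.

```shell
#!/bin/sh
# Added example (not from the original thread): classify scripts by the
# interpreter named in their shebang line, and show what /bin/sh points at.

# Print the basename of the interpreter named by a file's shebang line.
# Handles '#!/bin/bash', '#! /bin/bash' and '#!/usr/bin/env bash'.
# Prints nothing and returns 1 if the file has no shebang.
shebang_interp() {
    first=$(head -n 1 -- "$1" 2>/dev/null) || return 1
    case "$first" in
        '#!'*) ;;
        *) return 1 ;;
    esac
    rest=${first#\#!}
    # Word-split the remainder: $1 is the interpreter, $2 its first argument.
    set -- $rest
    interp=$1
    # '#!/usr/bin/env bash' names env; the real interpreter is its argument.
    if [ "$(basename -- "$interp")" = "env" ]; then
        interp=$2
    fi
    [ -n "$interp" ] || return 1
    basename -- "$interp"
}

# List regular files under the given directories whose shebang names bash.
bash_scripts() {
    find "$@" -type f 2>/dev/null | while IFS= read -r f; do
        if [ "$(shebang_interp "$f")" = "bash" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Report which binary /bin/sh resolves to (dash on Debian/Ubuntu by default).
sh_target() {
    readlink -f /bin/sh 2>/dev/null || ls -l /bin/sh
}

# Build a constructed sample tree (fake scripts, not real system files).
make_sample() {
    dir=$(mktemp -d)
    printf '#!/bin/bash\necho hi\n' > "$dir/a"                 # plain bash
    printf '#! /bin/bash\necho hi\n' > "$dir/b"                # space after #!
    printf '#!/usr/bin/env bash\necho hi\n' > "$dir/c"         # via env
    printf '#!/bin/sh\n# says #!/bin/bash only in a comment\n' > "$dir/d"
    printf 'plain data, no shebang\n' > "$dir/e"
    printf '%s\n' "$dir"
}

# Demo on the constructed sample tree.
sample=$(make_sample)
printf '/bin/sh -> %s\n' "$(sh_target)"
printf 'scripts whose shebang names bash:\n'
bash_scripts "$sample"
printf "files matched by grep -Rl '#!/bin/bash':\n"
grep -Rl '#!/bin/bash' "$sample"
rm -rf "$sample"
```

Of the five sample files, the shebang check reports a, b and c; the grep reports a and d, missing two bash scripts and flagging a dash script. The point from the thread still holds either way: a script runs under whatever its first line names, so a '#!/bin/sh' script on Debian/Ubuntu runs under dash regardless of the user's login shell.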