Re: Shellshock

Posted: Fri Sep 26, 2014 11:23 am
by duck
VenomousPinecone wrote: Whaddya' mean? that's not what the floppy drive is for? All these years of my life spent in confusion.


French-kissing floppy drives is a thing I hadn't yet imagined, but alas it is now quite hard to forget.

Re: Shellshock

Posted: Fri Sep 26, 2014 12:04 pm
by foetz
duck wrote:
robespierre wrote:

$ sudo -s
# chmod -x /bin/bash
# ln -f /bin/ksh /bin/sh


fuggeddaboutit....


On linux this will likely break things badly. Remember that these kids have been thinking that sh = bash since they first licked a beige box.

i did the same on osx but with zsh. might work for linux, too

Re: Shellshock

Posted: Fri Sep 26, 2014 12:11 pm
by duck
foetz wrote:
robespierre wrote:

# ln -f /bin/ksh /bin/sh


i did the same on osx but with zsh. might work for linux, too


That might work better, and osx probably has less of a dependency on it wrt. system scripts.

Re: Shellshock

Posted: Fri Sep 26, 2014 12:42 pm
by josehill
duck wrote:
robespierre wrote:

$ sudo -s
# chmod -x /bin/bash
# ln -f /bin/ksh /bin/sh

fuggeddaboutit....

On linux this will likely break things badly. Remember that these kids have been thinking that sh = bash since they first licked a beige box.

Yeah, duck is right. I'd be cautious about simply replacing bash with ksh as "sh" on a production machine, especially if it's a multi-user machine. If you can be sure that every script is limited to basic Bourne functions, you'll probably be okay, but ksh and bash are not 100% interchangeable. They are both supersets of sh functionality, but the extra features do not completely overlap each other, and if anything calls a unique function, the results may be quite unexpected.

There is also the problem of scripts which explicitly call /bin/bash, which is usually the "correct" thing to do if you are using superset functionality.

Re: Shellshock

Posted: Fri Sep 26, 2014 1:14 pm
by jan-jaap
Debian has 'dash' as /bin/sh, but of course /bin/bash is there so that won't save you. I just installed the third bash update in 2 days :(

Re: Shellshock

Posted: Fri Sep 26, 2014 8:09 pm
by hamei
VenomousPinecone wrote: Whaddya' mean? that's not what the floppy drive is for? All these years of my life spent in confusion.

Madame Chiang ! Madame Chiang ! Is it really true ? :P

Re: Shellshock

Posted: Sat Sep 27, 2014 12:57 pm
by ClassicHasClass
What are you saying, VP? That the floppy makes your internal drives hard?

Thank you, I'll be here all week.

Re: Shellshock

Posted: Sat Sep 27, 2014 1:48 pm
by josehill
ClassicHasClass wrote: What are you saying, VP? That the floppy makes your internal drives hard?

Thank you, I'll be here all week.

I'm tempted to issue a Moderator's Warning for corniness. :D

Re: Shellshock

Posted: Sat Sep 27, 2014 9:13 pm
by ClassicHasClass
Hey, I'm just staying classy.

Re: Shellshock

Posted: Mon Sep 29, 2014 10:10 am
by ClassicHasClass

Re: Shellshock

Posted: Mon Sep 29, 2014 10:45 am
by josehill
Thanks, CHC. Much appreciated!

"Shellshock" Bash bug

Posted: Tue Sep 30, 2014 3:09 am
by jwp
Everyone has criticized the Bourne syntax and its ambiguity for the last 30 years, and now I guess the chickens are coming home to roost. It doesn't help that Bash is more complex and adds numerous features (basically a superset of ksh88). Fortunately BSD and Debian-derived systems are mostly safe from it ("/bin/sh" is not Bash on those systems).

Updating is easy and only takes a few seconds, but it's unfortunate that it has to happen at all. I wouldn't be sad if Linux distros just replaced Bash with mksh for a standard shell (upgrade to "rc"?). Really, the features of ksh88 were always good enough. We don't need SSH host autocompletion or other stupid things. Unfortunately part of the GNU strategy in the 1980s was to extend Unix programs by adding more features so everyone would want the "super" versions. Some of their improvements were good, like removing artificial limits, and using more efficient algorithms, but adding features led to bloat.

Edsger Dijkstra wrote: How do we convince people that in programming simplicity and clarity —in short: what mathematicians call "elegance"— are not a dispensable luxury, but a crucial matter that decides between success and failure?

Edsger Dijkstra wrote: Simplicity is a great virtue but it requires hard work to achieve it and education to appreciate it. And to make matters worse: complexity sells better.

On Debian 7:

$ ls -l /bin/{bash,dash,ksh93,mksh} /usr/bin/rc
-rwxr-xr-x 1 root root  975488 Sep 25 14:49 /bin/bash
-rwxr-xr-x 1 root root  106920 Mar  1  2012 /bin/dash
-rwxr-xr-x 1 root root 1489008 Jan  2  2013 /bin/ksh93
-rwxr-xr-x 1 root root  293648 Feb 15  2013 /bin/mksh
-rwxr-xr-x 1 root root   89720 Feb 24  2012 /usr/bin/rc
$ ls -l /bin/sh
lrwxrwxrwx 1 root root 4 Mar  1  2012 /bin/sh -> dash
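Two points in this thread belong together: josehill's warning that swapping /bin/sh for ksh does nothing for scripts that explicitly call /bin/bash, and jwp's `ls -l /bin/sh` check showing that Debian's /bin/sh is dash. The following POSIX sh script is an added example, not code from any poster here; it turns both into a small audit you can run before deciding whether a /bin/sh swap actually reduces exposure. It resolves what /bin/sh points to and counts the scripts in a directory whose shebang names bash (directly or via `/usr/bin/env bash`), as opposed to plain sh. The directory to scan and the sample scripts used to exercise it are assumptions of the example.

```shell
# Added example (not from the thread). Inventory which scripts in a directory
# request bash explicitly versus the generic /bin/sh, and report what /bin/sh
# resolves to. Replacing /bin/sh with ksh or dash only affects scripts whose
# shebang is /bin/sh; a script with "#!/bin/bash" still runs the bash binary.

# Print the base name of the interpreter named on a script's "#!" line,
# or "none" if the file has no shebang.
script_interp() {
    first=$(head -n 1 "$1" 2>/dev/null)
    case "$first" in
        '#!'*)
            interp=${first#"#!"}          # drop the "#!"
            interp=${interp# }            # allow "#! /bin/sh"
            interp=${interp%% *}          # drop interpreter arguments ("-e")
            # "#!/usr/bin/env bash": the real interpreter is env's argument
            if [ "$(basename "$interp")" = "env" ]; then
                rest=${first#*env}
                rest=${rest# }
                interp=${rest%% *}
            fi
            basename "$interp"
            ;;
        *)
            echo none
            ;;
    esac
}

# Count regular files directly under $1 whose interpreter base name is $2
# (e.g. "bash", "sh", "ksh").
count_scripts_using() {
    dir=$1
    want=$2
    n=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if [ "$(script_interp "$f")" = "$want" ]; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Report what a shell path resolves to: the symlink target if it is a
# symlink, otherwise note that it is a real file (hard link or copy).
sh_target() {
    if [ -L "$1" ]; then
        readlink "$1"
    else
        echo "$1 (regular file, not a symlink)"
    fi
}

# Summary for one directory (assumed path; adjust to the scripts you care about).
audit_dir() {
    dir=${1:-/usr/local/bin}
    echo "/bin/sh -> $(sh_target /bin/sh)"
    echo "scripts in $dir using bash: $(count_scripts_using "$dir" bash)"
    echo "scripts in $dir using sh:   $(count_scripts_using "$dir" sh)"
}
```

Run it as `audit_dir /etc/cron.daily` (or any directory holding your scripts) from either dash or bash; it uses only POSIX parameter expansion, so it does not itself depend on the shell being audited. A non-zero bash count is the population josehill is talking about: those scripts keep executing bash regardless of where /bin/sh points, so patching the bash package is the fix for them, not a relink.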

Re: "Shellshock" Bash bug

Posted: Wed Oct 01, 2014 12:26 am
by Kumba
Ironically, I *think* NetWare 6.5 is affected, too. It comes with bash-3.0 and several other GNU/BSD utilities built as NLMs (NetWare Loadable Modules). I tested the original CVE-2014-6271 exploit on it, and it doesn't work immediately, but if you exit and reload BASH.NLM, it seems to suddenly process the environment var set and partially execute the bug. Haven't seen a patch from Novell yet to address the issue. I might go badger them just for fun...

Re: "Shellshock" Bash bug

Posted: Wed Oct 01, 2014 9:37 am
by ClassicHasClass
4.3.28 is out, and the 10.4+ universal binary is updated, which should fix all five CVEs finally.

http://tenfourfox.blogspot.com/2014/09/ ... dated.html

Re: "Shellshock" Bash bug

Posted: Wed Oct 01, 2014 9:07 pm
by foetz
a second shellshock thread now :shock: