Re: "Shellshock" Bash bug

Posted: Wed Oct 01, 2014 9:42 pm
by robespierre
please, the politically correct term is PTSD.

Re: "Shellshock" Bash bug

Posted: Wed Oct 01, 2014 10:13 pm
by josehill
foetz wrote:a second shellshock thread now :shock:

Actually, this is the third thread. I keep merging them, and a new one appears! Kind of like patches to bash! :lol:

Re: "Shellshock" Bash bug

Posted: Wed Oct 01, 2014 11:59 pm
by foetz
josehill wrote:Kind of like patches to bash! :lol:

a good match then :D

Re: Shellshock

Posted: Thu Oct 02, 2014 1:43 pm
by porter
I am absolutely astounded that the authors of bash thought it a neat idea to

(a) export functions via environment variables
(b) execute contents of any environment variable with the script parser/handler

It's like somebody shooting themselves in the head with every revolver they find to see if they are loaded.

Plonkers!
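
What the post above describes, seen from the defender's side, as an added example that is not part of the original post: it flags environment variables whose value starts with `() {`, the form bash used to pass exported functions, and runs a command with them removed. The function names and sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example: function names and sample values are constructed.

# Print the name of every variable in the current environment whose value
# starts with "() {", the form bash used to pass exported functions.
# awk's ENVIRON array keeps a multi-line value together as one entry.
funclike_env_names() {
    awk 'BEGIN {
        for (name in ENVIRON)
            if (index(ENVIRON[name], "() {") == 1)
                print name
    }' | sort
}

# Run a command with those variables removed from its environment.
# Relies on "env -u", which GNU, BSD and busybox env provide (not POSIX).
run_scrubbed() {
    for name in $(funclike_env_names); do
        set -- -u "$name" "$@"
    done
    env "$@"
}
```

Patched bash still uses the same value form under a `BASH_FUNC_`-prefixed variable name, so legitimately exported functions are flagged and removed as well.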

Re: Shellshock

Posted: Thu Oct 02, 2014 6:53 pm
by jwp
porter wrote:I am absolutely astounded that the authors of bash thought it a neat idea to

(a) export functions via environment variables
(b) execute contents of any environment variable with the script parser/handler

It's like somebody shooting themselves in the head with every revolver they find to see if they are loaded.

Plonkers!

Part of the problem is that Bash is just too complex. The design of the Bourne shell was convoluted enough, and then they add on so many "special features." Glad that my "/bin/sh" is "/bin/dash", and I will use Bash only for custom shell scripts using Bash features.

Actually some of the extra features in Bash are useful, like in-process testing with "[[ ]]", and in-process arithmetic with "let". By switching over to Bash features, some of the programs I've written have become much more efficient. These are all available in ksh88 and mksh, though.

When a system relies on one component so much, that component has to be simple, safe, and sturdy. Even aside from this Shellshock vulnerability, Bash is very questionable for the role of "/bin/sh". It's too complex.

Re: Shellshock

Posted: Thu Oct 02, 2014 7:05 pm
by robespierre
Yes, we already know that you favor a "See Figure 1" approach to system usability. You really don't need to say it in every post.

Re: Shellshock

Posted: Thu Oct 02, 2014 8:59 pm
by foetz
jwp wrote:Bash is very questionable for the role of "/bin/sh"

for sure. i've never been a bash fan but i wouldn't bash it too much here (pun :D ) either because the problem is linux. to be more precise it being way too spoiled.
system related scripts should never use more than what a real sh can provide. by that the dependency on one specific shell is reduced a lot and by that all bad things that can come out of that

Re: Shellshock

Posted: Fri Oct 03, 2014 7:06 pm
by vishnu
Just installed the latest patched bash to my Internet-facing firewall (running Slackware 14.0). Of note, see highlight below:

Installing package bash-4.2.050-i486-1_slack14.0.txz:
PACKAGE DESCRIPTION:
# bash (sh-compatible shell)
#
# The GNU Bourne-Again SHell. Bash is a sh-compatible command
# interpreter that executes commands read from the standard input or
# from a file. Bash also incorporates useful features from the Korn
# and C shells (ksh and csh). Bash is ultimately intended to be a
# conformant implementation of the IEEE Posix Shell and Tools
# specification (IEEE Working Group 1003.2).
#
# Bash must be present for the system to boot properly.
#
Executing install script for bash-4.2.050-i486-1_slack14.0.txz.
Package bash-4.2.050-i486-1_slack14.0.txz installed.

Re: Shellshock

Posted: Fri Oct 03, 2014 10:52 pm
by robespierre
that's a result of /bin/sh being a link to it. Only a few non-critical init scripts use it directly.
try

grep -lr bash /etc/init.d
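
An added example, not part of the original post, that narrows the grep above: `grep -lr bash` lists every file that mentions bash anywhere, while this separates scripts whose own `#!` line names bash from `#!/bin/sh` scripts that reach bash only because /bin/sh is bash. The function names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: function names and default paths are assumptions.

# Print the basename of the interpreter on a script's "#!" line, looking
# past "/usr/bin/env". Prints an empty line when there is no "#!" line.
script_interp() {
    first=$(head -n 1 "$1" 2>/dev/null) || first=
    case $first in
        '#!'*) ;;
        *) echo; return 0 ;;
    esac
    set -f; set -- ${first#'#!'}; set +f
    if [ "${1##*/}" = env ]; then shift; fi
    printf '%s\n' "${1##*/}"
}

# Succeed when the sh path and the bash path are the same program,
# whether by symlink, hard link or copy.
sh_is_bash() {
    cmp -s "${1:-/bin/sh}" "${2:-/bin/bash}"
}

# Classify scripts under directory $1: "direct" if their own interpreter
# is bash, "via-sh" if it is sh and sh is bash on this system.
# $2 and $3 optionally override the sh and bash paths.
audit_dir() {
    find "$1" -type f | sort | while IFS= read -r f; do
        case $(script_interp "$f") in
            bash) printf 'direct %s\n' "$f" ;;
            sh)   if sh_is_bash "$2" "$3"; then printf 'via-sh %s\n' "$f"; fi ;;
        esac
    done
}
```

Run as `audit_dir /etc/init.d`; on a system where /bin/sh is dash or ksh, only the "direct" lines remain.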

Re: Shellshock

Posted: Fri Oct 03, 2014 11:39 pm
by jwp
robespierre wrote:Yes, we already know that you favor a "See Figure 1" approach to system usability. You really don't need to say it in every post.

I must say it in every post! :shock:

Re: Shellshock

Posted: Mon Oct 06, 2014 10:13 am
by robespierre
foetz wrote:
robespierre wrote:

$ sudo -s
# chmod -x /bin/bash
# ln -f /bin/ksh /bin/sh

fuggeddaboutit....

i did the same on osx but with zsh. might work for linux, too

In fact, osx can't boot using ksh. But zsh does seem to work.
(None of the system scripts in osx use bash)

Re: Shellshock

Posted: Thu Oct 09, 2014 8:28 am
by armanox
robespierre wrote:
foetz wrote:
robespierre wrote:

$ sudo -s
# chmod -x /bin/bash
# ln -f /bin/ksh /bin/sh

fuggeddaboutit....

i did the same on osx but with zsh. might work for linux, too

In fact, osx can't boot using ksh. But zsh does seem to work.
(None of the system scripts in osx use bash)


Once upon a time OS X used zsh for the shell (IIRC). They switched to bash for Linux compatibility, because the Linux crowd believes they are the "One True Way."

With that said, I've updated bash on my IRIX systems manually (patched the source), we should consider making an update for nekoware....

Re: Shellshock

Posted: Thu Oct 09, 2014 8:40 am
by josehill
armanox wrote:Once upon a time OS X used zsh for the shell (IIRC).

The default shell in OS X versions 10.0 through 10.2.x is tcsh. Apple switched to bash in 10.3.

Re: Shellshock

Posted: Fri Oct 10, 2014 12:00 am
by foetz
armanox wrote:we should consider making an update for nekoware....

how about banning it? :P
who would use bash voluntarily on a real unix? even more so since zsh, tcsh and multiple ksh variants are available.

nobody needs bash. it's always been a mystery to me why it became so popular except for being the dummy shell for linux

Re: Shellshock

Posted: Fri Oct 10, 2014 2:49 am
by smj
foetz wrote:
armanox wrote:we should consider making an update for nekoware....

how about banning it? :P
who would use bash voluntarily on a real unix? even more so since zsh, tcsh and multiple ksh variants are available.

nobody needs bash. it's always been a mystery to me why it became so popular except for being the dummy shell for linux

Tempting on an emotional basis, perhaps. But because it is the only shell the Linux mob will ever think of, we will see complex scripts in packages that expect a current-ish version of bash. Better to have one with the proper security patches.

Also, folks coming from Linuxdom and picking up the SGI/IRIX habit will look around for bash pretty quickly. Might as well make it easier for them to indulge their new addiction, rather than creating an obstacle that prevents anybody from joining the club.

I saw the smiley, and I'm sure you can see these arguments for yourself. But what the heck, why not toss it in the thread for reference...