Shellshock

Re: "Shellshock" Bash bug

Post by robespierre » Wed Oct 01, 2014 9:42 pm

please, the politically correct term is PTSD.

Re: "Shellshock" Bash bug

Post by josehill » Wed Oct 01, 2014 10:13 pm

foetz wrote:a second shellshock thread now :shock:

Actually, this is the third thread. I keep merging them, and a new one appears! Kind of like patches to bash! :lol:

Re: "Shellshock" Bash bug

Post by foetz » Wed Oct 01, 2014 11:59 pm

josehill wrote:Kind of like patches to bash! :lol:

a good match then :D

Re: Shellshock

Post by porter » Thu Oct 02, 2014 1:43 pm

I am absolutely astounded that the authors of bash thought it a neat idea to

(a) export functions via environment variables
(b) execute contents of any environment variable with the script parser/handler

It's like somebody shooting themselves in the head with every revolver they find to see if they are loaded.

Plonkers!
Land of the Long White Cloud and no Software Patents.

Re: Shellshock

Post by jwp » Thu Oct 02, 2014 6:53 pm

porter wrote:I am absolutely astounded that the authors of bash thought it a neat idea to

(a) export functions via environment variables
(b) execute contents of any environment variable with the script parser/handler

It's like somebody shooting themselves in the head with every revolver they find to see if they are loaded.

Plonkers!

Part of the problem is that Bash is just too complex. The design of the Bourne shell was convoluted enough, and then they add on so many "special features." Glad that my "/bin/sh" is "/bin/dash", and I will use Bash only for custom shell scripts using Bash features.

Actually some of the extra features in Bash are useful, like in-process testing with "[[ ]]", and in-process arithmetic with "let". By switching over to Bash features, some of the programs I've written have become much more efficient. These are all available in ksh88 and mksh, though.

When a system relies on one component so much, that component has to be simple, safe, and sturdy. Even aside from this Shellshock vulnerability, Bash is very questionable for the role of "/bin/sh". It's too complex.
Debian GNU/Linux on a ThinkPad, running a simple setup with FVWM.

Re: Shellshock

Post by robespierre » Thu Oct 02, 2014 7:05 pm

Yes, we already know that you favor a "See Figure 1" approach to system usability. You really don't need to say it in every post.

Re: Shellshock

Post by foetz » Thu Oct 02, 2014 8:59 pm

jwp wrote:Bash is very questionable for the role of "/bin/sh"

for sure. i've never been a bash fan but i wouldn't bash it too much here (pun :D ) either because the problem is linux. to be more precise it being way too spoiled.
system related scripts should never use more than what a real sh can provide. by that the dependency on one specific shell is reduced a lot and by that all bad things that can come out of that

Re: Shellshock

Post by vishnu » Fri Oct 03, 2014 7:06 pm

Just installed the latest patched bash to my Internet-facing firewall (running Slackware 14.0), of note, see highlight below:

Installing package bash-4.2.050-i486-1_slack14.0.txz:
PACKAGE DESCRIPTION:
# bash (sh-compatible shell)
#
# The GNU Bourne-Again SHell. Bash is a sh-compatible command
# interpreter that executes commands read from the standard input or
# from a file. Bash also incorporates useful features from the Korn
# and C shells (ksh and csh). Bash is ultimately intended to be a
# conformant implementation of the IEEE Posix Shell and Tools
# specification (IEEE Working Group 1003.2).
#
# Bash must be present for the system to boot properly.
#
Executing install script for bash-4.2.050-i486-1_slack14.0.txz.
Package bash-4.2.050-i486-1_slack14.0.txz installed.
Project:
Temporarily lost at sea...
Plan:
World domination! Or something...

Re: Shellshock

Post by robespierre » Fri Oct 03, 2014 10:52 pm

that's a result of /bin/sh being a link to it. Only a few non-critical init scripts use it directly.
try

Code:

grep -lr bash /etc/init.d
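
A stricter form of the grep check in the post above, as an added example that is not part of the original thread: it reads each script's "#!" line instead of matching the word "bash" anywhere, and it reports "#!/bin/sh" scripts only when sh and bash are the same file. The function names are made up for this illustration, and it assumes a shell whose test command supports -ef (bash and dash do).

```shell
#!/bin/sh
# Added example (not from the thread): report which init scripts bash runs.
# "grep -lr bash" matches any mention of the word; this reads the "#!" line.

# Print the basename of the interpreter on a script's first line, if any.
shebang_interp() {
    awk 'NR == 1 && /^#!/ {
            sub(/^#![ \t]*/, "")
            n = split($0, w, /[ \t]+/)
            p = w[1]; sub(/.*\//, "", p)
            # "#!/usr/bin/env bash": the interpreter is the next word.
            if (p == "env" && n >= 2) { p = w[2]; sub(/.*\//, "", p) }
            print p
         }
         { exit }' "$1" 2>/dev/null
}

# List regular files directly under directory $1 whose interpreter is $2.
scripts_run_by() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if [ "$(shebang_interp "$f")" = "$2" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# True when both paths exist and are the same file. -ef compares device and
# inode, so it catches a symlink and the hard link made by "ln -f".
same_file() {
    [ -e "$1" ] && [ -e "$2" ] && [ "$1" -ef "$2" ]
}

# Usage: audit_init_dir [dir] [sh-path] [bash-path]
# "direct" = "#!" names bash; "via-sh" = "#!" names sh and sh is bash.
audit_init_dir() {
    dir=${1:-/etc/init.d} sh=${2:-/bin/sh} bash=${3:-/bin/bash}
    scripts_run_by "$dir" bash | sed 's/^/direct /'
    if same_file "$sh" "$bash"; then
        scripts_run_by "$dir" sh | sed 's/^/via-sh /'
    fi
}

audit_init_dir "$@"
```

The "via-sh" lines are the scripts that stop depending on bash once /bin/sh is relinked to another shell; the "direct" lines still need bash itself.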

Re: Shellshock

Post by jwp » Fri Oct 03, 2014 11:39 pm

robespierre wrote:Yes, we already know that you favor a "See Figure 1" approach to system usability. You really don't need to say it in every post.

I must say it in every post! :shock:

Re: Shellshock

Post by robespierre » Mon Oct 06, 2014 10:13 am

foetz wrote:
robespierre wrote:

Code:

$ sudo -s
# chmod -x /bin/bash
# ln -f /bin/ksh /bin/sh

fuggeddaboutit....

i did the same on osx but with zsh. might work for linux, too

In fact, osx can't boot using ksh. But zsh does seem to work.
(None of the system scripts in osx use bash)

Re: Shellshock

Post by armanox » Thu Oct 09, 2014 8:28 am

robespierre wrote:
foetz wrote:
robespierre wrote:

Code:

$ sudo -s
# chmod -x /bin/bash
# ln -f /bin/ksh /bin/sh

fuggeddaboutit....

i did the same on osx but with zsh. might work for linux, too

In fact, osx can't boot using ksh. But zsh does seem to work.
(None of the system scripts in osx use bash)


Once upon a time OS X used zsh for the shell (IIRC). They switched to bash for Linux compatibility, because the Linux crowd believes they are the "One True Way."

With that said, I've updated bash on my IRIX systems manually (patched the source), we should consider making an update for nekoware....
"Apollo was astonished, Dionysus thought me mad."

Re: Shellshock

Post by josehill » Thu Oct 09, 2014 8:40 am

armanox wrote:Once upon a time OS X used zsh for the shell (IIRC).

The default shell in OS X versions 10.0 through 10.2.x is tcsh. Apple switched to bash in 10.3.

Re: Shellshock

Post by foetz » Fri Oct 10, 2014 12:00 am

armanox wrote:we should consider making an update for nekoware....

how about banning it? :P
who would use bash voluntarily on a real unix? even more so since zsh, tcsh and multiple ksh variants are available.

nobody needs bash. it's always been a mystery to me why it became so popular except for being the dummy shell for linux

Re: Shellshock

Post by smj » Fri Oct 10, 2014 2:49 am

foetz wrote:
armanox wrote:we should consider making an update for nekoware....

how about banning it? :P
who would use bash voluntarily on a real unix? even more so since zsh, tcsh and multiple ksh variants are available.

nobody needs bash. it's always been a mystery to me why it became so popular except for being the dummy shell for linux

Tempting on an emotional basis, perhaps. But because it is the only shell the Linux mob will ever think of, we will see complex scripts in packages that expect a current-ish version of bash. Better to have one with the proper security patches.

Also, folks coming from Linuxdom and picking up the SGI/IRIX habit will look around for bash pretty quickly. Might as well make it easier for them to indulge their new addiction, rather than creating an obstacle that prevents anybody from joining the club.

I saw the smiley, and I'm sure you can see these arguments for yourself. But what the heck, why not toss it in the thread for reference...