Shellshock

Open forum for security issues and info.
Forum rules
Any posts concerning pirated software or offering to buy/sell/trade commercial software are subject to removal.
User avatar
duck
Donor
Donor
Posts: 727
Joined: Mon Oct 27, 2003 5:22 pm
Location: Jakobstad, Finland
Contact:

Re: Shellshock

Unread postby duck » Sun Oct 12, 2014 7:15 am

As we're talking about our favourite shells, I used to be a zsh adherent after abandoning linux, but I've recently gone to pdksh and feel quite comfortable. zsh went out the door when they started doing "easy install" things on first login.
:Octane: halo, octane Image knightrider, d i g i t a l AlphaPC164, pond, soekris net6501, misc cool stuff in a rack
N.B.: I tend to talk out of my ass. Do not take it too seriously.

User avatar
foetz
Moderator
Moderator
Posts: 6542
Joined: Mon Apr 14, 2003 4:34 am
Contact:

Re: Shellshock

Unread postby foetz » Sun Oct 12, 2014 7:31 am

duck wrote:zsh went out the door when they started doing "easy install" things on first login.

jus stick to an older version then :-)

User avatar
duck
Donor
Donor
Posts: 727
Joined: Mon Oct 27, 2003 5:22 pm
Location: Jakobstad, Finland
Contact:

Re: Shellshock

Unread postby duck » Sun Oct 12, 2014 7:58 am

foetz wrote:
duck wrote:zsh went out the door when they started doing "easy install" things on first login.

jus stick to an older version then :-)


Hah, yes! Suggested in this of all threads ;-)
:Octane: halo, octane Image knightrider, d i g i t a l AlphaPC164, pond, soekris net6501, misc cool stuff in a rack
N.B.: I tend to talk out of my ass. Do not take it too seriously.

User avatar
foetz
Moderator
Moderator
Posts: 6542
Joined: Mon Apr 14, 2003 4:34 am
Contact:

Re: Shellshock

Unread postby foetz » Sun Oct 12, 2014 8:05 am

duck wrote:
foetz wrote:
duck wrote:zsh went out the door when they started doing "easy install" things on first login.

jus stick to an older version then :-)


Hah, yes! Suggested in this of all threads ;-)

hehe, no prob if it's not your webserver unless you have other users on it you don't trust. given that the zsh version you like does have nasty security issues at all

User avatar
duck
Donor
Donor
Posts: 727
Joined: Mon Oct 27, 2003 5:22 pm
Location: Jakobstad, Finland
Contact:

Re: Shellshock

Unread postby duck » Sun Oct 12, 2014 8:23 am

foetz wrote:
duck wrote:Hah, yes! Suggested in this of all threads ;-)

hehe, no prob if it's not your webserver unless you have other users on it you don't trust. given that the zsh version you like does have nasty security issues at all


Of course. It's not like it's replacing sh.
:Octane: halo, octane Image knightrider, d i g i t a l AlphaPC164, pond, soekris net6501, misc cool stuff in a rack
N.B.: I tend to talk out of my ass. Do not take it too seriously.

User avatar
kjaer
Posts: 424
Joined: Wed May 07, 2008 7:47 pm
Location: Seattle, WA
Contact:

Re: Shellshock

Unread postby kjaer » Sun Oct 12, 2014 11:51 am

The ksh source was opened by AT&T maybe five or six years ago. Before that it was free for end-user download since the end of the '90s approximately, though the build environment was not entirely friendly.
:OnyxR: :IRIS3130: :IRIS2400: :Onyx: :ChallengeL: :4D220VGX: :Indigo: :Octane: :Cube: :Indigo2IMP: :Indigo2: :Indy:

User avatar
foetz
Moderator
Moderator
Posts: 6542
Joined: Mon Apr 14, 2003 4:34 am
Contact:

Re: Shellshock

Unread postby foetz » Sun Oct 12, 2014 10:15 pm

kjaer wrote:though the build environment was not entirely friendly.

oh what an understatement :P

User avatar
jwp
Posts: 156
Joined: Sun Nov 18, 2012 7:14 pm
Location: China

Re: Shellshock

Unread postby jwp » Thu Oct 16, 2014 7:12 am

Pretty early on I read the essay, "Csh Programming Considered Harmful," so I never bothered learning csh or tcsh. Since I was using Linux, bash was the default shell typically, and it seemed to do interactive editing and scripting pretty well.

Later when I was doing a lot of shell scripting on HP-UX, I used ksh88, and I really liked that as well. It has the important things that bash has, but without the bloat. When I was using it, though, there were some really annoying compatibility issues between ksh88 and pdksh. With ksh88, the following script prints "1", and on pdksh and mksh, it prints "0". Bash also prints "0".

Code: Select all

x=0
echo onetime | while read line; do
    x=1
done
echo $x

It's something stupid related to pipes and processes. The programmer needs to know that anything happening in the body of a loop is happening in another context -- but only when something is being piped into the loop. Why this behavior is reasonable, I have no idea. ksh88 handles it just fine, and did so decades ago. I don't know why these other shells like pdksh, mksh, and bash put the burden of remembering arcane details like this onto the programmer.

When AT&T opened up ksh93, I wish they had also released ksh88. My impression has been that ksh88 is a good all-around shell. It doesn't hurt that it's a long-time standard on commercial Unix systems either.
Debian GNU/Linux on a ThinkPad, running a simple setup with FVWM.

armanox
Posts: 206
Joined: Sun Feb 23, 2014 9:31 pm
Location: Baltimore, MD, USA

Re: Shellshock

Unread postby armanox » Thu Oct 16, 2014 9:41 am

jwp wrote:Pretty early on I read the essay, "Csh Programming Considered Harmful," so I never bothered learning csh or tcsh. Since I was using Linux, bash was the default shell typically, and it seemed to do interactive editing and scripting pretty well.

Later when I was doing a lot of shell scripting on HP-UX, I used ksh88, and I really liked that as well. It has the important things that bash has, but without the bloat. When I was using it, though, there were some really annoying compatibility issues between ksh88 and pdksh. With ksh88, the following script prints "1", and on pdksh and mksh, it prints "0". Bash also prints "0".

Code: Select all

x=0
echo onetime | while read line; do
    x=1
done
echo $x

It's something stupid related to pipes and processes. The programmer needs to know that anything happening in the body of a loop is happening in another context -- but only when something is being piped into the loop. Why this behavior is reasonable, I have no idea. ksh88 handles it just fine, and did so decades ago. I don't know why these other shells like pdksh, mksh, and bash put the burden of remembering arcane details like this onto the programmer.

When AT&T opened up ksh93, I wish they had also released ksh88. My impression has been that ksh88 is a good all-around shell. It doesn't hurt that it's a long-time standard on commercial Unix systems either.


That's an easy one - variable scope. Consider the following C++ program

Code: Select all


#include <iostream>
using namespace std;

int main( int argc, char* argv[])
{
  int i = 2;
  for (int i = 0; i < 2; i++)
        cout << i << endl; // Prints 0 then 1
  cout << i << endl; // Prints 2
  return 0;
}



The variable inside of the loop expires when the loop ends, and is in a different scope then the variable outside of the loop, despite having the same name. My guess is the developers of the other shells felt that variable scope was important, where as ksh88 doesn't have the concept.
"Apollo was astonished, Dionysus thought me mad."
:Octane: :Octane: :O2:

User avatar
jwp
Posts: 156
Joined: Sun Nov 18, 2012 7:14 pm
Location: China

Re: Shellshock

Unread postby jwp » Thu Oct 16, 2014 3:51 pm

armanox wrote:That's an easy one - variable scope. [...] The variable inside of the loop expires when the loop ends, and is in a different scope then the variable outside of the loop, despite having the same name. My guess is the developers of the other shells felt that variable scope was important, where as ksh88 doesn't have the concept.

Ah, but this only happens when piping to a loop. Otherwise, all the shells act the same way with variables, loops, and scope. The inconsistency is with pdksh, mksh, and bash. If the script were to be rewritten this way, then it would work the exact same way on all shells:

Code: Select all

x=0
echo onetime > /tmp/onetime
while read line; do
    x=1
done < /tmp/onetime
echo $x

This sort of incompatibility means that pdksh and mksh cannot be used as serious replacements for ksh. The only real path for developing or running ksh88 scripts with open-source software is to try them under ksh93, which is more compatible (and follows ksh88 behavior for this pipe / loop stuff).

Most people happily use pdksh and mksh as ksh replacements, because they don't do a lot of shell scripting, or otherwise don't have to worry about shell scripting compatibility. Sadly, it seems that many shells follow the same behavior as pdksh and mksh, despite there being no rationale other than the implementation details of the shell.
Debian GNU/Linux on a ThinkPad, running a simple setup with FVWM.

armanox
Posts: 206
Joined: Sun Feb 23, 2014 9:31 pm
Location: Baltimore, MD, USA

Re: Shellshock

Unread postby armanox » Thu Oct 16, 2014 4:35 pm

jwp wrote:
armanox wrote:That's an easy one - variable scope. [...] The variable inside of the loop expires when the loop ends, and is in a different scope then the variable outside of the loop, despite having the same name. My guess is the developers of the other shells felt that variable scope was important, where as ksh88 doesn't have the concept.

Ah, but this only happens when piping to a loop. Otherwise, all the shells act the same way with variables, loops, and scope. The inconsistency is with pdksh, mksh, and bash. If the script were to be rewritten this way, then it would work the exact same way on all shells:

Code: Select all

x=0
echo onetime > /tmp/onetime
while read line; do
    x=1
done < /tmp/onetime
echo $x

This sort of incompatibility means that pdksh and mksh cannot be used as serious replacements for ksh. The only real path for developing or running ksh88 scripts with open-source software is to try them under ksh93, which is more compatible (and follows ksh88 behavior for this pipe / loop stuff).

Most people happily use pdksh and mksh as ksh replacements, because they don't do a lot of shell scripting, or otherwise don't have to worry about shell scripting compatibility. Sadly, it seems that many shells follow the same behavior as pdksh and mksh, despite there being no rationale other than the implementation details of the shell.


Interesting. I'll admit that shell scripting is not an area that I consider myself an expert in. I always considered the lack of variable declaration a potential source of confusion in a lot of scripting languages (in my C++ example, it's clear that I am declaring a new i in the for loop. If I do not declare i, it uses the variable from outside of the loop's scope (so for( i = 0; i < 2; i++)) rather then using a local one).
"Apollo was astonished, Dionysus thought me mad."
:Octane: :Octane: :O2:

User avatar
foetz
Moderator
Moderator
Posts: 6542
Joined: Mon Apr 14, 2003 4:34 am
Contact:

Re: Shellshock

Unread postby foetz » Thu Oct 16, 2014 5:09 pm

armanox wrote:That's an easy one - variable scope. Consider the following C++ program

Code: Select all


#include <iostream>
using namespace std;

int main( int argc, char* argv[])
{
  int i = 2;
  for (int i = 0; i < 2; i++)
        cout << i << endl; // Prints 0 then 1
  cout << i << endl; // Prints 2
  return 0;
}

.

declaring i twice, putting in args that are never used and using c++ for something that trivial at all? :shock:

just pulling your leg, the point was clear anyway :P

armanox
Posts: 206
Joined: Sun Feb 23, 2014 9:31 pm
Location: Baltimore, MD, USA

Re: Shellshock

Unread postby armanox » Thu Oct 16, 2014 5:58 pm

foetz wrote:
armanox wrote:That's an easy one - variable scope. Consider the following C++ program

Code: Select all


#include <iostream>
using namespace std;

int main( int argc, char* argv[])
{
  int i = 2;
  for (int i = 0; i < 2; i++)
        cout << i << endl; // Prints 0 then 1
  cout << i << endl; // Prints 2
  return 0;
}

.

declaring i twice, putting in args that are never used and using c++ for something that trivial at all? :shock:

just pulling your leg, the point was clear anyway :P


Declaring i twice was needed for the demo :) The args are a habit, even if they aren't needed. And I happen to like C++, thank you very much. :p
"Apollo was astonished, Dionysus thought me mad."
:Octane: :Octane: :O2:

User avatar
vishnu
Donor
Donor
Posts: 3174
Joined: Sun Mar 18, 2007 3:25 pm
Location: Minneapolis, Minnesota USA

Re: Shellshock

Unread postby vishnu » Fri Oct 17, 2014 7:25 pm

Not to be picayune, but dumping std into the global namespace is considered harmful... ;)

Code: Select all

#include <iostream>

int main(int argc, char ** argv)
{
    using namespace std;

    ...
    return 0;
}


Okay, so I am being picayune... :P
Project:
Temporarily lost at sea...
Plan:
World domination! Or something...

:Tezro: :Octane2:

User avatar
foetz
Moderator
Moderator
Posts: 6542
Joined: Mon Apr 14, 2003 4:34 am
Contact:

Re: Shellshock

Unread postby foetz » Sat Oct 18, 2014 5:14 am

haha, poor armanox :P

but since we're on it already why messing with c++ at all?

Code: Select all

   PROGRAM test
      INTEGER i = 2
   
      DO 10 i = 0, 1
         print *, i
10      continue
   
      print *, i
   END


Return to “SGI: Security”

Who is online

Users browsing this forum: No registered users and 0 guests