[OpenIndiana-discuss] Bash bug issue

Jonathan Adams t12nslookup at gmail.com
Thu Sep 25 18:27:50 UTC 2014


I know I created the original post that sparked this debate, but I have to
say that we've been checking our servers all day, and we cannot get any of
them to act compromised ... we don't use bash scripts in our cgi-bin and
nothing seems to try to run bash at all (fuser `which bash` only returns my
shells)

The ssh things could be an issue, but we're nuking all ssh authorized_keys
wherever we find them, and we don't have accounts restricted to running
specific applications via ssh, so the users who can ssh in should know what
they're doing, or not know so much that they aren't a threat.

I do have bash scripts on our system that users run manually, but that is
because the old Solaris 10 /bin/sh is brain-dead, csh is a nasty piece of
work for scripting and ksh scripts don't seem as portable to Linux/old
Solaris boxes.

Jon

On 25 September 2014 18:18, Gary Gendel <gary at genashor.com> wrote:

> I believe we mostly skirt the issue because, unlike Linux, the default
> shell (/bin/sh) is ksh93 not bash.  This means that under normal conditions
> we shouldn't have an issue.  Only if your cgi scripts actually request bash
> will apache be a problem.  As for ssh, it depends upon the login shell for
> the user.
>
> On 09/25/2014 01:04 PM, Tim Mooney wrote:
>
>> In regard to: Re: [OpenIndiana-discuss] Bash bug issue, Bob
>> Friesenhahn...:
>>
>>> Unfortunately, 'dash' is not completely compatible with scripts written
>>> for 'bash'.  It is not clear to me why people write shell scripts targeting
>>> bash, but it seems to happen often.
>>>
>>
>> Two reasons:
>>
>> - It's the "all the world's a VAX" syndrome for the current generation.
>>
>> - bash (and ksh) do provide some handy features that traditional Bourne
>>   shell does not, and for a large portion of inexperienced programmers,
>>   convenience/laziness trumps portability
>>
>> Both things drive me crazy, but they've been going on for my entire
>> career in computing, so I have no reason to expect that either are going
>> to ever disappear.
>>
>> Tim
>>
>
>
> _______________________________________________
> openindiana-discuss mailing list
> openindiana-discuss at openindiana.org
> http://openindiana.org/mailman/listinfo/openindiana-discuss
>
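
The checks discussed in this thread (CGI scripts that request bash, login shells used over ssh, and what /bin/sh points to), collected as an added example that is not part of any poster's message. The function names and the paths passed as arguments are assumptions.

```shell
#!/bin/sh
# Added example: inventory where bash can be started on behalf of a remote
# party. Function names are hypothetical; paths are supplied by the caller.

# Print files under $1 whose first line is a shebang naming bash
# (covers "#!/bin/bash", "#!/usr/bin/bash -e", "#!/usr/bin/env bash").
# Limit: a perl or ksh script that later execs bash is not detected here.
bash_shebang_scripts() {
    find "$1" -type f 2>/dev/null | while IFS= read -r f; do
        first=$(head -n 1 "$f" 2>/dev/null | tr -d '\000\r')
        case "$first" in
            '#!'*bash|'#!'*bash' '*) printf '%s\n' "$f" ;;
        esac
    done
}

# Print account names in passwd-format file $1 whose login shell is bash
# (or rbash); these are the accounts where ssh starts bash.
bash_login_users() {
    awk -F: '$7 ~ /(^|\/)r?bash$/ { print $1 }' "$1"
}

# Succeed if $1 (e.g. /bin/sh) is a symlink whose immediate target is named
# bash. Limit: a hard link or copy of bash, or a chained symlink, is missed.
sh_is_bash() {
    target=$(readlink "$1" 2>/dev/null) || return 1
    case "${target##*/}" in
        bash) return 0 ;;
        *)    return 1 ;;
    esac
}

# Print a short report for a CGI directory ($1) and a passwd file ($2).
exposure_report() {
    echo "CGI scripts with a bash shebang under $1:"
    bash_shebang_scripts "$1" | sed 's/^/  /'
    echo "Accounts in $2 with bash as login shell:"
    bash_login_users "$2" | sed 's/^/  /'
    if sh_is_bash /bin/sh; then
        echo "/bin/sh is a symlink to bash"
    else
        echo "/bin/sh is not a symlink to bash"
    fi
}

# Run only when both paths are given: sh audit.sh <cgi-dir> <passwd-file>
if [ "$#" -ge 2 ]; then
    exposure_report "$1" "$2"
fi
```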

