bash security hole

Scott DuBois sdubois at
Sat Sep 27 15:55:01 UTC 2014

On 09/26/2014 01:13 PM, Steve Riley wrote:
> On 2014-09-26 01:05:49 Ralf Mardorf <kde.lists at> wrote:
>> I don't care about the link, anyway, bash is _not_ the default shell for
>> this distro.
> While it's true that /bin/sh points to /bin/dash, it is not true that Dash is the default shell when you open a Konsole window. Check for yourself:
> steve at t520:~$ ps -p $$
>   PID TTY          TIME CMD
> 18811 pts/1    00:00:00 bash
> --- AND ---
> steve at t520:~$ echo $SHELL
> /bin/bash
> Everyone needs to update now.
> ...Steve

Thanks Steve, but isn't dash public facing through the servers while
bash is not (at least by default anyway).

_from another mailing list_:

"If I understand correctly, the general path to execution is any external
calls to bash explicitly, or to /bin/sh in any fashion, most notably via
the system(3) syscall.  Amirite?  So, first point, /bin/sh doesn't need
to be bash.  On Debian[1]/*buntu[2] systems by default, it's been dash
(Debian Almquist shell, a variant of the lightweight Bourne-compatible
Almquist shell 'ash') for many years, because dash is smaller, faster, and
-- ta da!  -- less feature-bloated hence less likely to be involved in
security problems."

Scott DuBois
President EBLUG
BSIT Software Engineering
Freenode: Roguehorse

More information about the kubuntu-users mailing list