bash security hole
Scott DuBois
sdubois at linux.com
Sat Sep 27 15:55:01 UTC 2014
On 09/26/2014 01:13 PM, Steve Riley wrote:
> On 2014-09-26 01:05:49 Ralf Mardorf <kde.lists at yahoo.com> wrote:
>>
>> I don't care about the link, anyway, bash is _not_ the default shell for
>> this distro.
>
> While it's true that /bin/sh points to /bin/dash, it is not true that Dash is the default shell when you open a Konsole window. Check for yourself:
>
>
> steve at t520:~$ ps -p $$
> PID TTY TIME CMD
> 18811 pts/1 00:00:00 bash
>
> --- AND ---
>
> steve at t520:~$ echo $SHELL
> /bin/bash
>
>
> Everyone needs to update now.
>
> ...Steve
>
>
Thanks Steve, but isn't dash public facing through the servers while
bash is not (at least by default anyway)?
_from another mailing list_:
"If I understand correctly, the general path to execution is any external
calls to bash explicitly, or to /bin/sh in any fashion, most notably via
the system(3) syscall. Amirite? So, first point, /bin/sh doesn't need
to be bash. On Debian[1]/*buntu[2] systems by default, it's been dash
(Debian Almquist shell, a variant of the lightweight Bourne-compatible
Almquist shell 'ash') for many years, because dash is smaller, faster, and
-- ta da! -- less feature-bloated hence less likely to be involved in
security problems."
--
Scott DuBois
President EBLUG
BSIT Software Engineering
Freenode: Roguehorse
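
The points raised in this thread (what /bin/sh resolves to, which accounts log in with bash, and which scripts call bash explicitly) can be checked with a short audit script. This is an added example, not part of the original messages; the function names are hypothetical and the script only reads the paths it is given.

```shell
#!/bin/sh
# Added example: audit where bash is actually in use on a system.
# Function names are illustrative, not from any package.

# Print the program a shell path such as /bin/sh really executes
# (follows symlinks, so /bin/sh -> dash prints "dash").
resolve_shell() {
    target=$(readlink -f "$1" 2>/dev/null) || return 1
    basename "$target"
}

# Print accounts whose login shell in a passwd-format file is bash.
bash_login_users() {
    awk -F: '$7 ~ "(^|/)bash$" { print $1 }' "$1"
}

# Print scripts in a directory whose first line (shebang) names bash,
# i.e. the "external calls to bash explicitly" case.
scripts_using_bash() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        IFS= read -r first < "$f" || [ -n "$first" ] || continue
        case $first in
            '#!'*bash*) echo "${f##*/}" ;;
        esac
    done
}

# Summarise the live system; directory argument defaults to /etc/init.d
# (an assumption, pick the script directories that matter to you).
report() {
    echo "/bin/sh runs:        $(resolve_shell /bin/sh)"
    echo "bash login accounts: $(bash_login_users /etc/passwd | tr '\n' ' ')"
    echo "bash scripts:        $(scripts_using_bash "${1:-/etc/init.d}" | tr '\n' ' ')"
}

if [ "${1:-}" = "--report" ]; then
    report "${2:-}"
fi
```

Run it with `--report` and optionally a directory of scripts to inspect; without arguments it only defines the functions.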