bash security hole

[Steve Riley]

On 2014-09-27 08:55:01 Scott DuBois <sdubois at linux.com> wrote:
>
> Thanks Steve, but isn't dash public facing through the servers while
> bash is not (at least by default anyway).
> 
> _from another mailing list_:
> 
> "If I understand correctly, the general path to execution is any external
> calls to bash explicitly, or to /bin/sh in any fashion, most notably via
> the system(3) syscall.  Amirite?  So, first point, /bin/sh doesn't need
> to be bash.  On Debian[1]/*buntu[2] systems by default, it's been dash
> (Debian Almquist shell, a variant of the lightweight Bourne-compatible
> Almquist shell 'ash') for many years, because dash is smaller, faster, and
> -- ta da!  -- less feature-bloated hence less likely to be involved in
> security problems."

Not exactly sure what you may mean by "public facing." The author of a script can specify whatever shell he/she wishes for executing any script. You'll see this in the first line. For instance, scripts that begin with

#!/bin/bash

Will use Bash to execute. Scripts that begin with

#!/bin/sh

Will use sh. On Debian/Ubuntu, /bin/sh is a symbolic link to /bin/dash. The #! notation is called a "shebang"; read more at https://en.wikipedia.org/wiki/Shebang_(Unix).

Bash is the default login shell for Debian and Ubuntu. It's also used by quite a number of scripts in the system. You check this for yourself:

user at host:~$ grep -R '#!/bin/bash' /bin /sbin /usr/bin /usr/sbin

Notably, /sbin/dhclient-script is the one that seems to allow malicious DNS servers to attack a target machine.


...Steve