Date: Sun, 28 Sep 2014 21:13:22 +1000
From: Michael Samuel <mik@...net.net>
To: oss-security@...ts.openwall.com
Cc: Chester Ramey <chet.ramey@...e.edu>
Subject: Re: Fwd: Non-upstream patches for bash

On 28 September 2014 01:06, Solar Designer <solar@...nwall.com> wrote:
> This also means that we should treat any programs that generate bash
> scripts with (sanitized) untrusted input in them as unsafe, and patch
> those to use safer mechanisms to pass (sanitized) inputs to scripts
> (preferably use env vars with fixed names).

The problem with this approach is that a sh is useful for both system(3)
and wrapping things like java.

This problem came up because bash was parsing environment variables
even when the script wasn't referencing them.  I don't think anyone lets
network users set completely arbitrary environment variable names.

I think Debian's approach of dash as /bin/sh, and bash as an interactive
shell is the right balance.

I switched a Fedora box to using dash as /bin/sh, and so far have only
logged one bug for something that broke, and it pretty much deserved
to break (BZ #1146733).

Regards,
  Michael
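
The quoted recommendation (pass inputs to scripts through environment variables with fixed names instead of generating script text), as an added example that is not part of the original message or of any project discussed in the thread. `UNTRUSTED` is a constructed sample value, deliberately left unsanitized to show what happens when sanitization is missed, and `GREETING_NAME` is a hypothetical variable name.

```shell
#!/bin/sh
# Added example: two ways for a wrapper program to hand a value to /bin/sh.
# UNTRUSTED is a constructed sample; GREETING_NAME is a hypothetical fixed name.

UNTRUSTED='world"; echo INJECTED; echo "'

# Pattern 1 (the one the quoted text treats as unsafe): build script text
# that contains the value, then let the shell parse it. The value is code.
run_generated() {
    script="echo \"hello $1\""
    sh -c "$script"
}

# Pattern 2: the script text is a constant. The value travels in an
# environment variable with a fixed name and is only expanded as data.
run_with_env() {
    GREETING_NAME="$1" sh -c 'echo "hello $GREETING_NAME"'
}

# Count output lines: more than one means the value was parsed as commands.
count_lines() {
    printf '%s\n' "$1" | wc -l | tr -d ' '
}

generated_out=$(run_generated "$UNTRUSTED")
env_out=$(run_with_env "$UNTRUSTED")

echo "generated script: $(count_lines "$generated_out") line(s)"
echo "fixed env var:    $(count_lines "$env_out") line(s)"
```

The fixed script never re-parses the value, so quoting mistakes in the caller cannot turn it into commands; how the shell itself treats the environment at startup is a separate matter, which is what the message above is about.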
