[UFO Chicago] The Bash Bug and the OpenSSL Bug

Kevin Brandstatter icarusthecow at gmail.com
Fri Oct 31 10:43:22 PDT 2014


While it may not be the most frequently used shell (up in the air
really: BSD uses csh, Mac uses bash, most Linux uses bash, but "best
practice" is to make system scripts use /bin/sh, which on systems like
Debian points to dash, but some point to bash), it is a major problem
because of certain programs that make use of bash scripts. I remember
reading about one attack vector being the Apache web server because it
uses bash scripts on the server side to launch certain tasks. Injecting
a malicious environment can lead to remote code execution.

-Kevin

On 10/31/2014 11:49 AM, Neil R. Ormos wrote:
> jay at m5.chicago.il.us wrote:
>
>> Specifically, I have been wanting to have a
>> speaker at the Chicago C/C++ Users' Group who
>> would give a presentation on the bash bug, [...]
>> And if that topic is too short to devote an
>> entire meeting to it, we could couple it with a
>> presentation of the OpenSSL bug, [...]  This was
>> arguably worse than the bash bug, because the
>> bash bug affected only one program (albeit the
>> single most frequently-invoked program in all of
>> Unix), [...]
> Is it true that bash is the single most
> frequently-invoked program in all of Unix?
>
> I'm not sure it's even the most frequently-invoked
> shell.
>
> If by "Unix" you're referring to commercial Unix,
> most "system" scripts (i.e., those not written by
> the end user) have traditionally invoked /bin/sh,
> which historically hasn't been bash, though
> perhaps commercial Unix products more recent than
> what I use have changed that.
>
> If you're referring to operating systems based on
> the Linux kernel, while some system scripts
> explicitly use bash, many more use /bin/sh, so the
> shell that's actually invoked is up to the
> distribution.  At least for Debian and its
> derivatives, I believe /bin/sh is symlinked to
> dash.
>
> I don't know what the various BSD flavors use.
>
> But "market share" doesn't really tell us which
> shell is actually (dynamically) invoked the
> most. I wonder how one could figure that out
> without some sort of instrumentation.
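As an added illustration (not code from the thread), this shows how a CGI gateway turns request headers into the environment Kevin refers to, and scans constructed Apache log lines for the function-definition prefix that an unpatched bash would parse as code. The header-to-variable mapping follows RFC 3875; the log lines and addresses are constructed samples, not data from the page.

```python
import re

# Constructed sample of Apache combined-format access log lines (not from the page).
# Line 2 carries the prefix in the User-Agent, line 3 in the Referer: any header
# becomes an HTTP_* environment variable, so every header field must be checked.
SAMPLE_LOG = """\
203.0.113.7 - - [31/Oct/2014:10:43:22 -0700] "GET /cgi-bin/status.sh HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [31/Oct/2014:10:44:01 -0700] "GET /cgi-bin/status.sh HTTP/1.1" 200 512 "-" "() { :; }; echo probe"
198.51.100.4 - - [31/Oct/2014:10:45:10 -0700] "GET /index.html HTTP/1.1" 200 1024 "() { ignored; }; echo x" "curl/7.38"
"""

COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Pre-patch bash imported any exported variable whose value begins with "() {"
# as a function definition and kept parsing past the closing brace.
FUNC_DEF = re.compile(r'^\s*\(\)\s*\{')


def cgi_env_from_headers(headers):
    """Map HTTP request headers to CGI meta-variables the way a gateway does (RFC 3875)."""
    return {"HTTP_" + name.upper().replace("-", "_"): value for name, value in headers.items()}


def env_indicators(env):
    """Return names of environment variables an unpatched bash would treat as function definitions."""
    return sorted(name for name, value in env.items() if FUNC_DEF.match(value))


def scan_log(text):
    """Return (client ip, request line, header field) for each log line carrying the prefix."""
    hits = []
    for line in text.splitlines():
        m = COMBINED.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        for field in ("referer", "ua"):
            if FUNC_DEF.match(m.group(field)):
                hits.append((m.group("ip"), m.group("req"), field))
    return hits


if __name__ == "__main__":
    for ip, req, field in scan_log(SAMPLE_LOG):
        print(f"{ip} {req!r} prefix in {field}")
```

Patched bash only imports variables whose names carry the BASH_FUNC_ prefix, so a hit in a log is an indicator of a probe, not proof that the host was vulnerable.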