[guardian-dev] Update your servers for real

Lee Azzarello lee at guardianproject.info
Thu Sep 25 22:54:17 EDT 2014


Weird. I'm using a Wheezy base install built via debootstrap on an
Open Hosting container. It uses bash by default for the root user.
Perhaps debootstrap or my platform build scripts override the default
shell for root to be bash?

Anyhoo, I think most people prefer Bash because it is very close to a
real programming language. This shellshock shitstorm might be a
setback for popular programming culture.

-lee

On 9/25/14, 9:48 PM, Hans-Christoph Steiner wrote:
> 
> That's for "Lenny users:".  See this section:
> 
> Squeeze users:
> 
> * Dash is always installed.
> * /bin/sh is dash by default (even for upgraded systems).
> 
> .hc
> 
> Lee Azzarello wrote:
>> I'm confused. The article you linked is instructions to install
>> dash and configure a base system to use it as default. Am I
>> misunderstanding something?
>> 
>> -lee
>> 
>> On Thursday, September 25, 2014, Hans-Christoph Steiner <hans at guardianproject.info> wrote:
>> 
>>> 
>>> dash is still the default /bin/sh, for speed and security, but
>>> you can change that to bash if you want: 
>>> https://wiki.debian.org/DashAsBinSh
>>> 
>>> Ubuntu also uses dash by default: 
>>> https://wiki.ubuntu.com/DashAsBinSh
>>> 
>>> .hc
>>> 
>>> Lee Azzarello wrote:
>>>> This output is from a Debian stable base system built with
>>>> debootstrap and no additional packages installed.
>>>> 
>>>> root at debian:~# ls -l /bin/sh
>>>> lrwxrwxrwx 1 root root 4 Jun 17 21:47 /bin/sh -> bash
>>>> 
>>>> I don't think Debian has used Dash since Sarge.
>>>> 
>>>> -lee
>>>> 
>>>> On 9/25/14, 1:36 PM, Dev Random wrote:
>>>>> This seems mitigated by the fact that /bin/sh is -> dash on
>>>>> debian. So unless something does explicitly #!/bin/bash,
>>>>> things should be okay.
>>>> 
>>>>> BTW, there's a related vuln that's not fixed yet -
>>>>> CVE-2014-7169 https://news.ycombinator.com/item?id=8365158
>>>> 
>>>>> On Thu, 2014-09-25 at 08:48 -0400, Lee Azzarello wrote:
>>>>>> A remote code execution bug was found in the GNU Bash
>>>>>> shell.
>>>>>> 
>>>>>> http://seclists.org/oss-sec/2014/q3/650
>>>>>> 
>>>>>> I tested it on Debian stable from two days ago and
>>>>>> indeed, I could execute code after a function definition
>>>>>> in an environment variable. A server I updated yesterday
>>>>>> evening was not vulnerable, as the Debian team got a
>>>>>> patch released quite fast.
>>>>>> 
>>>>>> This affects any server you run any code on, though the
>>>>>> remote code execution attack vector is unlikely for many
>>>>>> contemporary application servers. Read the write up for
>>>>>> details about a proof of concept.
>>>>>> 
>>>>>> Good Morning!
>>>>>> 
>>>>>> -lee
>>>>>> _______________________________________________
>>>>>> Guardian-dev mailing list
>>>>>> 
>>>>>> Post: Guardian-dev at lists.mayfirst.org
>>>>>> List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev
>>>>>> 
>>>>>> To Unsubscribe Send email to: Guardian-dev-unsubscribe at lists.mayfirst.org
>>>>>> Or visit: https://lists.mayfirst.org/mailman/options/guardian-dev/c1.android%40niftybox.net
>>>>>> 
>>>>>> You are subscribed as: c1.android at niftybox.net
>>>>> 
>>>> 
>>> 
>>> -- 
>>> PGP fingerprint: 5E61 C878 0F86 295C E17D  8677 9F0F E587 374B BE81
>>> 
>> 
> 

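A local self-check for the two things the thread goes back and forth on (what /bin/sh really resolves to, and whether the installed bash still runs a command placed after a function definition in an environment variable), added here as example code that is not part of any message in the thread. It assumes a Linux/BSD `readlink -f` and the `env` utility; the function names and the `probe` variable are made up for this script.

```sh
#!/bin/sh
# Host self-check (added example, not from the thread). Run it on hosts you
# administer before and after the bash package update:  sh host_check.sh
#   sh_target             - what /bin/sh actually resolves to (dash, bash, ...)
#   bash_env_import_check - does the installed bash still execute a command
#                           appended to a function definition in the environment

sh_target() {
    # Follow the symlink chain (/bin/sh -> dash, or -> bash as in Lee's ls -l
    # output) and print just the final program name.
    basename "$(readlink -f /bin/sh)"
}

bash_env_import_check() {
    # Return codes: 0 = bash ignores the trailing command (patched),
    #               1 = bash executed it (unpatched), 2 = no bash installed.
    command -v bash >/dev/null 2>&1 || return 2
    # The variable value is shaped like an exported function definition with
    # one extra command appended. A patched bash runs nothing after the
    # function body while importing its environment; an unpatched one does,
    # so the marker IMPORTED would appear in the child's output.
    probe_out=$(env probe='() { :; }; echo IMPORTED' bash -c 'echo body' 2>/dev/null)
    case "$probe_out" in
        *IMPORTED*) return 1 ;;
        *)          return 0 ;;
    esac
}

report() {
    # Human-readable summary; scripts should call the two functions directly.
    printf '/bin/sh -> %s\n' "$(sh_target)"
    rc=0
    bash_env_import_check || rc=$?
    case "$rc" in
        0) echo "bash: trailing commands in env functions are ignored (patched)" ;;
        1) echo "bash: STILL executes trailing commands from the environment; update now" ;;
        2) echo "bash: not installed on this host" ;;
    esac
}

report
```

On a Debian box that was updated as the thread describes, the second line reports "patched"; the first line shows "dash" on a normal install and "bash" on one whose symlink was changed.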