Hi Daniel,

On Thu, 23 Jun 2016 at 5:00, Daniel Kahn Gillmor wrote:
> > And no further upgrade is possible anymore.
>
> That does indeed bad, but I'm unable to replicate it. Can you help me
> better understand how you ran into this?

Sure.

> > Simply adding "-s /bin/sh" here fixes the problem.
>
> I'm surprised to hear this. The monkeysphere user is normally manually
> configured to use /bin/bash.

Well, I have a hardened system with system users without a shell. That
isn't a problem for monkeysphere too until now.

> I also note on your system that /bin/sh is linked to /bin/dash, and
> monkeysphere scripts are not compatible with dash, for whatever that's
> worth.

That's also intended. And frankly that saved my ass some time ago when
this bash bug came out.

> Can you show me the output of:
>
>   getent passwd monkeysphere

monkeysphere:x:124:135:monkeysphere authentication user,,,:/var/lib/monkeysphere:/bin/false

> > Note that this bug is maybe related to #778833 and #635711.

About #778833, I do not understand it. What is about the court notice???

> I don't think these are the same. Those bugs were related to issues
> around pipeline failures (premature closing of the tail of a pipeline),
> and would not have been solved by adding "-s /bin/sh".

Yes, I also don't think they are the same.

About /bin/sh or /bin/bash.. I think it doesn't matter in the su call, as
the script itself pulls /bin/bash afterwards via the shebang line. It is
just the smallest possibility, and when it comes to security, it is always
about using not more than needed.

Regards
   Klaus
-- 
Klaus Ethgen                                       http://www.ethgen.ch/
pub  4096R/4E20AF1C 2011-05-16            Klaus Ethgen <kl...@ethgen.ch>
Fingerprint: 85D4 CA42 952C 949B 1753  62B3 79D0 B06F 4E20 AF1C