On 09/26/2014 05:11 PM, Doug Newgard wrote:
I should qualify that in that I don't think adding another package to
base is a good idea *unless* there is a significant benefit to doing
so. The plan to add dash to base when Arch was using initscripts made
sense, it doesn't now that we're using
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 09/27/2014 09:01 AM, Benjamin A. Shelton wrote:
On 09/26/2014 05:11 PM, Doug Newgard wrote:
I should qualify that in that I don't think adding another
package to base is a good idea *unless* there is a significant
benefit to doing so. The
On 09/27/2014 01:04 AM, Florian Pelz wrote:
Regardless of what's the default, could there be a cleaner way to use
dash as one's /bin/sh without preventing pacman from upgrading bash?
Manually replace /bin/sh as a symlink to /bin/dash and then set the
/etc/pacman.conf values:
NoUpgrade =
On Sat, 2014-09-27 at 01:21 -0600, Benjamin A. Shelton wrote:
I assumed NoExtract should have been enough
Correct! Or are we missing something?
On 09/27/2014 01:28 AM, Ralf Mardorf wrote:
On Sat, 2014-09-27 at 01:21 -0600, Benjamin A. Shelton wrote:
I assumed NoExtract should have been enough
Correct! Or are we missing something?
Oddly, using only NoExtract caused pacman to remove the usr/bin/sh
symlink, replacing it with nothing.
On 09/26/2014 02:57 PM, Doug Newgard wrote:
You're wanting it to hide functionality in certain circumstances,
which isn't wrong, but it isn't required. One way is not more correct
than the other.
I think not doing stupid things with env vars qualifies as more correct.
Smaller code bases can
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 09/27/2014 09:30 AM, Benjamin A. Shelton wrote:
On 09/27/2014 01:28 AM, Ralf Mardorf wrote:
On Sat, 2014-09-27 at 01:21 -0600, Benjamin A. Shelton wrote:
I assumed NoExtract should have been enough
Correct! Or are we missing something?
Arch cannot realistically switch away from bash as long as both its
package management depends on it for both package creation and package
management tasks.
cheers!
mar77i
On Fri, Sep 26, 2014 at 3:11 PM, Martti Kühne mysat...@gmail.com wrote:
Arch cannot realistically switch away from bash as long as both its
package management depends on it for both package creation and package
management tasks.
But we can switch away from using bash as /bin/sh.
On Fri, Sep 26, 2014 at 4:20 PM, Martti Kühne mysat...@gmail.com wrote:
[...]
Despite that I'm still not convinced as to why
the issue in question is such a big deal, I must say it's unlikely
we're better off with a less active, less used shell.
Put simply, bash has too much bloat. That
On Fri, Sep 26, 2014 at 6:06 PM, Mailing Lists
mailingli...@hawkradius.com wrote:
I just ran the checkbashisms script from the AUR on my /usr/bin using
the command from the wiki:
# checkbashisms -f -p $(grep -rlE '^#! ?/bin/(env )?sh' /usr/bin)
which revealed 470 instances of putative
On Fri, Sep 26, 2014, at 05:05 PM, lolilolicon wrote:
The grep would find some false positives -- e.g., some perl script might
include #!/bin/sh in its body (such as findimagedupes).
With dash you don't really need -p, which is more strict.
The following will reduce the count drastically:
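An added example, not from any post in this thread: a line-1-only variant of the "which scripts ask for /bin/sh" scan, since the recursive grep quoted above also matches files that merely mention "#!/bin/sh" somewhere in their body. All helper names and sample files below are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from any post in this thread). Helper names and sample
# files are constructed for illustration.

# True only if line 1 of the file is a /bin/sh (or env sh) shebang.
declares_sh() {
    head -n1 "$1" | grep -qE '^#! ?/(usr/)?bin/(env )?sh( |$)'
}

# A deliberately short list of common bashisms; checkbashisms knows far more.
bashism_re='\[\[|^[[:space:]]*function |<<<|&>|echo -e|\$\{[A-Za-z_]+//'

# Print matching lines with line numbers, or count them (0 when none).
list_bashisms()  { grep -nE "$bashism_re" "$1"; }
count_bashisms() { grep -cE "$bashism_re" "$1" || true; }

# Walk one directory the way the thread's command walks /usr/bin, but decide
# by the line-1 shebang only, and report how many bashism lines each sh script has.
scan_dir() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        declares_sh "$f" || continue
        printf '%s: %s\n' "${f##*/}" "$(count_bashisms "$f")"
    done
}

# Constructed samples in a temp dir (left behind for inspection) so the helpers
# can be run as-is.
SAMPLES=$(mktemp -d)
printf '#!/bin/sh\nset -e\nfor f in "$@"; do [ -r "$f" ] && cat "$f"; done\n' > "$SAMPLES/plain.sh"
printf '#!/bin/sh\nfunction greet {\n  [[ -n "$1" ]] && echo "hi $1"\n}\ngreet "$USER"\n' > "$SAMPLES/bashy.sh"
printf '#!/usr/bin/perl\nprint "#!/bin/sh\\n";  # mentions sh in its body only\n' > "$SAMPLES/notsh.pl"
printf '#!/bin/bash\nshopt -s nullglob\n' > "$SAMPLES/bash.sh"

scan_dir "$SAMPLES"   # prints "bashy.sh: 2" and "plain.sh: 0"; notsh.pl and bash.sh are skipped
```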
On Fri, Sep 26, 2014 at 8:13 PM, Martti Kühne mysat...@gmail.com wrote:
On Fri, Sep 26, 2014 at 2:06 PM, Mailing Lists
mailingli...@hawkradius.com wrote:
Even if we agree to shift /bin/sh to dash, I'm not sure that it'll make
that much of a difference. From what I've read, most of the
On 26/09/14 07:06, Mailing Lists (???) wrote:
Even if we agree to shift /bin/sh to dash, I'm not sure that it'll make
that much of a difference. From what I've read, most of the problems
come from CGI scripts which invoke bash, and ssh post-authentication.
Anything that uses system(), popen(),
On 26/09/14 07:30, Drake Wilson wrote:
There is a _lot_ of magic behavior in bash. Debian bug #762839 mentions
how bash still imports shell functions from environment variables with magic
names, even when called as sh. The --posix option seems something of a joke.
Sorry, I mistyped; I meant
On Fri, Sep 26, 2014 at 8:40 PM, Drake Wilson dr...@dasyatidae.net wrote:
Aside: I'm not sure about the interpretation of checkbashisms re autotools
scripts (in particular libtool) because they do an awful lot of weird code
generation and shuffling to deal with multiple bogus shell
On Fri, Sep 26, 2014, at 05:43 PM, Martti Kühne wrote:
Removing bashisms would not have any impact on security but rather
enable us to switch /bin/sh away from /usr/bin/bash. Which we in
general appear to agree on?
cheers!
mar77i
We do, but let's hope a dev weighs in on this. Or rather,
On 2014-09-26 07:29, lolilolicon wrote:
On Fri, Sep 26, 2014 at 8:13 PM, Martti Kühne mysat...@gmail.com wrote:
On Fri, Sep 26, 2014 at 2:06 PM, Mailing Lists mailingli...@hawkradius.com wrote:
Even if we agree to shift /bin/sh to dash, I'm not sure that it'll make
that much of a
On Fri, Sep 26, 2014 at 9:50 PM, Doug Newgard scim...@archlinux.info wrote:
The problem is on many systems /bin/sh is linked to bash -- which is why
this bug is so widespread / severe. /bin/sh is the single biggest
UNIX loophole, so let's make it a bit smaller by switching it to
something
On 2014-09-26 09:15, lolilolicon wrote:
On Fri, Sep 26, 2014 at 9:50 PM, Doug Newgard scim...@archlinux.info wrote:
The problem is on many systems /bin/sh is linked to bash -- which is why
this bug is so widespread / severe. /bin/sh is the single biggest
UNIX loophole, so let's make it a bit
On 26 September 2014 16:25, Doug Newgard scim...@archlinux.info wrote:
On 2014-09-26 09:15, lolilolicon wrote:
On Fri, Sep 26, 2014 at 9:50 PM, Doug Newgard scim...@archlinux.info wrote:
The problem is on many systems /bin/sh is linked to bash -- which is why
this bug is so widespread /
On 2014-09-26 09:29, Maarten de Vries wrote:
On 26 September 2014 16:25, Doug Newgard scim...@archlinux.info wrote:
On 2014-09-26 09:15, lolilolicon wrote:
On Fri, Sep 26, 2014 at 9:50 PM, Doug Newgard scim...@archlinux.info wrote:
The problem is on many systems /bin/sh is linked to bash
On Fri, Sep 26, 2014, at 08:10 PM, Maarten de Vries wrote:
So you do not find any program that calls system() specific and scary
enough? I do.
I guess specific examples really would help making a good case, you
know? Being a non-programmer/sysad here, I'd be able to better support
you if you
Hi,
On Fri, Sep 26, 2014 at 07:30:29AM -0500, Drake Wilson wrote:
[...]
On my own desktop system, when I realized sh was bash recently I immediately
relinked it to dash and intend to keep it that way as long as I reasonably
can (I assume some things may break, in the current state; I'm
On 26 September 2014 18:16, Leonid Isaev lis...@umail.iu.edu wrote:
---
So, yes ArchLinux core tools use and will continue to use 'bashisms' because
they are convenient. The bugs which started this discussion are not a big deal
anyway. They will only affect scripts that don't properly
On 2014-09-26 07:30, Drake Wilson wrote:
On 26/09/14 07:06, Mailing Lists (???) wrote:
Even if we agree to shift /bin/sh to dash, I'm not sure that it'll make
that much of a difference. From what I've read, most of the problems
come from CGI scripts which invoke bash, and ssh
On 2014-09-26 11:27, Hugo Osvaldo Barrera wrote:
On 2014-09-26 07:30, Drake Wilson wrote:
On 26/09/14 07:06, Mailing Lists (???) wrote:
Even if we agree to shift /bin/sh to dash, I'm not sure that it'll make
that much of a difference. From what I've read, most of the problems
come from CGI
On Fri, 2014-09-26 at 13:27 -0300, Hugo Osvaldo Barrera wrote:
I strongly agree with this. Programs that ask for sh should get sh, and
programs that ask for bash should get bash.
Programs that ask for bash and use bashisms are already broken for the Ubuntu
family (ie: Ubuntu and derivatives),
On 09/26/2014 10:16 AM, Leonid Isaev wrote:
The bugs which started this discussion are not a big deal anyway. They
will only affect scripts that don't properly sanitize the input. Such
scripts have bigger problems to worry about IMHO. The SSH-related
issue is also insignificant because the bug
On 26/09/14 11:16, Leonid Isaev wrote:
$ head -n1 /usr/bin/mkinitcpio
#!/bin/bash
---
So, yes ArchLinux core tools use and will continue to use 'bashisms' because
they are convenient.
Right, and I'm more or less fine with that _because_ of the above shebang line,
and I'm also fine with
On 2014-09-26 11:46, Benjamin A. Shelton wrote:
On 09/26/2014 10:16 AM, Leonid Isaev wrote:
The bugs which started this discussion are not a big deal anyway. They
will only affect scripts that don't properly sanitize the input. Such
scripts have bigger problems to worry about IMHO. The
On Fri, Sep 26, 2014, at 10:29 PM, Doug Newgard wrote:
Now my question for everyone else is, what will people do *WHEN* a bug
is found in dash? Bash is the most tested shell code base we have, and I
don't buy into the fallacy that a smaller code base is inherently more
secure. Or are you
Op 26 sep. 2014 16:34 schreef Doug Newgard scim...@archlinux.info:
[...]
Instead of theorizing that many will do this, give a real world example
of where this happens and would have reduced the attack surface of the bug
in question.
One of the very few examples that sound reasonable, is
The flaw is not patched correctly. Tavis Ormandy has shown it to be still
exploitable.
Chester
On 26 September 2014 11:23:59 GMT-07:00, Guus Snijders gsnijd...@gmail.com
wrote:
Op 26 sep. 2014 16:34 schreef Doug Newgard scim...@archlinux.info:
[...]
Instead of theorizing that many will do
I've requested it as a feature. Hope it gets traction.
https://bugs.archlinux.org/task/42134
--
Cheers!
Savya
On 09/26/2014 10:59 AM, Doug Newgard wrote:
OK, we're finally getting some examples of where the sh symlink could
be used to trigger this exploit. Thank you.
There are samples that have been available for the past 2-3 days, and
there's a fairly steady stream of new information on various
On Sat, Sep 27, 2014, at 01:30 AM, Benjamin A. Shelton wrote:
On 09/26/2014 10:59 AM, Doug Newgard wrote:
OK, we're finally getting some examples of where the sh symlink could
be used to trigger this exploit. Thank you.
There are samples that have been available for the past 2-3 days,
On 2014-09-26 15:00, Benjamin A. Shelton wrote:
On 09/26/2014 10:59 AM, Doug Newgard wrote:
OK, we're finally getting some examples of where the sh symlink could
be used to trigger this exploit. Thank you.
There are samples that have been available for the past 2-3 days, and
there's a
Hi,
On Fri, Sep 26, 2014 at 03:57:54PM -0500, Doug Newgard wrote:
Yes, it's this paranoia that I've been trying to cut through in this thread
to get people to start discussing things rationally.
Just an FYI for people running their own DHCP servers:
On 2014-09-26 15:57, Doug Newgard wrote:
On 2014-09-26 15:00, Benjamin A. Shelton wrote:
On 09/26/2014 10:59 AM, Doug Newgard wrote:
What technical reasons are there against switching out /bin/sh?
Thus far, I haven't encountered anything particularly noisome (the
ST2's subl launch script being
On Fri, Sep 26, 2014 at 05:37:57AM +0800, lolilolicon wrote:
With the disclosure of the new bash bug (CVE-2014-6271, CVE-2014-7169),
it seems timely to bring this up.
Dan added dash to core/base around seven years ago [1], intending to
eventually link /bin/sh to dash instead of bash.
[1]
On Fri, Sep 26, 2014 at 05:37:57AM +0800, lolilolicon wrote:
With the disclosure of the new bash bug (CVE-2014-6271, CVE-2014-7169),
it seems timely to bring this up.
Dan added dash to core/base around seven years ago [1], intending to
eventually link /bin/sh to dash instead of bash.
On Fri, Sep 26, 2014 at 6:06 AM, Leonid Isaev lis...@umail.iu.edu wrote:
Is there anything preventing us from making the switch from bash to dash
as /bin/sh now? We can then have dash provide sh instead.
Yes -- due to the same reasons.
Care to elaborate?
Is there a wiki page tracking
On Fri, Sep 26, 2014 at 6:06 AM, Leonid Isaev lis...@umail.iu.edu wrote:
Has anyone proven a theorem saying that no such bugs exist in dash
(zsh, ksh, etc.)?
Oh, such bugs really only exist in bash. I believe no other shell
processes an env var with a magic token into a function definition.
On Fri, Sep 26, 2014 at 6:54 AM, Ralf Mardorf
ralf.mard...@rocketmail.com wrote:
On Fri, 2014-09-26 at 06:24 +0800, lolilolicon wrote:
Anything that has the #!/bin/sh line should be written in pure sh.
If you want bash, ask for bash.
I absolutely agree with your statement and that is why I
On Fri, 2014-09-26 at 07:04 +0800, lolilolicon wrote:
/bin/sh has to exist. The question is what should really be? My
answer is whatever is closest to what pure sh is supposed to be, thus
dash (definitely not bash).
+1
*buntu a long time ago switched to dash, Arch should do this too.
46 matches