Boston Linux & UNIX was originally founded in 1994 as part of The Boston Computer Society. We meet on the third Wednesday of each month, online, via Jitsi Meet.

BLU Discuss list archive



[Discuss] Shellshock



Bill Ricker wrote:
> Yes, it's a fair point that Gnu project is older than either Apache or
> Linux, but that doesn't exempt Bash from criticism.
> 
> Alas there is both a misguided feature and at least one bug in the
> feature (even assuming its intent ever made any sense) -- as well as
> the environmental / combination problems.

The age thing is a bit of a red herring, and that this came about due to
a bug in Bash is almost irrelevant. The responsibility lies squarely
with the application that provides the network interface. It should not
be handing off unsanitized data supplied by a client to a child process.

Of course it's not that simple. We have plenty of infrastructure that
depends on doing exactly that. Take CGI for example, where form data is
piped to a child process (in addition to setting a bunch of environment
variables). But in the case of CGI you are just moving the network/local
barrier a bit further down the stack. The CGI code is written with the
expectation that the inputs are tainted.

But still, there should have been a bit more deliberate effort put into
creating a sandboxed environment for running child processes, with very
controlled paths of communication between the network and the child process.


> It was NEVER safe either. Even without Apache.  Any Setuid binary
> that used system() might pass ENV to BASH...

Yes, agreed, which is why I said "almost irrelevant" above, as Bash
still had a problem that shouldn't have been there.

 -Tom

-- 
Tom Metro
The Perl Shop, Newton, MA, USA
"Predictable On-demand Perl Consulting."
http://www.theperlshop.com/
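The two points made in the message above, that the gateway should not hand a client's bytes into a child's environment unchecked, and that Bash itself had an importer bug that any caller of system() could trip, in the form of an added shell example. This is not code from the original post, from Apache or from the Bash project; the function names and the CGI_ALLOWLIST are hypothetical, and the probe is the widely published one-line check for the original Shellshock import bug (CVE-2014-6271) only; the later, related bugs in the same feature need their own checks.

```shell
#!/bin/sh
# Added example (not from the original post, nor Apache/Bash code): what a
# CGI-style gateway can do before handing client data to a child process.
# Function names and the CGI_ALLOWLIST below are hypothetical.

# 1. Probe the bash on PATH with the well-known Shellshock test: an exported
#    variable whose value starts with "() {" is imported as a function by an
#    unpatched bash, and anything after the closing brace runs at startup,
#    before the -c command does. Prints "vulnerable", "patched" or "no-bash".
#    Covers only the original import bug; later related bugs need own checks.
shellshock_probe() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return; }
    # Constructed test value, not client data.
    if env x='() { :;}; echo vulnerable' bash -c ':' 2>/dev/null | grep -q '^vulnerable$'; then
        echo vulnerable
    else
        echo patched
    fi
}

# 2. Recognise the shape that triggers function import. Returns 0 (true)
#    when the value could be parsed as an exported function.
looks_like_function_export() {
    case "$1" in
        "() {"*) return 0 ;;
        *)       return 1 ;;
    esac
}

# 3. Start the child with an empty environment (env -i) and add back only
#    the allowlisted CGI variables, read from the caller's shell variables.
#    A value shaped like a function export is dropped rather than passed on,
#    so a hostile header never reaches bash's importer even on an unpatched
#    system. A fixed PATH is supplied because env -i removes it as well.
CGI_ALLOWLIST="REQUEST_METHOD QUERY_STRING CONTENT_LENGTH HTTP_USER_AGENT"

run_cgi_clean() {
    # "$@" is the child command line; allowlisted NAME=VALUE words are
    # prepended so env(1) treats them as assignments before the command.
    for cgi_name in $CGI_ALLOWLIST; do
        eval "cgi_value=\${$cgi_name-}"
        [ -n "$cgi_value" ] || continue
        if looks_like_function_export "$cgi_value"; then
            continue
        fi
        set -- "$cgi_name=$cgi_value" "$@"
    done
    env -i PATH=/usr/bin:/bin "$@"
}

# Demo: a hostile User-Agent (constructed) is dropped, a benign one passes.
HTTP_USER_AGENT='() { :;}; echo pwned'
REQUEST_METHOD=GET
run_cgi_clean sh -c 'printf "ua=[%s] method=[%s]\n" "$HTTP_USER_AGENT" "$REQUEST_METHOD"'
HTTP_USER_AGENT='Mozilla/5.0'
run_cgi_clean sh -c 'printf "ua=[%s] method=[%s]\n" "$HTTP_USER_AGENT" "$REQUEST_METHOD"'
echo "bash on PATH: $(shellshock_probe)"
```

The allowlist plus env -i is the "controlled path of communication" from the message: the child sees exactly the variables the gateway chose to give it and nothing it inherited. Dropping values that look like function exports is belt-and-braces on top of patching Bash, not a substitute for it, since system() in a setuid binary runs /bin/sh with whatever environment the binary already has and no gateway sits in between.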



BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.




Boston Linux & Unix / webmaster@blu.org