Boston Linux & UNIX was originally founded in 1994 as part of The Boston Computer Society. We meet on the third Wednesday of each month at the Massachusetts Institute of Technology, in Building E51.

BLU Discuss list archive


[Discuss] Shellshock

Bill Ricker wrote:
> Yes, it's a fair point that the GNU project is older than either Apache or
> Linux, but that doesn't exempt Bash from criticism.
> Alas, there is both a misguided feature and at least one bug in the
> feature (even assuming its intent ever made any sense) -- as well as
> the environmental / combination problems.

The age thing is a bit of a red herring, and that this came about due to
a bug in Bash is almost irrelevant. The responsibility lies squarely
with the application that provides the network interface. It should not
be handing off unsanitized data supplied by a client to a child process.

Of course it's not that simple. We have plenty of infrastructure that
depends on doing exactly that. Take CGI for example, where form data is
piped to a child process (in addition to setting a bunch of environment
variables). But in the case of CGI you are just moving the network/local
barrier a bit further down the stack. The CGI code is written with the
expectation that the inputs are tainted.

But still, there should have been a bit more deliberate effort put into
creating a sandboxed environment for running child processes, with very
controlled paths of communication between the network and the child process.

> It was NEVER safe either, even without Apache. Any setuid binary
> that used system() might pass ENV to Bash...

Yes, agreed, which is why I said "almost irrelevant" above, as Bash
still had a problem that shouldn't have been there.


Tom Metro
The Perl Shop, Newton, MA, USA
"Predictable On-demand Perl Consulting."
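
Added example (not part of the original post or of any project named in it): one way a network-facing parent can keep client data on a controlled path to a child process, by building the child's environment from scratch and sending the request body over stdin only. The variable names, the value patterns and the function names `build_child_env` and `run_child` are assumptions chosen for illustration.

```python
import os
import re
import subprocess

# Assumed policy: the only variables the child inherits from the parent.
INHERIT = ("PATH", "LANG", "TZ")

# Assumed policy: client-derived variables the child may receive, each
# with a strict pattern the whole value must match.
REQUEST_VARS = {
    "REQUEST_METHOD": re.compile(r"GET|POST|HEAD"),
    "CONTENT_LENGTH": re.compile(r"[0-9]{1,10}"),
    "QUERY_STRING": re.compile(r"[A-Za-z0-9%&=+._~-]{0,2048}"),
}


def build_child_env(client_meta, parent_env=None):
    """Return a fresh environment dict built only from allowlisted names.

    Names outside the policy (for example arbitrary HTTP_* headers) are
    dropped; an allowlisted name with a non-matching value raises
    ValueError so the request can be refused before any child exists.
    """
    parent_env = os.environ if parent_env is None else parent_env
    env = {k: parent_env[k] for k in INHERIT if k in parent_env}
    for name, value in client_meta.items():
        pattern = REQUEST_VARS.get(name)
        if pattern is None:
            continue
        if not pattern.fullmatch(value):
            raise ValueError(f"rejected value for {name}")
        env[name] = value
    return env


def run_child(argv, client_meta, body):
    """Run argv (a list, no shell) with the allowlisted environment.

    The request body reaches the child on stdin only, never through a
    variable or the command line.
    """
    env = build_child_env(client_meta)
    return subprocess.run(argv, env=env, input=body,
                          capture_output=True, timeout=5, check=False)


if __name__ == "__main__":
    # Constructed request metadata; HTTP_USER_AGENT is not in the policy.
    meta = {"REQUEST_METHOD": "POST", "HTTP_USER_AGENT": "anything"}
    print(sorted(build_child_env(meta, parent_env={"PATH": "/usr/bin"})))
```
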

BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.
