FSF Issues Statement On Shellshock Bash Vulnerability

  • #51
    Originally posted by Rallos Zek
    When using a new *BSD system, the first thing I and a lot of people I've talked to do is install GNU tools and utils on the system. The GNU ones are of a much higher quality.
    Urm.. the theme of this thread is a bug in a GNU shell has been found. csh, zsh and sh (the ones that come default on most BSD operating systems (no Mac OS X is not a BSD operating system)) are unaffected. I think you missed the plot.

    That said, I like bash; I write scripts using /bin/sh but my interactive day to day shell is bash. However, I don't really care if that gets "pwned" because as an unprivileged user, there is minimal damage that can be done. Honestly I feel this "security issue" is so minimal, I can't even be bothered to update the package haha.
    Last edited by kpedersen; 27 September 2014, 06:44 AM.



    • #52
      Originally posted by Sonadow
      there's always OS X. =)
      OS X has a strange mixture of BSD and GNU userland, i.e. it has screen and bash (and other GNU stuff) in the default install. Oddly enough, when I ssh into an OS X / Darwin machine, if the development toolchain wasn't so damn weird, I would feel oddly at home.

      I would say though that if you did install FreeBSD or even OpenBSD, many ports will drag in GNU tools and libraries anyway, so it would be hard to stay away from them for long, i.e. a lot of GNU software uses bash for shell scripts rather than sh (which should be outlawed for the sake of consistency!).



      • #53
        I'd say GPL and FSF are the main reasons for bash's poor quality. It's the worst of shells and for example dash is over 80% smaller. If bash had used less dependencies and BSD style programming languages with formally proved sandboxes and dependent typing, it would have kicked the bugs in the nuts. The FSF should learn to write more code and talk less.



        • #54
          Originally posted by emblemparade
          The "sorta useless" GNU is probably the reason why Linux has conquered the embedded, server, and mobile worlds. The GPL has forced upstream contribution from countless parties, leading to the most flexible operating system (or "kernel" depending on your point of view) we've ever had.
          Not really. Linux is successful because Linus used a license where people had to return source contributions. It just so happened that the GPL was a good license to do that. If there was no FSF / GPL then Linus would have just used a different license that accomplished the same end, or made his own or whatever.



          • #55
            Originally posted by caligula
            I'd say GPL and FSF are the main reasons for bash's poor quality. It's the worst of shells and for example dash is over 80% smaller.
            I find dash is not really a good example; it has far fewer features than busybox ash, and though I don't have sizes at hand, I bet it is larger.



            • #56
              Originally posted by Sonadow
              there's always OS X. =)
              That's not really an option for me. Even if I could justify the cost, I can't stand the hardware, and the 1980s-era GUI they slapped on top of it doesn't really sit well with me either, and I can't just use Plasma Shell to replace it.

              Originally posted by kpedersen
              OS X has a strange mixture of BSD and GNU userland, i.e. it has screen and bash (and other GNU stuff) in the default install. Oddly enough, when I ssh into an OS X / Darwin machine, if the development toolchain wasn't so damn weird, I would feel oddly at home.

              I would say though that if you did install FreeBSD or even OpenBSD, many ports will drag in GNU tools and libraries anyway, so it would be hard to stay away from them for long, i.e. a lot of GNU software uses bash for shell scripts rather than sh (which should be outlawed for the sake of consistency!).
              True, but hopefully I'll be able to just jail them. Although knowing that the base system I'll be building on top of is completely controlled by engineers, as opposed to having politicians (FSF) control key parts, will be a comfort by itself even if I do end up having to pull in the others' code.



              • #57
                Originally posted by johnc
                Not really. Linux is successful because Linus used a license where people had to return source contributions. It just so happened that the GPL was a good license to do that. If there was no FSF / GPL then Linus would have just used a different license that accomplished the same end, or made his own or whatever.
                Well, it's possible that the license had an effect on its success; the idea that copyleft is what made Linux so successful, however, ignores a lot of facts and is really just looking at things through an FSF-colored lens.

                Personally I consider these 3 factors to be far, far more important:
                1). Linux was first to market in terms of a freely and publicly available open source UNIX-like kernel on the internet. If someone is first to market, it's actually very hard to shift them, particularly when price is removed from the equation, as you then have to get past the Good-Enough factor on technical merit. During the time period the BSDs actually had a chance on that front, which leads us to the next point...

                2). The AT&T vs Berkeley CSRG lawsuit. This lawsuit created legal uncertainty about BSD during a key period of adoption, and while the case was eventually settled in Berkeley's favor, it set BSD back enough that Linux was able to remove much of BSD's edge against it.

                3). Red Hat, and to a much lesser degree SUSE. These two companies are responsible for the successful commercialization of Linux, and the creation of the support industry that built up around them. This caused Linux to establish itself in enterprise and everything else has trickled down from there.



                • #58
                  Originally posted by johnc
                  True but the example above -- DHCP scripts, etc. -- are all invoked with /bin/sh which links to dash on Debian systems. So bash is never used in those cases.
                  Hm...here on Ubuntu 14.04 it would appear otherwise...

                  Code:
                  steve@t520:~$ cat /sbin/dhclient-script
                  #!/bin/bash
                  
                  # Explicitly set the PATH to that of ENV_SUPATH in /etc/login.defs and unset
                  # various other variables. We need to do this so /sbin/dhclient cannot abuse
                  # the environment to escape AppArmor confinement via this script
                  # (LP: #1045986). This can be removed once AppArmor supports environment
                  # filtering (LP: #1045985)
                  export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
                  export ENV=
                  export BASH_ENV=
                  export CDPATH=
                  export GLOBIGNORE=
                  export BASH_XTRACEFD=
                  ...

                  A cursory scan shows that /bin/bash is used quite a lot in various scripts.

                  Code:
                  steve@t520:~$ grep -R '#!/bin/bash' /bin/*
                  /bin/gunzip:#!/bin/bash
                  /bin/gzexe:#!/bin/bash
                  /bin/gzexe:# WARNING: the first line of this file must be either : or #!/bin/bash
                  /bin/gzexe:# On Ultrix, /bin/bash is too buggy, change the first line to: #!/bin/bash5
                  /bin/gzexe:#!/bin/bash
                  /bin/uncompress:#!/bin/bash
                  /bin/zcat:#!/bin/bash
                  /bin/zcmp:#!/bin/bash
                  /bin/zdiff:#!/bin/bash
                  /bin/zegrep:#!/bin/bash
                  /bin/zfgrep:#!/bin/bash
                  /bin/zforce:#!/bin/bash
                  /bin/zgrep:#!/bin/bash
                  /bin/zless:#!/bin/bash
                  /bin/zmore:#!/bin/bash
                  /bin/znew:#!/bin/bash
                  Code:
                  steve@t520:~$ grep -R '#!/bin/bash' /sbin/*
                  /sbin/dhclient-script:#!/bin/bash
                  /sbin/ip6tables-apply:#!/bin/bash
                  /sbin/iptables-apply:#!/bin/bash
                  Code:
                  steve@t520:~$ grep -R '#!/bin/bash' /usr/bin/*
                  /usr/bin/aptitude-create-state-bundle:#!/bin/bash
                  /usr/bin/aptitude-run-state-bundle:#!/bin/bash
                  /usr/bin/byobu-ugraph:#!/bin/bash
                  /usr/bin/byobu-ulevel:#!/bin/bash
                  /usr/bin/cautious-launcher:#!/bin/bash
                  /usr/bin/cpupower:#!/bin/bash
                  /usr/bin/editdiff:#!/bin/bash
                  /usr/bin/equivs-control:#!/bin/bash
                  /usr/bin/fakeroot:#!/bin/bash
                  /usr/bin/fakeroot-sysv:#!/bin/bash
                  /usr/bin/fakeroot-tcp:#!/bin/bash
                  Binary file /usr/bin/fig2dev matches
                  /usr/bin/init-checkconf:#!/bin/bash
                  /usr/bin/itweb-settings:#!/bin/bash
                  /usr/bin/javaws:#!/bin/bash
                  /usr/bin/lcf:#!/bin/bash
                  /usr/bin/lzcmp:#!/bin/bash
                  /usr/bin/lzdiff:#!/bin/bash
                  /usr/bin/lzegrep:#!/bin/bash
                  /usr/bin/lzfgrep:#!/bin/bash
                  /usr/bin/lzgrep:#!/bin/bash
                  /usr/bin/lzless:#!/bin/bash
                  /usr/bin/lzmore:#!/bin/bash
                  /usr/bin/perf:#!/bin/bash
                  /usr/bin/pnmindex:#!/bin/bash
                  /usr/bin/policyeditor:#!/bin/bash
                  /usr/bin/ppmquantall:#!/bin/bash
                  /usr/bin/turbostat:#!/bin/bash
                  /usr/bin/tzselect:#!/bin/bash
                  /usr/bin/ucf:#!/bin/bash
                  /usr/bin/usb-devices:#!/bin/bash
                  /usr/bin/X11/cautious-launcher:#!/bin/bash
                  /usr/bin/X11/lcf:#!/bin/bash
                  /usr/bin/X11/ucf:#!/bin/bash
                  /usr/bin/X11/usb-devices:#!/bin/bash
                  /usr/bin/X11/aptitude-create-state-bundle:#!/bin/bash
                  /usr/bin/X11/aptitude-run-state-bundle:#!/bin/bash
                  /usr/bin/X11/xzmore:#!/bin/bash
                  /usr/bin/X11/xzless:#!/bin/bash
                  /usr/bin/X11/xzgrep:#!/bin/bash
                  /usr/bin/X11/xzdiff:#!/bin/bash
                  /usr/bin/X11/xzfgrep:#!/bin/bash
                  /usr/bin/X11/xzegrep:#!/bin/bash
                  /usr/bin/X11/xzcmp:#!/bin/bash
                  /usr/bin/X11/lzmore:#!/bin/bash
                  /usr/bin/X11/lzless:#!/bin/bash
                  /usr/bin/X11/lzdiff:#!/bin/bash
                  /usr/bin/X11/lzcmp:#!/bin/bash
                  /usr/bin/X11/lzgrep:#!/bin/bash
                  /usr/bin/X11/lzegrep:#!/bin/bash
                  /usr/bin/X11/lzfgrep:#!/bin/bash
                  /usr/bin/X11/fakeroot-sysv:#!/bin/bash
                  /usr/bin/X11/fakeroot-tcp:#!/bin/bash
                  /usr/bin/X11/fakeroot:#!/bin/bash
                  /usr/bin/X11/equivs-control:#!/bin/bash
                  grep: warning: /usr/bin/X11/X11: recursive directory loop
                  /usr/bin/X11/editdiff:#!/bin/bash
                  /usr/bin/X11/ppmquantall:#!/bin/bash
                  /usr/bin/X11/pnmindex:#!/bin/bash
                  /usr/bin/X11/policyeditor:#!/bin/bash
                  /usr/bin/X11/javaws:#!/bin/bash
                  /usr/bin/X11/itweb-settings:#!/bin/bash
                  /usr/bin/X11/init-checkconf:#!/bin/bash
                  /usr/bin/X11/byobu-ulevel:#!/bin/bash
                  /usr/bin/X11/byobu-ugraph:#!/bin/bash
                  Binary file /usr/bin/X11/fig2dev matches
                  /usr/bin/X11/xmlto:#!/bin/bash
                  /usr/bin/X11/tzselect:#!/bin/bash
                  /usr/bin/X11/turbostat:#!/bin/bash
                  /usr/bin/X11/cpupower:#!/bin/bash
                  /usr/bin/X11/x86_energy_perf_policy:#!/bin/bash
                  /usr/bin/X11/perf:#!/bin/bash
                  /usr/bin/x86_energy_perf_policy:#!/bin/bash
                  /usr/bin/xmlto:#!/bin/bash
                  /usr/bin/xzcmp:#!/bin/bash
                  /usr/bin/xzdiff:#!/bin/bash
                  /usr/bin/xzegrep:#!/bin/bash
                  /usr/bin/xzfgrep:#!/bin/bash
                  /usr/bin/xzgrep:#!/bin/bash
                  /usr/bin/xzless:#!/bin/bash
                  /usr/bin/xzmore:#!/bin/bash
                  Code:
                  steve@t520:~$ grep -R '#!/bin/bash' /usr/sbin/*
                  /usr/sbin/dkms:#!/bin/bash
                  /usr/sbin/dkms:#!/bin/bash
                  /usr/sbin/ip6tables-apply:#!/bin/bash
                  /usr/sbin/iptables-apply:#!/bin/bash
                  /usr/sbin/locale-gen:#!/bin/bash
                  /usr/sbin/make-ssl-cert:#!/bin/bash -e
                  /usr/sbin/mkrlconf.sh:#!/bin/bash
                  /usr/sbin/mvrefind.sh:#!/bin/bash
                  /usr/sbin/update-info-dir:#!/bin/bash


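The grep sweep above is the right instinct for a Shellshock exposure inventory. As an added example (not from the thread), the POSIX sh script below does the same audit but reads each file's shebang instead of grepping for a literal, so it also catches `#!/usr/bin/env bash` and `#!/bin/bash -e`, ignores binaries and comment lines that merely contain "bash", and never enters a symlink loop like the `/usr/bin/X11` one grep warned about; the `make_fixture` tree it runs over is constructed for the demo.

```shell
#!/bin/sh
# Inventory scripts that bash would interpret under a directory tree.
# Added example; the fixture below is constructed, not a real system.

interp_of() {
    # Print the interpreter named by a shebang line, resolving "env NAME"
    # (e.g. "#!/usr/bin/env bash" -> bash, "#!/bin/bash -e" -> bash).
    set -- $(printf '%s\n' "${1#\#!}")
    case "${1##*/}" in
        env) printf '%s\n' "${2##*/}" ;;
        *)   printf '%s\n' "${1##*/}" ;;
    esac
}

bash_scripts_in() {
    # List regular files under $1 whose shebang names bash, sorted.
    # find without -L does not follow symlinks, so a loop such as
    # /usr/bin/X11 -> . (seen in the grep output above) is never entered.
    find "$1" -type f 2>/dev/null | while IFS= read -r f; do
        # Only files whose first two bytes are "#!" are candidates; this
        # skips ELF binaries that happen to contain the string "bash".
        if [ "$(head -c 2 "$f" 2>/dev/null)" = '#!' ]; then
            line=$(head -n 1 "$f" | tr -d '\0')
            if [ "$(interp_of "$line")" = bash ]; then
                printf '%s\n' "$f"
            fi
        fi
    done | sort
}

count_bash_scripts() {
    # Number of bash-interpreted scripts under $1 (helper for checks).
    bash_scripts_in "$1" | wc -l | tr -d ' '
}

make_fixture() {
    # Build a constructed tree mimicking the cases seen in the post:
    # plain bash, bash with options, env bash, a dash/sh script, a binary
    # containing "bash", a text file mentioning a shebang, and a symlink loop.
    fx=$(mktemp -d)
    mkdir -p "$fx/bin" "$fx/sbin"
    printf '#!/bin/bash\necho zcat\n'          > "$fx/bin/zcat"
    printf '#!/bin/bash -e\necho cert\n'       > "$fx/sbin/make-ssl-cert"
    printf '#!/usr/bin/env bash\necho env\n'   > "$fx/bin/envscript"
    printf '#!/bin/sh\necho dash\n'            > "$fx/bin/dashscript"
    printf '\177ELF\001\001\001bash\001'       > "$fx/bin/blob"
    printf 'Notes\n#!/bin/bash in a comment\n' > "$fx/bin/README"
    ln -s . "$fx/bin/X11"   # same kind of loop grep -R warned about
    printf '%s\n' "$fx"
}
```

Run `bash_scripts_in /bin` (or `/sbin`, `/usr/bin`, `/usr/sbin`) on a real host to get the list the post assembled by hand; files invoked by network-facing daemons, like dhclient-script, are the ones to prioritise for patching.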

                  • #59
                    Originally posted by steveriley
                    Hm...here on Ubuntu 14.04 it would appear otherwise...

                    Code:
                    steve@t520:~$ cat /sbin/dhclient-script
                    #!/bin/bash
                    
                    # Explicitly set the PATH to that of ENV_SUPATH in /etc/login.defs and unset
                    # various other variables. We need to do this so /sbin/dhclient cannot abuse
                    # the environment to escape AppArmor confinement via this script
                    # (LP: #1045986). This can be removed once AppArmor supports environment
                    # filtering (LP: #1045985)
                    export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
                    export ENV=
                    export BASH_ENV=
                    export CDPATH=
                    export GLOBIGNORE=
                    export BASH_XTRACEFD=
                    ...

                    A cursory scan shows that /bin/bash is used quite a lot in various scripts.

                    Code:
                    steve@t520:~$ grep -R '#!/bin/bash' /bin/*
                    /bin/gunzip:#!/bin/bash
                    /bin/gzexe:#!/bin/bash
                    /bin/gzexe:# WARNING: the first line of this file must be either : or #!/bin/bash
                    /bin/gzexe:# On Ultrix, /bin/bash is too buggy, change the first line to: #!/bin/bash5
                    /bin/gzexe:#!/bin/bash
                    /bin/uncompress:#!/bin/bash
                    /bin/zcat:#!/bin/bash
                    /bin/zcmp:#!/bin/bash
                    /bin/zdiff:#!/bin/bash
                    /bin/zegrep:#!/bin/bash
                    /bin/zfgrep:#!/bin/bash
                    /bin/zforce:#!/bin/bash
                    /bin/zgrep:#!/bin/bash
                    /bin/zless:#!/bin/bash
                    /bin/zmore:#!/bin/bash
                    /bin/znew:#!/bin/bash
                    Code:
                    steve@t520:~$ grep -R '#!/bin/bash' /sbin/*
                    /sbin/dhclient-script:#!/bin/bash
                    /sbin/ip6tables-apply:#!/bin/bash
                    /sbin/iptables-apply:#!/bin/bash
                    Code:
                    steve@t520:~$ grep -R '#!/bin/bash' /usr/bin/*
                    /usr/bin/aptitude-create-state-bundle:#!/bin/bash
                    /usr/bin/aptitude-run-state-bundle:#!/bin/bash
                    /usr/bin/byobu-ugraph:#!/bin/bash
                    /usr/bin/byobu-ulevel:#!/bin/bash
                    /usr/bin/cautious-launcher:#!/bin/bash
                    /usr/bin/cpupower:#!/bin/bash
                    /usr/bin/editdiff:#!/bin/bash
                    /usr/bin/equivs-control:#!/bin/bash
                    /usr/bin/fakeroot:#!/bin/bash
                    /usr/bin/fakeroot-sysv:#!/bin/bash
                    /usr/bin/fakeroot-tcp:#!/bin/bash
                    Binary file /usr/bin/fig2dev matches
                    /usr/bin/init-checkconf:#!/bin/bash
                    /usr/bin/itweb-settings:#!/bin/bash
                    /usr/bin/javaws:#!/bin/bash
                    /usr/bin/lcf:#!/bin/bash
                    /usr/bin/lzcmp:#!/bin/bash
                    /usr/bin/lzdiff:#!/bin/bash
                    /usr/bin/lzegrep:#!/bin/bash
                    /usr/bin/lzfgrep:#!/bin/bash
                    /usr/bin/lzgrep:#!/bin/bash
                    /usr/bin/lzless:#!/bin/bash
                    /usr/bin/lzmore:#!/bin/bash
                    /usr/bin/perf:#!/bin/bash
                    /usr/bin/pnmindex:#!/bin/bash
                    /usr/bin/policyeditor:#!/bin/bash
                    /usr/bin/ppmquantall:#!/bin/bash
                    /usr/bin/turbostat:#!/bin/bash
                    /usr/bin/tzselect:#!/bin/bash
                    /usr/bin/ucf:#!/bin/bash
                    /usr/bin/usb-devices:#!/bin/bash
                    /usr/bin/X11/cautious-launcher:#!/bin/bash
                    /usr/bin/X11/lcf:#!/bin/bash
                    /usr/bin/X11/ucf:#!/bin/bash
                    /usr/bin/X11/usb-devices:#!/bin/bash
                    /usr/bin/X11/aptitude-create-state-bundle:#!/bin/bash
                    /usr/bin/X11/aptitude-run-state-bundle:#!/bin/bash
                    /usr/bin/X11/xzmore:#!/bin/bash
                    /usr/bin/X11/xzless:#!/bin/bash
                    /usr/bin/X11/xzgrep:#!/bin/bash
                    /usr/bin/X11/xzdiff:#!/bin/bash
                    /usr/bin/X11/xzfgrep:#!/bin/bash
                    /usr/bin/X11/xzegrep:#!/bin/bash
                    /usr/bin/X11/xzcmp:#!/bin/bash
                    /usr/bin/X11/lzmore:#!/bin/bash
                    /usr/bin/X11/lzless:#!/bin/bash
                    /usr/bin/X11/lzdiff:#!/bin/bash
                    /usr/bin/X11/lzcmp:#!/bin/bash
                    /usr/bin/X11/lzgrep:#!/bin/bash
                    /usr/bin/X11/lzegrep:#!/bin/bash
                    /usr/bin/X11/lzfgrep:#!/bin/bash
                    /usr/bin/X11/fakeroot-sysv:#!/bin/bash
                    /usr/bin/X11/fakeroot-tcp:#!/bin/bash
                    /usr/bin/X11/fakeroot:#!/bin/bash
                    /usr/bin/X11/equivs-control:#!/bin/bash
                    grep: warning: /usr/bin/X11/X11: recursive directory loop
                    /usr/bin/X11/editdiff:#!/bin/bash
                    /usr/bin/X11/ppmquantall:#!/bin/bash
                    /usr/bin/X11/pnmindex:#!/bin/bash
                    /usr/bin/X11/policyeditor:#!/bin/bash
                    /usr/bin/X11/javaws:#!/bin/bash
                    /usr/bin/X11/itweb-settings:#!/bin/bash
                    /usr/bin/X11/init-checkconf:#!/bin/bash
                    /usr/bin/X11/byobu-ulevel:#!/bin/bash
                    /usr/bin/X11/byobu-ugraph:#!/bin/bash
                    Binary file /usr/bin/X11/fig2dev matches
                    /usr/bin/X11/xmlto:#!/bin/bash
                    /usr/bin/X11/tzselect:#!/bin/bash
                    /usr/bin/X11/turbostat:#!/bin/bash
                    /usr/bin/X11/cpupower:#!/bin/bash
                    /usr/bin/X11/x86_energy_perf_policy:#!/bin/bash
                    /usr/bin/X11/perf:#!/bin/bash
                    /usr/bin/x86_energy_perf_policy:#!/bin/bash
                    /usr/bin/xmlto:#!/bin/bash
                    /usr/bin/xzcmp:#!/bin/bash
                    /usr/bin/xzdiff:#!/bin/bash
                    /usr/bin/xzegrep:#!/bin/bash
                    /usr/bin/xzfgrep:#!/bin/bash
                    /usr/bin/xzgrep:#!/bin/bash
                    /usr/bin/xzless:#!/bin/bash
                    /usr/bin/xzmore:#!/bin/bash
                    Code:
                    steve@t520:~$ grep -R '#!/bin/bash' /usr/sbin/*
                    /usr/sbin/dkms:#!/bin/bash
                    /usr/sbin/dkms:#!/bin/bash
                    /usr/sbin/ip6tables-apply:#!/bin/bash
                    /usr/sbin/iptables-apply:#!/bin/bash
                    /usr/sbin/locale-gen:#!/bin/bash
                    /usr/sbin/make-ssl-cert:#!/bin/bash -e
                    /usr/sbin/mkrlconf.sh:#!/bin/bash
                    /usr/sbin/mvrefind.sh:#!/bin/bash
                    /usr/sbin/update-info-dir:#!/bin/bash
                    But doesn't dash replace bash on Ubuntu, or is it just the default for the user's shell?



                    • #60
                      Originally posted by caligula
                      But doesn't dash replace bash on Ubuntu, or is it just the default for the user's shell?
                      AFAIK dash is linked to /bin/sh, but bash is still the default login shell for Debian and Ubuntu.
