Bash question

Discussion in 'General' started by rHBa, Sep 28, 2014.

  1. rHBa

    rHBa New Member

    Hi all, first post here.

    I would like to know what would break, in ISPConfig 3, if I changed the default shell (the /bin/sh symlink) from bash to something else (e.g back to dash)?

    Also, if not dash, which alternative shell would break the least functionality?

    EDIT: Sorry, I should have explained I'm running Debian wheezy/nginx/php-fpm/dovecot etc
     
    Last edited: Sep 28, 2014
  2. laptop_user

    laptop_user Member

    You want to change because the recent security problem?
     
  3. rHBa

    rHBa New Member

    How did you guess ;-)

    As long as all my basic services (Nginx, MySQL, email etc) keep working as they are I can live without the rest for now, at least for the short term, until a better solution arrives.

    I'm happy using ssh for most things. I have set up backup2l for backups and cronapt to keep me notified of updates so I can live without ISPConfig for now. I just wanted to know if anything unexpected might break.
     
    Last edited: Sep 28, 2014
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    ISPConfig should work with another shell as well. the reason that we switch from dash to bash in the setup is that some compile scripts during install (e.g. jailkit) might fails when you use dash. So after you installed ispconfig, you should be able to switch to dash.

    But there are bash updates for wheezy available, so switching the shell should not be nescessary. At least you can be sure now that the bash code gets inspected in details, so it should be really safe when this is over :)
     
  5. rHBa

    rHBa New Member

  6. concept21

    concept21 Member

  7. rHBa

    rHBa New Member

    Who knows whether any piece of software has security holes?

    We currently know that bash DOES have issues so I'm implementing an additional security measure by not using it as the default system shell.
     
  8. concept21

    concept21 Member

    I have query about Linux shell usage. :rolleyes:

    Now, I have switched my shell to dash. If the hacker run a script beginning with this line:
    #!/bin/bash


    Can he still hurt my system with the recent bug? :rolleyes:
     
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    Yes, this will still work. therefor the switch to dash will most likely not change that much security wise.
     
  10. rHBa

    rHBa New Member

    Why not?

    If dash* is invoked by some web facing service then it won't interpret the env variable in the first place so it'll never open a bash shell (by the time you've got protocol headers opening shells you're already f***ed anyway).

    * I'm assuming that dash isn't vulnerable in the same way bash is.

    EDIT: I'd also like to make clear that for any service/application that invokes bash directly, changing the default shell won't help. However there are loads of services/apps that invoke /bin/sh, which in some cases is symlinked to bash.
     
    Last edited: Oct 4, 2014
  11. rHBa

    rHBa New Member

    Worth mentioning,

    The latest Debian updates to Wheezy (and probably many other versions/distros) pass all the current shellshock vulnerability tests.
     
  12. concept21

    concept21 Member

    If I disable apache cgi-bin module, is my site secured from this bug's web attack?? :confused:
     
  13. rHBa

    rHBa New Member

    There are more vulnerabilities than just Apache/http, the most important thing is to make sure Bash is patched.

    If you are using one of the major distros (such as Debian/Ubuntu) make sure it's fully up-to-date (i.e apt-get update; apt-get upgrade).

    Once you've done that visit the link above and test to see if you're still vulnerable.
     
    Last edited: Oct 6, 2014

Share This Page