Saturday, 27 September 2014

dhclient-script shell


In light of the recent bash vulnerability, perhaps it would make sense to
evaluate whether /sbin/dhclient-script really requires bash or if it can perhaps
be made POSIX compatible instead?

$ head -n1 /sbin/dhclient-script

My own opinion is that as long as bash supports function definitions in
environment variables, it is not sane for use in security-sensitive contexts.
That Debian/Ubuntu use dash as /bin/sh makes them quite a bit better off than
some other distros, but we should probably be looking to evaluate where bash is
invoked via shebang lines and take action to limit exposure that way.

Forest Bond
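
The shebang audit proposed above, as an added example that is not part of the original post: a POSIX sh script that lists files whose first line invokes bash, directly or through env. The function names shebang_interp and find_bash_scripts and the file name audit.sh are hypothetical, and file names are assumed not to contain newlines.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are
# hypothetical. POSIX sh only, so the audit does not itself need bash.

# Print the basename of the interpreter named on the shebang line of
# file $1; print nothing if the file does not start with "#!".
shebang_interp() {
    file=$1
    # Look at the first two bytes only, so binaries are skipped cheaply.
    [ "$(dd if="$file" bs=2 count=1 2>/dev/null)" = '#!' ] || return 0
    line=
    # A final line without a newline makes read fail but still fills $line.
    IFS= read -r line < "$file" || [ -n "$line" ] || return 0
    set -f                  # no globbing while the line is word-split
    set -- ${line#??}       # drop "#!"; $1 is now the interpreter path
    set +f
    [ $# -gt 0 ] || return 0
    interp=${1##*/}
    if [ "$interp" = env ]; then
        shift
        # "#!/usr/bin/env [-S] [VAR=value] bash": skip options and
        # assignments to reach the command env will run.
        while [ $# -gt 0 ]; do
            case $1 in
                -*|*=*) shift ;;
                *) break ;;
            esac
        done
        [ $# -gt 0 ] || return 0
        interp=${1##*/}
    fi
    printf '%s\n' "$interp"
}

# List regular files under the given directories whose shebang
# interpreter is bash. Assumes no newlines in file names.
find_bash_scripts() {
    find "$@" -type f 2>/dev/null | while IFS= read -r f; do
        if [ "$(shebang_interp "$f")" = bash ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Example: sh audit.sh /sbin /usr/sbin
if [ $# -gt 0 ]; then
    find_bash_scripts "$@"
fi
```

On a system where /bin/sh is itself bash, scripts starting with #!/bin/sh also run under bash and will not appear in this listing.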