[svlug] bash vulnerability found
Steve Litt
slitt at troubleshooters.com
Mon Sep 29 18:22:41 PDT 2014
On Mon, 29 Sep 2014 17:00:28 -0700
Robert Hajime Lanning <lanning at lanning.cc> wrote:
> On 09/29/14 16:33, Steve Litt wrote:
> > I wish I'd believed the people who said I should use #!/bin/sh instead
> > of #!/bin/bash for my shebang:
> >
> > slitt at mydesq2:/d$ find . -type f -exec grep '#!/bin/bash' {} + | wc -l
> > 1786
> > slitt at mydesq2:/d$
> >
> > I've got my work cut out for me.
>
> You can script the update, but....
>
> If your script depends on bash'isms, leave it as /bin/bash.
> When called as /bin/sh, bash becomes semi-POSIX-compliant, or /bin/sh
> isn't bash at all (for those dash/nash folks out there...)
>
> So, watch that code compatibility... :)
>
:-)
This was about 600 shellscripts. I did it in less than an hour. You
know how I detected bash/nash/dash/ksh/zsh incompatibilities? LOL, I'll
wait till something errors out. That's my due diligence :-)
This is my desktop, by the way. It's not a website, so funny stuff on
my machine won't mess up customers before I can fix it.
Here's my bash to sh converter:
====================================
#!/bin/sh
# usage: nobash.sh FILE -- rewrite a bash shebang to /bin/sh, keeping a backup
orgname=$1
bakname=$1.b4_bashdel
mylog=/tmp/nobash.log
cp -pf "$orgname" "$bakname"
timestamp=$(date +%Y%m%d__%H:%M:%S)
echo "$timestamp, debashing $orgname, backup at $bakname"
echo "$timestamp, debashing $orgname, backup at $bakname" >> "$mylog"
# Redirecting onto $orgname truncates and rewrites the same inode, so its
# mode bits (+x) survive.  Note the substitution is not limited to line 1:
# any line containing #!/bin/bash is rewritten.  \s is a GNU sed extension.
sed -e 's+\s*#!/bin/bash+#!/bin/sh+' "$bakname" > "$orgname"
====================================
Ugly!
I did find . -type f | xargs grep to find everything containing a bash
shebang, redirected it to file danger.sh, edited it by hand to insert
my nobash.sh command and also to fix any dangerous stuff I found, then
ran it.
Yeah, I did a backup first. I'm not *that* crazy.
If I have any more bash-shebang shellscripts, they're in dark and dusty
corners of my filesystem. Next step, change my root and slitt shells,
and perhaps rename bash to bash.dontrun, although doing that might mess
up system software.
SteveT
Steve Litt * http://www.troubleshooters.com/
Troubleshooting Training * Human Performance
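The conversion described in the post above, and the bashism caveat raised in the quoted reply, as an added example that is not part of the original thread or Steve's nobash.sh: it rewrites only a genuine first-line bash shebang, refuses to touch a script in which a crude regex finds bash-only constructs, keeps the .b4_bashdel backup and the /tmp/nobash.log convention, and walks a tree. The bashism pattern list, the exit codes, and the four sample scripts in the temporary directory are constructed for the demo; the detector is a heuristic, not a parser.

```shell
#!/bin/sh
# Added example, not from the original post.  Assumes POSIX sh plus a
# sed/grep/find that accept [[:space:]] classes and grep -E (GNU or BSD).
LOG=/tmp/nobash.log

# Heuristic bashism detector (ERE alternatives): [[ ]], the function keyword,
# arrays, here-strings, &> redirection, ${v//..} ${v^} ${v,,} ${v:N}
# expansions, and some bash-only builtins.  Constructed list, not exhaustive.
BASHISM_RE='\[\[|^[[:space:]]*function[[:space:]]|[A-Za-z_][A-Za-z0-9_]*=\(|<<<|&>|\$\{[A-Za-z_][A-Za-z0-9_]*(//|\^|,,|:[0-9])|(^|[^A-Za-z0-9_])(declare|typeset|shopt|source|let|select|mapfile|readarray)([^A-Za-z0-9_]|$)'

# True only if line 1 is "#!/bin/bash" or "#!/usr/bin/env bash" (args allowed).
has_bash_shebang() {
    head -n 1 "$1" | grep -Eq '^#![[:space:]]*(/bin/bash|/usr/bin/env[[:space:]]+bash)([[:space:]]|$)'
}

# Print numbered lines that look like bashisms; status 0 if any were found.
find_bashisms() {
    grep -nE "$BASHISM_RE" "$1"
}

# Convert one file.  Returns 0 converted, 2 no bash shebang, 3 bashisms found.
debash() {
    f=$1
    bak=$f.b4_bashdel
    has_bash_shebang "$f" || return 2
    if find_bashisms "$f" >/dev/null; then
        return 3
    fi
    cp -p "$f" "$bak" || return 1
    # "1s": only the shebang line is touched, so a "#!/bin/bash" inside a
    # comment or heredoc is left alone.  Redirecting onto $f truncates and
    # rewrites the same inode, so the mode bits (+x) survive.
    sed -e '1s|^#![[:space:]]*/bin/bash|#!/bin/sh|' \
        -e '1s|^#![[:space:]]*/usr/bin/env[[:space:]][[:space:]]*bash|#!/bin/sh|' \
        "$bak" > "$f"
    printf '%s, debashing %s, backup at %s\n' \
        "$(date +%Y%m%d__%H:%M:%S)" "$f" "$bak" >> "$LOG"
}

# Walk a directory, debash every regular file, and report what was skipped.
debash_tree() {
    find "$1" -type f ! -name '*.b4_bashdel' | while read -r f; do
        rc=0
        debash "$f" || rc=$?
        case $rc in
            0) echo "converted: $f" ;;
            2) ;;   # no bash shebang: nothing to do
            3) echo "KEPT (bashisms): $f"; find_bashisms "$f" | sed 's/^/    /' ;;
            *) echo "ERROR ($rc): $f" ;;
        esac
    done
}

# --- constructed sample tree for the demo ---
WORK=$(mktemp -d)
LOG=$WORK/nobash.log
cat > "$WORK/pure.sh" <<'EOF'
#!/bin/bash
for f in a b; do echo "$f"; done
EOF
cat > "$WORK/arrays.sh" <<'EOF'
#!/bin/bash -e
arr=(one two)
[[ -n "${arr[0]}" ]] && echo "${arr[0]}"
EOF
cat > "$WORK/env.sh" <<'EOF'
#!/usr/bin/env bash
echo "$1"
EOF
cat > "$WORK/notbash.sh" <<'EOF'
#!/bin/sh
# a whole-file sed would also rewrite this comment: #!/bin/bash
echo hi
EOF
chmod +x "$WORK"/*.sh

debash_tree "$WORK"
```

Running it converts pure.sh and env.sh, keeps arrays.sh with the offending lines printed, and leaves notbash.sh alone even though a grep for the string would have listed it. Piping the tree walk's "KEPT" output into a file is the equivalent of the hand-edited danger.sh in the post, with the dangerous cases already separated out.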