Hacker News new | ask | show | jobs
by billadoid 4287 days ago
If you're on Ubuntu or Debian your CGI scripts will probably use dash, not bash.
2 comments
ansible 4287 days ago
I've just our few Apache 2 systems that are Internet facing. Some of the site configs did have the standard Ubuntu CGI stanzas in them. However, the `/usr/lib/cgi-bin` directories were empty.

All this has made me a bit nervous though. I certainly didn't change the system to use bash instead of dash.

link
muyuu 4287 days ago
Debian yes, Ubuntu's default is bash. So is Mint's.
link
jewel 4287 days ago
On Ubuntu, /bin/sh is a symlink to dash. /bin/sh is what system() will invoke.
link
muyuu 4287 days ago
It is, however when you create a user its default shell is bash unless otherwise specified.
link
jewel 4287 days ago
Of course, but what's the exploit vector in that case?
link
muyuu 4287 days ago
That the users created for Apache, database daemons, etc, default to bash for cgi.
link
Zancarius 4287 days ago
The passwd file contains the login shell configured for that user. Operating in the context of a daemon for most sane applications, this configuration doesn't (or shouldn't?) matter unless the user logs in. [1]

For Apache, I believe /bin/sh (or the shell it points to) is what's at issue here. [2]

[1] http://unix.stackexchange.com/questions/38175/difference-bet...

[2] http://security.stackexchange.com/questions/68146/how-do-i-s...

(This is also discussed earlier in the thread.)

link
billadoid 4287 days ago
init scripts will probably run from dash[1]

[1] https://wiki.ubuntu.com/DashAsBinSh

link