Slackware This Forum is for the discussion of Slackware Linux.
|
Notices |
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
Are you new to LinuxQuestions.org? Visit the following links:
Site Howto |
Site FAQ |
Sitemap |
Register Now
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
|
|
|
10-08-2014, 05:56 PM
|
#31
|
Member
Registered: Jun 2014
Distribution: Slackware
Posts: 497
Rep:
|
Dave Wheeler has an excellent, level-headed write-up here. One thing he points out, is that the bug was in there for 25 years(!) before it was caught. It's good that it was found and fixed, but the number of observed exploits in the wild over that time was essentially nil.
Another thing he points out, is that now more of the "incidental" code is going to get a lot closer scrutiny.
|
|
1 members found this post helpful.
|
10-09-2014, 09:24 AM
|
#32
|
LQ Veteran
Registered: May 2008
Posts: 7,010
|
Quote:
Originally Posted by metaschima
That's interesting, maybe submit it to the bash devs. The ability to turn off this useless feature would be most useful.
|
Nah, judging by what I've read on 'bug-bash' they simply wouldn't be open to the idea. Someone already suggested disabling the feature when bash was invoked as 'sh' and was met with a dismissive comment. As far as Chet is concerned shell-shock is fixed by the BASH_FUNC_ prefix, and while they're still finding and fixing parsing issues, they simply don't see function importing as a threat any more.
When I wrote that patch it was simply so I could do away with that horrid bash-wrapper I was using as a short term fix. Then I thought "Hmmm, I wonder how hard it would be to add a configure option", and the patch I posted above was the result of me finding out. it was never intended for upstream (it'd need some more work for that: update documentation, GNU code styling and so on), and as I said, above, there wouldn't be any point as they just wouldn't see a need for it anyway.
Medium term, I'm going to work towards moving away from bash as the system /bin/sh on my local boxes, which is not only about this function importing stuff, there are other reasons beyond that to do so.
|
|
|
10-09-2014, 02:44 PM
|
#33
|
Member
Registered: Sep 2012
Distribution: Slackware
Posts: 185
Rep:
|
Quote:
Originally Posted by GazL
Medium term, I'm going to work towards moving away from bash as the system /bin/sh on my local boxes, which is not only about this function importing stuff, there are other reasons beyond that to do so.
|
Keep us posted; I'm sure I'm not the only one who would be interested in your progress.
Others in the forum seem to have had success with ksh as /bin/sh; another option which I have used and liked in the past is mksh
Cheers
|
|
|
10-10-2014, 01:31 AM
|
#34
|
Member
Registered: Oct 2009
Distribution: Slackware
Posts: 534
|
Quote:
Originally Posted by GazL
You know what they say... If you want something doing...
We've had a couple of rainy days here so I spent a little time coming up with a patch for bash to make it work the way I want it to. In short, I've added a new configure option that can be used to set whether function loading is done by default, and added command-line arguments to override whatever default you set on the configure.
On the off-chance that anyone is still interested, here are the patches to be used against the 4.3.27 in -current.
Full details are in the patchfile.
|
Hmmm... It seams that the FreeBSD guys already did something like this here.. You seem to have a different approach, but I like the 'no-import-functions' addition...
|
|
|
10-10-2014, 08:32 AM
|
#35
|
LQ Veteran
Registered: May 2008
Posts: 7,010
|
Yep, I think the original idea came from one of the NetBSD guys, FreeBSD followed suit, and I wouldn't be at all surprised if OpenBSD haven't done something similar too.
I pretty much just did what they did, but I got a little carried away and wrapped it all in configure options.
The problem with --no-import-functions is that it doesn't protect you from calls to system() or popen() or any other call to bash that won't specify it. It might be useful on the #! line of CGI scripts: though anyone in their right mind shouldn't be writing CGI in bash or any other shell script in the first place, so its probably of limited value.
As I said in one of the posts above, mostly it was just to see if I could do it.
|
|
|
10-10-2014, 09:37 AM
|
#36
|
Senior Member
Registered: Dec 2013
Distribution: Slackware
Posts: 1,982
|
I think the BSD guys actually care about security, I mean look at this bash issue, libressl, and the handling of the kernel breach (much better than Linux did).
I think I'll dual boot FreeBSD for a while.
|
|
|
10-10-2014, 06:35 PM
|
#37
|
Senior Member
Registered: Nov 2013
Location: Brazil
Distribution: Slackware
Posts: 1,223
Rep:
|
Quote:
Originally Posted by metaschima
I think the BSD guys actually care about security, I mean look at this bash issue, libressl, and the handling of the kernel breach (much better than Linux did).
I think I'll dual boot FreeBSD for a while.
|
Go for OpenBSD then.
|
|
|
10-27-2014, 05:04 AM
|
#38
|
LQ Veteran
Registered: May 2008
Posts: 7,010
|
Quote:
Originally Posted by Loomx
Keep us posted; I'm sure I'm not the only one who would be interested in your progress.
Others in the forum seem to have had success with ksh as /bin/sh; another option which I have used and liked in the past is mksh
Cheers
|
I hit a couple of problems using the AT&T ksh that slackware ships. Though it has many of the features that bash has, there are some differences:
Unlike bash, "eval" seems to work argument by argument in ksh, so that:
Code:
eval LUKSARRAY=( $line )
needs to be written as:
Code:
eval "LUKSARRAY=( $line )"
or you get a syntax error. This is in rc.S in the cryptsetup handling. Luckily using the quotes doesn't break bash, so quote it and it'll work in both shells, but its a difference non the less. Anyway, I've since rewritten that part of rc.S, so that doesn't really concern me, but the same issue could turn up in other scripts.
A second issue I discovered in AT&T ksh, is that it seems to break installpkg! Now, this one is odd, as it seems to be intermittent, but more often breaks than works. In /sbin/installpkg there is this section of code:
Code:
# Test tarball integrity and get uncompressed package size:
if [ "$MODE" = "install" ]; then
echo "Verifying package $(basename $package)."
fi
cat $package | $packagecompression -dc | dd 2> $TMP/tmpsize$$ | $TAR tf - 1> $TMP/tmplist$$ 2> /dev/null
TARERROR=$?
if [ ! "$TARERROR" = "0" ]; then
EXITSTATUS=1 # tar file corrupt
if [ "$MODE" = "install" ]; then
echo "Unable to install $package: tar archive is corrupt (tar returned error code $TARERROR)"
fi
rm -f $TMP/tmplist$$ $TMP/tmpsize$$
continue
fi
UNCOMPRESSED="$(expr $(cat $TMP/tmpsize$$ | head -n 1 | cut -f 1 -d +) / 2)"
if [ $UNCOMPRESSED -lt 1024 ]; then
UNCOMPRESSED="${UNCOMPRESSED}K"
elif [ $UNCOMPRESSED -lt 10239 ]; then
UNCOMPRESSED="$(expr $UNCOMPRESSED \* 1000 / 1024 | cut -b1).$(expr $UNCOMPRESSED \* 1000 / 1024 | cut -b2)M"
else
UNCOMPRESSED="$(expr $UNCOMPRESSED / 1024)M"
fi
rm -f $TMP/tmpsize$$
What seems to happen is that the tmpsize$$ file is left empty, which then means that UNCOMPRESSED is left empty, which causes a syntax error in the test. But, it occasionally works, and I haven't been able to determine why.
A final issue with ksh stems from its default aliases, specifically 'stop' which unfortunately seems to be a fairly common function name in many scripts and will result in ksh trying to run a kill command rather than the intended function.
mksh looks interesting and will be something I'm going to be looking at, though I've not been playing with it long enough to get a feel for how well it works. It does have a much smaller memory footprint that bash, which is nice.
Anyway, that's what I've discovered so far.
|
|
1 members found this post helpful.
|
10-27-2014, 11:39 AM
|
#39
|
Senior Member
Registered: Dec 2013
Distribution: Slackware
Posts: 1,982
|
Yeah, I've also noticed that installpkg and upgradepkg aren't safe to switch to ksh, like you said they work sometimes but not other times.
|
|
|
10-28-2014, 01:38 AM
|
#40
|
Slackware Contributor
Registered: Apr 2008
Distribution: Slackware
Posts: 1,595
|
Quote:
Originally Posted by metaschima
Yeah, I've also noticed that installpkg and upgradepkg aren't safe to switch to ksh, like you said they work sometimes but not other times.
|
Why would you want to switch the package tools to use Ksh? I don't see the reason for this. What attack vector is there?
|
|
|
10-28-2014, 05:27 AM
|
#41
|
LQ Veteran
Registered: May 2008
Posts: 7,010
|
Quote:
Originally Posted by drmozes
Why would you want to switch the package tools to use Ksh? I don't see the reason for this.
|
There's no reason at-all to use ksh for pkgtools, you're kind of missing the point. I was just using ksh because it was installed. The goal of my experiment was to identify issues that occur when I change /bin/sh to any shell other than bash, and the pkgtools just happen to specify #!/bin/sh and so were impacted. I started with ash first, and then moved onto ksh because it was already installed. Next on my list is mksh.
Ideally I'd like to be able to have the system be agnostic with regard to what provides /bin/sh, but I accept that this may be too problematic given the amount of scripts out there that just assume bash. Dismiss it as scratching an itch if you want, but I don't see what's so wrong with having a go and seeing what happens!
I was surprised by this particular issue with installpkg given that I believe the pkgtools are designed to be usable with 'ash' and as such I wasn't expecting any problems. Given the intermittent nature of the problem, I suspect its some sort of race condition/bug in ksh rather than any problem with the installpkg script itself, which seems to be in keeping with POSIX and seems to work fine with any other shell, including mksh (which I tested briefly).
Last edited by GazL; 10-28-2014 at 05:42 AM.
|
|
|
10-28-2014, 05:48 AM
|
#42
|
LQ Addict
Registered: Nov 2008
Location: Paris, France
Distribution: Slint64-15.0
Posts: 11,167
Rep:
|
...And those of us who use KornShell rather than BASH can change the shebang of the scripts in concern, one way or another.
I didn't try but other than just editing each involved script, that could be replacing the symlink /bin/sh with a script that chooses a different shell in the few cases it's needed.
PS I should have tried... "Bad interpreter", of course.
I know that I should think before I type, and check before I post, but sometimes I forget. Sorry for the noise.
Last edited by Didier Spaier; 10-28-2014 at 06:05 AM.
Reason: PS added.
|
|
|
10-29-2014, 06:38 AM
|
#43
|
Senior Member
Registered: Oct 2003
Location: Northeastern Michigan, where Carhartt is a Designer Label
Distribution: Slackware 32- & 64-bit Stable
Posts: 3,541
|
I'm getting to where I've got some time to fiddle around and see what I can break.
I'm going to do a clean install (Slackware 64-bit, 14.1) then change the /bin/sh symbolic link from bash to ksh. Then I'm going to install all the patches and see what happens (if anything).
As I understand it, BASH or KornShell when executed as sh are supposed to magically become only Bourne Shell (with no "extras") and it might be interesting to see if that's actually completely true. The #!/bin/sh should execute any of the Bourne compatible shells as sh (just as #!/bin/ksh or #!/bin/bash should execute as either of those).
If stuff works, I'll start adding data bases and a couple of applications (like, oh, say, OpenOffice) and see what happens (shouldn't be anything happening in those cases, they're not shell programs).
I kind of suspect that linking /bin/ksh to /bin/sh won't do much of anything and I won't be changing anything that explicitly has the BASH shebang embedded (that would be an actual BASH shell program and I'll just leave that alone for the moment). I have done a little bit of fiddling around with BASH programs, running them as KornShell, and mostly they just work (the grammar and syntax are pretty much the same for most stuff but not for the exotic BASHisms).
This might just be an interesting exercise in futility, eh?
|
|
|
10-29-2014, 07:02 AM
|
#44
|
LQ Veteran
Registered: May 2008
Posts: 7,010
|
Quote:
Originally Posted by tronayne
As I understand it, BASH or KornShell when executed as sh are supposed to magically become only Bourne Shell (with no "extras") and it might be interesting to see if that's actually completely true.
|
It's not. While running bash as 'sh' (or with --posix or POSIXLY_CORRECT=y ) does change some of its behaviours to be more in keeping with the POSIX standard, it doesn't disable any of its extensions. A shell can be POSIX compliant while still providing extensions, but a shell-script isn't POSIX compliant if it uses any of them.
|
|
1 members found this post helpful.
|
10-29-2014, 10:28 AM
|
#45
|
Senior Member
Registered: Oct 2003
Location: Northeastern Michigan, where Carhartt is a Designer Label
Distribution: Slackware 32- & 64-bit Stable
Posts: 3,541
|
Quote:
Originally Posted by GazL
It's not. While running bash as 'sh' (or with --posix or POSIXLY_CORRECT=y ) does change some of its behaviours to be more in keeping with the POSIX standard, it doesn't disable any of its extensions. A shell can be POSIX compliant while still providing extensions, but a shell-script isn't POSIX compliant if it uses any of them.
|
Well, alrighty then, that puts the kibosh on that. Bah, humbug.
Looks to me like my choice is to stick with KornShell for all shell programming (which is what I do anyway) and hope that system BASH shell programs don't carry ebola along with 'em.
Hobson's choice.
|
|
|
All times are GMT -5. The time now is 09:49 AM.
|
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
|
Latest Threads
LQ News
|
|