Mailinglist Archive: opensuse-bugs (5243 mails)

< Previous Next >
[Bug 806628] Bash doesn't execute a script w/o the #! line as user's shell but as /bin/sh

--- Comment #15 from L. A. Walsh <suse@xxxxxxxxx> 2013-03-18 15:20:02 PDT ---
(In reply to comment #14)
Security team has have reviewed the rbash vector and
consider it not relevant. rbash is not really a security protection
anyway (think perl -e 'system("./a.out");')
Also werner has submitted a bash
that disables the patch for openSUSE Factory.

Certainly if you wanted rbash to provide any security, anything that allows
arbitrary command execution causes a problem.

As I find it difficult to imagine anyone using rbash as a security mechanism, I
will not disagree with it being it being inadequate -- to the point that I
asked why it shouldn't be removed on the bash list.

One issue mentioned was "rbash is an optional feature. You can easily
remove it by configuring bash with --disable-restricted". If suse doesn't
it is useful, they don't have to supply it. It's not required by POSIX (nor by
me for that matter).

Others followed up with the idea that maybe the wording emphasizing it's low
security usefulness should be added to the manpage... no commitments (or
comments) after that point....

Configure bugmail:
------- You are receiving this mail because: -------
You are on the CC list for the bug.

< Previous Next >