Discussion:
Bug#620898: Moving bash from essential/required to important
Add Reply
Troy Benjegerdes
2014-09-28 02:30:02 UTC
Reply
Permalink
So can we have a prerm script for bash that sets the root
shell back to /bin/sh, or at least asks the admin if they want
zsh or tcsh, and warns about any other users?

Any of this stuff of trying to have login figure out the
right shell seems like a new remote exploit in the making.
--
----------------------------------------------------------------------------
Troy Benjegerdes 'da hozer' ***@hozed.org
7 elements earth::water::air::fire::mind::spirit::soul grid.coop

Never pick a fight with someone who buys ink by the barrel,
nor try buy a hacker who makes money by the megahash
--
To UNSUBSCRIBE, email to debian-bugs-dist-***@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact ***@lists.debian.org
Balint Reczey
2017-01-21 20:00:01 UTC
Reply
Permalink
Control: tags -1 confirmed

Hi,
Post by Troy Benjegerdes
So can we have a prerm script for bash that sets the root
shell back to /bin/sh, or at least asks the admin if they want
zsh or tcsh, and warns about any other users?
Any of this stuff of trying to have login figure out the
right shell seems like a new remote exploit in the making.
It is too late for making changes related to this bug in Stretch. :-(
In the next cycle we will evaluate switching to login implementatiln in
util-linux per #833256. This bug may be solved by the switch or later in
util-linux.

Cheers,
Balint
Dmitry Bogatov
2019-03-10 19:20:02 UTC
Reply
Permalink
Post by Balint Reczey
Control: tags -1 confirmed
Hi,
Post by Troy Benjegerdes
So can we have a prerm script for bash that sets the root
shell back to /bin/sh, or at least asks the admin if they want
zsh or tcsh, and warns about any other users?
Any of this stuff of trying to have login figure out the
right shell seems like a new remote exploit in the making.
It is too late for making changes related to this bug in Stretch. :-(
In the next cycle we will evaluate switching to login implementatiln in
util-linux per #833256. This bug may be solved by the switch or later in
util-linux.
Hi! What is the current state of bug? There was fine (IMO) proposal,

So can we have a prerm script for bash that sets the root
shell back to /bin/sh, or at least asks the admin if they want
zsh or tcsh, and warns about any other users?

but as bash=5.0-2 it did not make its way. What is missing? Should I
submit patch, implementing this proposal?
--
Note, that I send and fetch email in batch, once every 24 hours.
If matter is urgent, try https://t.me/kaction
--
Bálint Réczey
2019-03-12 16:50:02 UTC
Reply
Permalink
Hi Dmitry,
Post by Dmitry Bogatov
Post by Balint Reczey
Control: tags -1 confirmed
Hi,
Post by Troy Benjegerdes
So can we have a prerm script for bash that sets the root
shell back to /bin/sh, or at least asks the admin if they want
zsh or tcsh, and warns about any other users?
Any of this stuff of trying to have login figure out the
right shell seems like a new remote exploit in the making.
It is too late for making changes related to this bug in Stretch. :-(
In the next cycle we will evaluate switching to login implementatiln in
util-linux per #833256. This bug may be solved by the switch or later in
util-linux.
Hi! What is the current state of bug? There was fine (IMO) proposal,
Only su moved to util-linux due to lack of time. :-(
Post by Dmitry Bogatov
So can we have a prerm script for bash that sets the root
shell back to /bin/sh, or at least asks the admin if they want
zsh or tcsh, and warns about any other users?
but as bash=5.0-2 it did not make its way. What is missing? Should I
submit patch, implementing this proposal?
I think submitting the patch against bash makes sense, but the timing
is unfortunate again, since the full freeze is about to start.
It bash gets patched after the release we can make it happen for Buster+1.

Cheers,
Balint
Chris Hofstaedtler
2024-06-23 09:00:01 UTC
Reply
Permalink
Control: tags -1 + moreinfo

Hi Dmitry et al,
Post by Bálint Réczey
Post by Dmitry Bogatov
Post by Balint Reczey
Post by Troy Benjegerdes
So can we have a prerm script for bash that sets the root
shell back to /bin/sh, or at least asks the admin if they want
zsh or tcsh, and warns about any other users?
Any of this stuff of trying to have login figure out the
right shell seems like a new remote exploit in the making.
It is too late for making changes related to this bug in Stretch. :-(
In the next cycle we will evaluate switching to login implementatiln in
util-linux per #833256. This bug may be solved by the switch or later in
util-linux.
Hi! What is the current state of bug? There was fine (IMO) proposal,
Only su moved to util-linux due to lack of time. :-(
Post by Dmitry Bogatov
So can we have a prerm script for bash that sets the root
shell back to /bin/sh, or at least asks the admin if they want
zsh or tcsh, and warns about any other users?
but as bash=5.0-2 it did not make its way. What is missing? Should I
submit patch, implementing this proposal?
I think submitting the patch against bash makes sense, but the timing
is unfortunate again, since the full freeze is about to start.
is there an open bug against bash for this?
Post by Bálint Réczey
It bash gets patched after the release we can make it happen for Buster+1.
Is there anything to be done in src:shadow for this at all?

I understand it was agreed to not patch shadow with a fallback for
an absent shell. Then, all that is to be done lies with bash?

Thanks,
Chris

Loading...