Hi all, first post here. I would like to know what would break, in ISPConfig 3, if I changed the default shell (the /bin/sh symlink) from bash to something else (e.g. back to dash)? Also, if not dash, which alternative shell would break the least functionality? EDIT: Sorry, I should have explained I'm running Debian wheezy/nginx/php-fpm/dovecot etc.
How did you guess ;-) As long as all my basic services (Nginx, MySQL, email etc) keep working as they are I can live without the rest for now, at least for the short term, until a better solution arrives. I'm happy using ssh for most things. I have set up backup2l for backups and cronapt to keep me notified of updates so I can live without ISPConfig for now. I just wanted to know if anything unexpected might break.
ISPConfig should work with another shell as well. The reason that we switch from dash to bash in the setup is that some compile scripts during install (e.g. jailkit) might fail when you use dash. So after you installed ISPConfig, you should be able to switch to dash. But there are bash updates for wheezy available, so switching the shell should not be necessary. At least you can be sure now that the bash code gets inspected in detail, so it should be really safe when this is over.
Let's hope you're right but in the meantime I'm going to be pessimistic: http://arstechnica.com/security/201...ties-in-bash-shellshock-becomes-whack-a-mole/ Thank you for your advice though
How do you know another shell is safer just because no exploit is exposed publicly? Multiple security measures are the most important.
Who knows whether any piece of software has security holes? We currently know that bash DOES have issues so I'm implementing an additional security measure by not using it as the default system shell.
I have a query about Linux shell usage. Now, I have switched my shell to dash. If a hacker runs a script beginning with this line: #!/bin/bash Can he still hurt my system with the recent bug?
Yes, this will still work. Therefore the switch to dash will most likely not change that much security-wise.
Why not? If dash* is invoked by some web facing service then it won't interpret the env variable in the first place so it'll never open a bash shell (by the time you've got protocol headers opening shells you're already f***ed anyway). * I'm assuming that dash isn't vulnerable in the same way bash is. EDIT: I'd also like to make clear that for any service/application that invokes bash directly, changing the default shell won't help. However there are loads of services/apps that invoke /bin/sh, which in some cases is symlinked to bash.
Worth mentioning: the latest Debian updates to Wheezy (and probably many other versions/distros) pass all the current shellshock vulnerability tests.
There are more vulnerabilities than just Apache/http, the most important thing is to make sure Bash is patched. If you are using one of the major distros (such as Debian/Ubuntu) make sure it's fully up-to-date (i.e. apt-get update; apt-get upgrade). Once you've done that visit the link above and test to see if you're still vulnerable.
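The two practical questions in this thread are what /bin/sh actually resolves to on the box (the point made above about services that invoke /bin/sh rather than bash directly) and whether each interpreter still imports function definitions from the environment (the "are you still vulnerable" check). The script below is an added example, not code from the thread or from ISPConfig, and it assumes a Debian-style layout where /bin/sh is a symlink and readlink, env and bash are available. It uses only the harmless canary form of the Shellshock test: the exported variable runs `echo` and nothing else, so a patched shell prints only "ok".

```shell
#!/bin/sh
# Added example: inspect the default shell and run the canary Shellshock check.
# Assumes a Debian-style system (/bin/sh is a symlink, readlink -f available).

# Print the real path behind /bin/sh (e.g. /bin/dash or /bin/bash).
default_shell_target() {
    readlink -f /bin/sh
}

# Return 0 (true) if INTERP is still vulnerable, 1 if it is patched or absent.
# A vulnerable bash parses the exported variable as a function definition and
# executes the trailing "echo VULNERABLE"; a patched bash (or dash) ignores it.
shellshock_vulnerable() {
    interp="$1"
    command -v "$interp" >/dev/null 2>&1 || return 1
    out=$(env probe='() { :;}; echo VULNERABLE' "$interp" -c 'echo ok' 2>/dev/null)
    case "$out" in
        *VULNERABLE*) return 0 ;;
        *)            return 1 ;;
    esac
}

# Human-readable summary for the interpreters that matter on a web host:
# /bin/sh (what system() and most init scripts use) and bash itself
# (what a #!/bin/bash script uses regardless of the /bin/sh symlink).
report() {
    echo "/bin/sh -> $(default_shell_target)"
    for interp in /bin/sh bash; do
        if shellshock_vulnerable "$interp"; then
            echo "$interp: VULNERABLE - update the bash package"
        else
            echo "$interp: not vulnerable to the function-import bug"
        fi
    done
}

# Run the summary when executed directly (harmless when sourced by a test).
case "$0" in
    *shellshock_check*) report ;;
esac
```

If /bin/sh resolves to dash the first check passes even on an unpatched box, which is exactly the limited protection discussed above: anything that calls bash by name, including every #!/bin/bash script, still gets the unpatched interpreter, so the bash line of the report is the one that decides whether you are done.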