Once upon a time, Daniel Jackson <fdj@mindspring.com> said:
> On 09/24/2014 07:22 PM, Jim Popovitch wrote:
> > That won't automatically invoke bash on Debian/Ubuntu....unless someone intentionally changed default shells....
>
> People seem not to know that Debian and derivatives use a variant Almquist shell rather than bash for system accounts.

It doesn't have much to do with default shells or system account settings; it has everything to do with what is /bin/sh. I think /bin/sh has been dash (derived from NetBSD's Almquist shell) on Debian-derived systems for a while now. Other major Linux distributions, e.g. RHEL/Fedora family and IIRC SuSE, use bash as /bin/sh though, so should be patched ASAP (especially if they are web servers).

Has anybody looked to see if the popular web software the users install and don't maintain (e.g. WordPress, phpBB, Joomla, Drupal) use system() or the like to call out to external programs? What about service provider type stuff like RT? I know Nagios calls out to shell scripts for notifications and such, and passes some things in environment variables (don't know if it can be tricked in this fashion though).

--
Chris Adams <cma@cmadams.net>
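
Added example, not part of the original thread: a POSIX shell triage sketch for the two questions the message raises, namely which shell actually backs /bin/sh, and where installed PHP code calls out to a shell. The function names `classify_sh` and `find_shellouts` and the list of PHP functions searched for are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Helper names are hypothetical.

# classify_sh [SH_PATH] [BASH_PATH]
# Prints bash, dash, other or missing for the file behind SH_PATH.
classify_sh() {
    sh_path=${1:-/bin/sh}
    bash_path=${2:-/bin/bash}
    [ -e "$sh_path" ] || { echo missing; return 0; }
    # -ef compares device and inode, so it catches both a symlink
    # and a hard link to the bash binary.
    if [ -e "$bash_path" ] && [ "$sh_path" -ef "$bash_path" ]; then
        echo bash; return 0
    fi
    # Otherwise follow the symlink chain and classify by the final name.
    # A renamed plain copy of bash is not detected and reports "other".
    target=$(readlink -f "$sh_path" 2>/dev/null) || target=$sh_path
    case ${target##*/} in
        bash*) echo bash ;;
        dash*) echo dash ;;
        *)     echo other ;;
    esac
}

# find_shellouts DIR
# Lists file:line:text for PHP calls that run an external program via the
# system shell. The leading character class skips method calls (->exec),
# variables ($exec) and longer names such as curl_exec.
find_shellouts() {
    find "$1" -type f -name '*.php' -exec grep -nE \
        '(^|[^A-Za-z0-9_>$])(system|exec|passthru|shell_exec|popen|proc_open)[[:space:]]*\(' \
        /dev/null {} +
}

echo "/bin/sh is backed by: $(classify_sh)"
```

Hits from `find_shellouts` are review candidates only: PHP backtick execution and calls built from variable function names are not matched, and a match says nothing about which environment variables reach the child process.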