Re: CVE-2014-6271: remote code execution through bash

[Tim <tim-security () sentinelchicken org>]

>  >> I see no good workaround. Starting the forced command with
>  >> "unset >SSH_ORIGINAL_COMMAND &&" does not help - we'd need
>  >> to unset the variable before starting bash, not from bash.
>
>  > Won't installing dash and setting the shell of users who have
>  > forced commands to dash mitigate this somehow?
>
> Possibly, that will require making /bin/sh symlink to point at
> dash (or zsh, or whatever) as well...

Right, and it makes sense to do this.  Bash doesn't belong as /bin/sh
to begin with.  It's slow to load, uses 5 times as much memory as dash
and doesn't exactly encourage you to write posix-compliant shell
scripts.  Bash's redeeming qualities lie in it's UI, not in it's
non-interactive scripting.

tim