Package: dash
Version: 0.5.7-3+nmu1
Severity: important
Tags: security patch

I have been reading
http://blog.cmpxchg8b.com/2013/08/security-debianisms.html
and discovered that dash doesn't drop its privileges when run in a
setuid context. This is a security measure that upstream's bash does
implement, however. Turning off the dropping of the privileges must be
explicitly required with the -p command line option.

It would be nice if dash could be enhanced to behave in the same way
and thus avoid some security problems with the usage of popen/system
in setuid programs.

Tavis Ormandy even submitted a patch upstream:
http://thread.gmane.org/gmane.comp.shells.dash/841/

The initial reactions were rather positive but it looks like
the feature never got merged.

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.12-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages dash depends on:
ii  debianutils  4.4
ii  dpkg         1.17.6~20131221210620.235
ii  libc6        2.17-97

dash recommends no packages.

dash suggests no packages.

-- debconf information:
* dash/sh: true
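The startup check requested in the report above, sketched as an added example. This is not dash's or bash's source and not the patch referenced in the report; the helper names (must_drop_privileges, drop_privileges, shell_startup_check) are hypothetical, and only the -p behaviour is taken from the report.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: 1 when the effective ids differ from the real ids
 * (a setuid/setgid context) and -p was not given, 0 otherwise. */
int must_drop_privileges(uid_t uid, uid_t euid, gid_t gid, gid_t egid, int pflag)
{
    if (pflag)
        return 0;               /* caller explicitly asked to keep them */
    return uid != euid || gid != egid;
}

/* Hypothetical helper: reset the effective ids to the real ids; 0 on success.
 * setuid() from a non-root effective uid keeps the saved set-user-ID;
 * setresuid(), where available, clears that as well. */
int drop_privileges(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();

    /* Group first: once the uid is dropped, changing the gid may be denied. */
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* Do not rely on the return values alone; verify the resulting ids. */
    if (geteuid() != uid || getegid() != gid)
        return -1;
    return 0;
}

/* The check a shell would run at startup, before reading any command. */
int shell_startup_check(int pflag)
{
    if (!must_drop_privileges(getuid(), geteuid(), getgid(), getegid(), pflag))
        return 0;
    return drop_privileges();
}

int main(int argc, char **argv)
{
    int pflag = argc > 1 && strcmp(argv[1], "-p") == 0;
    if (shell_startup_check(pflag) != 0) {
        fprintf(stderr, "cannot drop privileges, refusing to continue\n");
        return 1;
    }
    printf("uid=%d euid=%d\n", (int)getuid(), (int)geteuid());
    return 0;
}
```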