On Sep 26, 2014, at 3:59 PM, Vincent Lefevre <vincent-...@vinc17.net> wrote:
> On 2014-09-24 19:28:51 +0300, Stefan Sperling wrote:
>> From what I understand after reading about the problem briefly:
>>
>> In an svn+ssh setup svn clients run 'svnserve -t' by default.
>> But there is no reason this could not be changed to '/bin/bash' by
>> an attacker.
>>
>> Note that forcing a command in the authorized_keys file will *not*
>> work around the problem: http://seclists.org/oss-sec/2014/q3/651
>
> How can this be possible? Do you mean that OpenSSH starts the command
> with bash instead of some exec* function or /bin/sh (which is dash on
> my machines)?

If the child process is started using exec(), as you point out, then there shouldn't be a problem. If the process is started using system(), then there might be a problem if /bin/sh is actually a symlink to bash.

On Mac OS X, 10.9.5:

$ /bin/sh --version
GNU bash, version 3.2.51(1)-release (x86_64-apple-darwin13)
Copyright (C) 2007 Free Software Foundation, Inc.
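
A host check for the condition discussed in the message above, as an added example that is not part of the original message: it reports what `/bin/sh` resolves to and whether that interpreter is bash, which is what a system()-style `/bin/sh -c` call would run. The function names are hypothetical, and the check assumes bash sets `BASH_VERSION` even when it is started under the name `sh`.

```shell
#!/bin/sh
# Added example (not from the original message): report which shell a
# system()-style "/bin/sh -c" invocation would actually run on this host.

# resolve_link PATH: follow symlinks one hop at a time and print the final
# target. Done by hand because "readlink -f" is missing on older Mac OS X.
resolve_link() {
    target=$1
    hops=0
    while [ -L "$target" ] && [ "$hops" -lt 16 ]; do
        next=$(readlink "$target") || break
        case $next in
            /*) target=$next ;;                        # absolute link target
            *)  target=$(dirname "$target")/$next ;;   # relative to the link's directory
        esac
        hops=$((hops + 1))
    done
    printf '%s\n' "$target"
}

# classify_sh PATH: print "bash", "other" or "missing".
# Assumption: bash sets BASH_VERSION even when started under the name "sh",
# so the file name on disk does not decide the answer.
classify_sh() {
    sh_path=$1
    [ -x "$sh_path" ] || { echo missing; return 0; }
    version=$("$sh_path" -c 'printf %s "${BASH_VERSION:-}"' 2>/dev/null </dev/null) || version=
    if [ -n "$version" ]; then echo bash; else echo other; fi
}

# report PATH: one-line summary suitable for an audit log.
report() {
    printf '%s -> %s (%s)\n' "$1" "$(resolve_link "$1")" "$(classify_sh "$1")"
}

report /bin/sh
```
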