[PATCH] treewide: more portable bash shebangs

Janne Johansson icepic.dz at gmail.com
Tue Jul 16 22:07:43 CEST 2019


On Tue, 16 Jul 2019 at 19:34, Jordan Glover <Golden_Miller83 at protonmail.ch> wrote:

> > While /usr/bin/env is more or less available on all POSIX systems,
> > /bin/bash might not be. This is particularly the case on NixOS and the BSD
> > family (/usr/local/bin/bash). Downstream packagers would often rewrite
> > those shebangs back automatically as they can rely on absolute paths,
> > but having portable shebangs in the repository helps to run the code
> > without any further modification.
> >
>
> The reason almost everyone hardcodes bash to /bin/bash is the potential
> environment attack where someone creates a malicious "bash" and exports it in
> PATH:
>
>
> https://developer.apple.com/library/archive/documentation/OpenSource/Conceptual/ShellScripting/ShellScriptSecurity/ShellScriptSecurity.html


Well, if they rewrite your env and PATH you can't trust anything you do on
that box ever. If wg is started with a malicious environment where IFS is
set to "/" so that "/bin/bash" (or any absolute-path-named-program) turns
into " bin bash", then an evil PATH pointing to that "bin" would still start
a bad script for you.

https://books.google.se/books?id=-aIKj0lbADIC&pg=PT182&lpg=PT182&dq=set+IFS+to+slash&source=bl&ots=cNQdBQUJEv&sig=ACfU3U0apkUJWhJRjnJMgKlRBFBPD5nZ6g&hl=en&sa=X&ved=2ahUKEwiP0Ka8nrrjAhVOwsQBHZOtC08Q6AEwBHoECAgQAQ#v=onepage&q=set%20IFS%20to%20slash&f=false


-- 
May the most significant bit of your life be positive.
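As an added example (not code from this thread, from WireGuard, or from the Apple guide linked above), the following POSIX sh prologue shows the mitigation that guide describes: a script discards the inherited IFS and PATH before relying on either, and only accepts a command that resolves under a fixed set of directories. The function names, the trusted directory list and the "hostile IFS" value used in the demonstration are assumptions chosen for this example.

```shell
#!/bin/sh
# Added example, not from the thread or from WireGuard: reset the
# environment a script inherits before trusting word splitting or
# command lookup. Function names and trusted prefixes are assumptions.

# Restore the shell's default environment for the rest of the script.
harden_env() {
    # With IFS unset, POSIX shells split on <space><tab><newline>, so this
    # undoes an exported IFS='/' without having to spell out tab and
    # newline literally (which is error-prone in plain sh).
    unset IFS
    # Replace the inherited search path with a fixed, trusted one.
    PATH='/usr/bin:/bin'
    export PATH
    # Drop startup-file hooks that child shells would honour.
    unset ENV BASH_ENV CDPATH
}

# Print how many fields the current IFS splits $1 into. This is what an
# unquoted expansion such as $cmd sees, which is why a hostile IFS matters.
count_fields() {
    # shellcheck disable=SC2086  # unquoted on purpose: splitting is the point
    set -- $1
    echo "$#"
}

# Resolve a command name and accept it only if it lives under one of the
# trusted prefixes (assumed list). Prints the path, or returns 1.
resolve_trusted() {
    p=$(command -v "$1") || return 1
    case "$p" in
        /usr/bin/*|/bin/*) echo "$p" ;;
        *) return 1 ;;
    esac
}

# Demonstration: a constructed hostile IFS, then the reset.
demo() {
    IFS='/'
    echo "hostile IFS: '/bin/bash' splits into $(count_fields '/bin/bash') fields"
    harden_env
    echo "after reset: '/bin/bash' splits into $(count_fields '/bin/bash') fields"
    echo "sh resolves to: $(resolve_trusted sh)"
}

demo
```

The reset has to be the first thing the script does, before any unquoted expansion or any command is looked up; it does not help against the case the message above makes, where the caller controls the whole environment of the process that launches the script.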