[PATCH] treewide: more portable bash shebangs

Janne Johansson icepic.dz at gmail.com
Tue Jul 16 22:07:43 CEST 2019

On Tue, 16 July 2019 at 19:34, Jordan Glover <
Golden_Miller83 at protonmail.ch> wrote:

> > While /usr/bin/env is more or less available on all POSIX systems
> > /bin/bash might not be. This is particularly the case on NixOS and the BSD
> > family (/usr/local/bin/bash). Downstream packagers would often rewrite
> > those shebangs back automatically as they can rely on absolute paths
> > but having portable shebangs in the repository helps to run the code
> > without any further modification.
> >
> The reason almost everyone hardcodes bash to /bin/bash is the potential
> environment attack where someone creates a malicious "bash" and exports it in
> https://developer.apple.com/library/archive/documentation/OpenSource/Conceptual/ShellScripting/ShellScriptSecurity/ShellScriptSecurity.html

Well, if they rewrite your env and PATH you can't trust anything you do on
that box ever. If wg is started with a malicious environment where IFS is
set to "/" so that "/bin/bash" (or any absolute-path-named-program) turns
into " bin bash" then an evil PATH pointing to that "bin" would still start
a bad script for


May the most significant bit of your life be positive.
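
The PATH concern discussed in this thread can be checked before a script with an env-based shebang is trusted. The following is an added example, not part of the original messages or of the WireGuard tree; `audit_env_lookup` is a hypothetical helper name. It walks a PATH value in search order and reports the file that `#!/usr/bin/env bash` would run, together with any empty, relative or world-writable entry searched before it.

```shell
#!/bin/sh
# Constructed example: report what "#!/usr/bin/env NAME" would execute for a given PATH.
# audit_env_lookup is a hypothetical helper name, not part of any project.
# Output lines: "RISK <reason> [dir]" for each risky entry searched up to the match,
# then "HIT <path>" (returns 0) or "MISS <name>" (returns 1).
audit_env_lookup() {
    name=$1
    path_value=${2-$PATH}
    rest=$path_value:              # trailing ":" so the loop also sees the last field
    while [ -n "$rest" ]; do
        dir=${rest%%:*}            # next PATH field (may be empty)
        rest=${rest#*:}
        case $dir in
            '') echo "RISK cwd-entry (empty)"; dir=. ;;   # empty field means current directory
            /*) ;;
            *)  echo "RISK relative-entry $dir" ;;
        esac
        if [ -d "$dir" ]; then
            # 9th character of the mode string is the "other" write bit; -L follows symlinks
            other_w=$(ls -ldL -- "$dir" | cut -c9)
            if [ "$other_w" = w ]; then
                echo "RISK world-writable $dir"
            fi
        fi
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            echo "HIT $dir/$name"
            return 0
        fi
    done
    echo "MISS $name"
    return 1
}

# Audit the interpreter lookup for the current environment.
audit_env_lookup bash || true
```

A clean result is a single `HIT` line pointing at the expected interpreter; any `RISK` line printed before it names a directory that is searched ahead of the real interpreter.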