On Sep 26, 2014, at 3:59 PM, Vincent Lefevre <vincent-svn_at_vinc17.net> wrote:
> On 2014-09-24 19:28:51 +0300, Stefan Sperling wrote:
>> From what I understand after reading about the problem briefly:
>>
>> In an svn+ssh setup svn clients run 'svnserve -t' by default.
>> But there is no reason this could not be changed to '/bin/bash' by
>> an attacker.
>>
>> Note that forcing a command in the authorized_keys file will *not*
>> work around the problem: http://seclists.org/oss-sec/2014/q3/651
>
> How can this be possible? Do you mean that OpenSSH starts the command
> with bash instead of some exec* function or /bin/sh (which is dash on
> my machines)?

If the child process is started using exec(), as you point out, then there
shouldn't be a problem. If the process is started using system(), then
there might be a problem if /bin/sh is actually a symlink to bash.

On Mac OS X, 10.9.5:

$ /bin/sh --version
GNU bash, version 3.2.51(1)-release (x86_64-apple-darwin13)
Copyright (C) 2007 Free Software Foundation, Inc.

Received on 2014-09-27 01:09:09 CEST
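
Added example (not part of the original message, and not OpenSSH or Subversion code): a small C check of the exec() versus system() distinction made in the reply above. It assumes a POSIX system with /bin/echo present; the helper names run_exec and system_shell_is_bash and the probe string are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Run argv[0] directly with execv() (no shell is involved) and copy the
 * first line of its stdout into out. Returns 0 on success, -1 on error. */
static int run_exec(char *const argv[], char *out, size_t n)
{
    int fds[2], st;
    if (pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {                      /* child: stdout -> pipe, then exec */
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]); close(fds[1]);
        execv(argv[0], argv);
        _exit(127);                      /* only reached if execv failed */
    }
    close(fds[1]);
    ssize_t len = read(fds[0], out, n - 1);
    close(fds[0]);
    out[len > 0 ? len : 0] = '\0';
    out[strcspn(out, "\n")] = '\0';
    if (waitpid(pid, &st, 0) < 0) return -1;
    return (len >= 0 && WIFEXITED(st) && WEXITSTATUS(st) == 0) ? 0 : -1;
}

/* popen(), like system(), passes its string to "/bin/sh -c".
 * Returns 1 if that shell is bash, 0 if it is not, -1 on error. */
static int system_shell_is_bash(char *ver, size_t n)
{
    FILE *f = popen("printf '%s\\n' \"${BASH_VERSION-}\"", "r");
    if (!f) return -1;
    ver[0] = '\0';
    if (fgets(ver, (int)n, f)) ver[strcspn(ver, "\n")] = '\0';
    if (pclose(f) != 0) return -1;
    return ver[0] != '\0';               /* only bash sets BASH_VERSION */
}

int main(void)
{
    char buf[128];
    char *argv[] = { "/bin/echo", "${BASH_VERSION-}", NULL }; /* constructed probe */
    if (run_exec(argv, buf, sizeof buf) == 0)
        printf("execv:  %s (printed literally, no shell ran)\n", buf);
    int r = system_shell_is_bash(buf, sizeof buf);
    printf("system: /bin/sh %s %s\n", r == 1 ? "is bash" : r == 0 ? "is not bash" : "query failed", buf);
    return 0;
}
```

On a host where /bin/sh is dash the second line reports that the shell is not bash; on a host like the Mac OS X 10.9.5 machine quoted above it reports bash and its version string.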