Not damage control, but reporting the exact facts. 99.99% of MacOS X users have nothing to fear, because they are not running web servers on their Macs. And if you are running web servers, you don't wait for Apple press releases.

----------



"Vulnerable" if you are running web servers on your computer that allow random people on the internet to access your computer. Are you?

What about simply enabling Remote Login through system Preferences? "Remote Login lets users of other computers access this computer using SSH and SFTP."


Edit: OK, you addressed that more or less in a previous post. Thanks.
 
This is supposedly fixable on OS X if you've got MacPorts or Homebrew.

FWIW Installing Bash via Homebrew will leave the system-supplied version of Bash intact (and still potentially exploitable).

Apple needs to supply a patch, ASAP. Waiting for so long to patch critical security issues is ridiculous.
 
FWIW Installing Bash via Homebrew will leave the system-supplied version of Bash intact (and still potentially exploitable).

Apple needs to supply a patch, ASAP. Waiting for so long to patch critical security issues is ridiculous.

The commands following the brew upgrades replace the system-supplied Bash with the new one as the default shell. However, someone in the comments on that site said it's safer to just delete the system Bash and replace it with the Homebrew one because the system-supplied Bash could still be used somehow. It's not an issue with MacPorts.
 
Snow Leopard was my favorite. Probably the most serious OS Apple has made. A thought has been spared for you.

Snow Leopard was a POS. It had memory management issues that were never resolved. Leopard was better in this respect.
 
Fresh install of SunOS 5.11 on an x2200M2 @ $HOME .

Code:
/root # uname -a
SunOS x2200m2 5.11 11.2 i86pc i386 i86pc
/root 402 # cat /etc/release
Oracle Solaris 11.2 X86
Copyright (c) 1983, 2014, Oracle and/or its affiliates. All rights reserved.
Assembled 23 June 2014
/root 403 #

Let me give you some history because this point seems lost on a lot of people here:

Back in the early 1990's, Sun had an operating system named SunOS. It was based on BSD. The final release of this family of the OS was in 1994, version number 4.1.4.

Then marketing got involved. Sun changed their OS to one based on SYSV, and decided to start calling it Solaris. Internally, the OS was still called SunOS, but Sun didn't call it that anymore. It was all Solaris, all the time. It has been that way since.

Now, take a look at the list the author I replied to posted:

Linux, Solaris, OS X, Next, Ultrix, SunOS, OSF/1, AIX, HP/UX, NetBSD, FreeBSD, and Irix

Notice how it lists both SunOS and Solaris. This list was probably taken from the Bash documentation and it's so old that it lists both SunOS and Solaris. This dates it to the early 1990's when this transition took place. Further proof is that it lists Ultrix. Who the hell has used frigging Ultrix since the 1990s? It wasn't even popular then.

So, when I say that SunOS has not been updated in about 20 years, I am referring to the SunOS in that list, 4.1.4, and it has not been updated in 20 years.

The original author I replied to thought he'd be all dramatic and list all possible operating systems that this bash bug might apply to. Unfortunately for him, he also listed a bunch of defunct operating systems that haven't been popular in over a decade and so looked foolish in the process.

How many of those operating systems even came with bash as the standard system shell? Not many of them I can tell you. Ksh is much more common on non-Linux systems. Sure, you can build bash on pretty much anything, but does that mean that all installs of that operating system are going to be vulnerable to this bug? No, it doesn't.

Let's try to use our brains out there, okay kids?
 
[snip]

The original author I replied to thought he'd be all dramatic and list all possible operating systems that this bash bug might apply to. Unfortunately for him, he also listed a bunch of defunct operating systems that haven't been popular in over a decade and so looked foolish in the process.

How many of those operating systems even came with bash as the standard system shell? Not many of them I can tell you. Ksh is much more common on non-Linux systems. Sure, you can build bash on pretty much anything, but does that mean that all installs of that operating system are going to be vulnerable to this bug? No, it doesn't.

Let's try to use our brains out there, okay kids?

Yup. Bash isn't even installed in NetBSD, FreeBSD, or OpenBSD by default. You'd have to go out of your way to download it, and even then none of the default system scripts would use it.
 
Just FYI, this doesn't affect web servers only, you can also exploit it if you have "Remote Login" enabled in Sharing (though it's much, much harder).

Many 3rd-party apps, like media hubs and some torrent clients, start local webservers that may be susceptible as well.

Let's hope that Apple has the patch out soon, and that they'll fix older OS versions as well.

Spreading FUD should be a crime... The vulnerability is incredibly lower than your panicked post entails and the people who actually could be "hit" by this have other options (read shells).
 
Let me give you some history because this point seems lost on a lot of people here:

Back in the early 1990's, Sun had an operating system named SunOS. It was based on BSD. The final release of this family of the OS was in 1994, version number 4.1.4.

Then marketing got involved. Sun changed their OS to one based on SYSV, and decided to start calling it Solaris. Internally, the OS was still called SunOS, but Sun didn't call it that anymore. It was all Solaris, all the time. It has been that way since.

Now, take a look at the list the author I replied to posted:



Notice how it lists both SunOS and Solaris. This list was probably taken from the Bash documentation and it's so old that it lists both SunOS and Solaris. This dates it to the early 1990's when this transition took place. Further proof is that it lists Ultrix. Who the hell has used frigging Ultrix since the 1990s? It wasn't even popular then.

So, when I say that SunOS has not been updated in about 20 years, I am referring to the SunOS in that list, 4.1.4, and it has not been updated in 20 years.

The original author I replied to thought he'd be all dramatic and list all possible operating systems that this bash bug might apply to. Unfortunately for him, he also listed a bunch of defunct operating systems that haven't been popular in over a decade and so looked foolish in the process.

How many of those operating systems even came with bash as the standard system shell? Not many of them I can tell you. Ksh is much more common on non-Linux systems. Sure, you can build bash on pretty much anything, but does that mean that all installs of that operating system are going to be vulnerable to this bug? No, it doesn't.

Let's try to use our brains out there, okay kids?

Umm... SunOS and Solaris were two distinct derivatives of the Unix OS that Sun Microsystems had put out in the early 90s. I know that because I was administering them at that time. The OSes I listed I pulled out of my head, not any bash documentation, because that doesn't exist in any bash documentation: man page, website, GNU documentation, or otherwise. Those OSes were ones I had used at that time and/or still use to this day.

Each one of those has the ability to have bash installed, either from source, or from its very own software distribution. Solaris has it on its install ISOs. OS X does. It is included with OSF/1 (Tru64 Unix), HPUX, and AIX; each one of those I have used in the past 10 years.

AIX is more than alive in IBM's Zseries of servers.
HPUX is still up and running on HP9000s.
Solaris was still being used on Sun's Sunfire X series of hardware (one of the servers I currently maintain).
FreeBSD is still being used and actively developed.

Out of all the versions of Unix I have used, Irix, Ultrix, and NeXT are the only ones not being used or in active development. Who used Ultrix? Three universities I went to between 1992 and 2004, because each one of those didn't want to spend the money on new hardware from when they ran everything off of VMS.

Sorry to burst your bubble, but call me foolish all you want; the bug affects every Unix OS that has bash installed. You cannot argue that. And the 20 years of experience I have in those Unix derivatives tells me more than the single post you have made, trying to bash me (pun intended).

BL.
 
Umm... SunOS and Solaris were two distinct derivatives of the Unix OS that Sun Microsystems had put out in the early 90s.

Umm... Yeah, no kidding. Did you even read what you quoted?

I know that because I was administering them at that time.

You're not the only one.

AIX is more than alive in IBM's Zseries of servers.
HPUX is still up and running on HP9000s.
Solaris was still being used on Sun's Sunfire X series of hardware (one of the servers I currently maintain).
FreeBSD is still being used and actively developed.

I never said otherwise about these operating systems, so you're arguing with yourself at this point.

Who used Ultrix?

I rhetorically asked who used Ultrix since the 1990s. The last update seems to have been in 1995, so I hope you didn't have them reachable by the internet for very long.

Sorry to burst your bubble, but call me foolish all you want; the bug affects every Unix OS that has bash installed. You cannot argue that. And the 20 years of experience I have in those Unix derivatives tells me more than the single post you have made, trying to bash me (pun intended).

I have no idea what bubble you think you've burst. You listed several operating systems that are all but defunct at this point in time. Claiming that this bash bug is extra awful because it may affect people who have installed bash on NeXT, Irix, Ultrix, SunOS, and OSF/1 is just silly. First, there just aren't that many of them left anymore. Second, anyone hooking one of these systems (of non-hobbyist significance) up to be accessed by the internet is already taking a risk because they aren't actively supported anymore.

I made no claim that the bash bug is not significant. If you're going to make an argument, at least argue against what I said.
 
Spreading FUD should be a crime... The vulnerability is incredibly lower than your panicked post entails and the people who actually could be "hit" by this have other options (read shells).

As I said, 99.9% of MacOS X users are not affected in any way. 0.1% of the users however _do_ need to take some very urgent action. On the other hand, these 0.1% of users shouldn't take advice from MacRumors, and they shouldn't be waiting for Apple to fix this problem.
 
And the /bin/sh point you made is why this is primarily a linux problem. Not to belittle the issue on other platforms.

On most Unixes, "sh" is the Bourne shell. And bash is bash.

Not on Linux though; Linux doesn't have a Bourne shell, it's a symlink to bash.

Linux is a kernel, not a full operating system and even if you meant GNU/Linux desktop operating systems, it still wouldn't be true.

Code:
$ ls -l /bin/bash
-rwxr-xr-x 1 root root 1033720 Sep 26 09:48 /bin/bash
$ ls -l /bin/sh
lrwxrwxrwx 1 root root 4 Jan 10  2014 /bin/sh -> dash
$ ls -l /bin/dash
-rwxr-xr-x 1 root root 117176 Jan 10  2014 /bin/dash
$ uname -osrv
Linux 3.16-2-amd64 #1 SMP Debian 3.16.3-2 (2014-09-20) GNU/Linux
$ cat /etc/debian_version 
jessie/sid

Each day it seems that people are finding new attack vectors. First it was web servers using CGI, then it was found that some DHCP implementations could be used (might not affect OS X) and now it appears that there might be an attack vector using qmail (not likely to be installed on a Mac).

Perhaps there will be more attack vectors available tomorrow.

This appears to be one of the better sites for keeping track of the actual bash issues:
https://shellshocker.net/

If someone here runs a Mac mini or some other *nix based server, it would be worthwhile running the website tester provided on that site.


EDIT: just noticed that AlecZ already posted a link to the shellshocker.net site.
 
As I said, 99.9% of MacOS X users are not affected in any way. 0.1% of the users however _do_ need to take some very urgent action. On the other hand, these 0.1% of users shouldn't take advice from MacRumors, and they shouldn't be waiting for Apple to fix this problem.

And most likely (hopefully?) those 0.1% of users are tech savvy enough to know what all this means and have the expertise to patch their system. :)
 
Umm... SunOS and Solaris were two distinct derivatives of the Unix OS that Sun Microsystems had put out in the early 90s. I know that because I was administering them at that time. The OSes I listed I pulled out of my head, not any bash documentation, because that doesn't exist in any bash documentation: man page, website, GNU documentation, or otherwise. Those OSes were ones I had used at that time and/or still use to this day.

Each one of those has the ability to have bash installed, either from source, or from its very own software distribution. Solaris has it on its install ISOs. OS X does. It is included with OSF/1 (Tru64 Unix), HPUX, and AIX; each one of those I have used in the past 10 years.

AIX is more than alive in IBM's Zseries of servers.
HPUX is still up and running on HP9000s.
Solaris was still being used on Sun's Sunfire X series of hardware (one of the servers I currently maintain).
FreeBSD is still being used and actively developed.

Out of all the versions of Unix I have used, Irix, Ultrix, and NeXT are the only ones not being used or in active development. Who used Ultrix? Three universities I went to between 1992 and 2004, because each one of those didn't want to spend the money on new hardware from when they ran everything off of VMS.

Sorry to burst your bubble, but call me foolish all you want; the bug affects every Unix OS that has bash installed. You cannot argue that. And the 20 years of experience I have in those Unix derivatives tells me more than the single post you have made, trying to bash me (pun intended).

BL.

It certainly affects every system that has Bash installed, but the attack vectors are reduced for systems that don't come with it by default. I think the distinction is important.

For example, my Arch Linux laptop uses bash for everything. It's the default shell, every system shell script runs off of it, and just about every user application, programming language, etc. that runs a shell script looks for bash. That's a huge attack surface, and worried me enough to check for updates to it 2-3 times per day. Bash is far more prevalent in Linux than in other Unix-like systems.

My OpenBSD laptop did not come with bash installed at all; the default shell in OpenBSD is ksh. Now, I never installed bash, but had I done so, every system script would still be written to use ksh, not bash. I would be vulnerable to people who already have a bash shell on my machine (through SSH for example), or through applications I configure to use bash. That's a much reduced attack surface. Still potentially catastrophic, especially if I had Apache running on it with bash CGI scripts, but most of the attack vectors people are mentioning would require manual configuration to make use of bash.


So yes, it is a genuine problem for all systems with bash, but it is likely much less exploitable on systems that did not come with it by default.

(not directing this at you specifically bradl, just making a general comment)
 
The commands following the brew upgrades replace the system-supplied Bash with the new one as the default shell. However, someone in the comments on that site said it's safer to just delete the system Bash and replace it with the Homebrew one because the system-supplied Bash could still be used somehow. It's not an issue with MacPorts.

Again, it will leave the system-supplied bash in place. Many scripts just use a hardcoded "/bin/sh" or "/bin/bash" reference to launch external programs, which means that upgrading just from Homebrew or MacPorts will leave you vulnerable.

I wouldn't delete system-supplied files as stuff might break in unexpected ways. Apple needs to ship a fix.
 
i have a question...

is this a matter of "weakest link" where if one system is affected (forward facing services) all others are also compromised?

----------

sorry and one more thing, if the HW firewall blocks ports to the services that are forward facing are you still at risk?

and if so, how would one go about testing their own vulnerability from the outside?
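An added example, not code from anyone in this thread, from Apple, Homebrew or MacPorts: a POSIX sh script that answers the "how would I test it" question above and the earlier point that a Homebrew or MacPorts upgrade leaves the system /bin/bash (and, on OS X, the separate /bin/sh bash build) untouched. It runs the publicly known Shellshock probes (the CVE-2014-6271 environment-function test, the CVE-2014-7169 parser follow-up, and a check that the final fix only imports functions from specially named variables) against every bash binary it finds, checks whether /bin/sh is really bash the way the Debian output earlier in the thread shows it is not, and builds the raw HTTP request an outside tester would send to a CGI endpoint. The search paths, the marker strings and the host/path used in the request are assumptions, not anything from the thread.

```shell
#!/bin/sh
# shellshock_check.sh -- added example, not code from this thread, Apple, Homebrew
# or MacPorts.  Probes bash binaries with the publicly known Shellshock test
# strings and reports per binary, because a package-manager upgrade leaves the
# system /bin/bash (and on OS X a separate /bin/sh bash build) exactly as it was.
# The search paths in scan_system are an assumption about where bash usually lands.
#
# Probe exit codes: 0 = passed, 1 = vulnerable, 2 = could not test.

# CVE-2014-6271: commands trailing an exported function body ran when bash imported
# the function from the environment.  A CGI gateway exports request headers as
# HTTP_* variables, sshd passes TERM and SSH_ORIGINAL_COMMAND, and DHCP client
# hooks see option values, so each of those is a way to set such a variable.
probe_6271() {
    out=$(env x='() { :;}; echo MARKER-6271' "$1" -c 'echo probe' 2>/dev/null) || true
    case "$out" in *MARKER-6271*) return 1 ;; esac
    return 0
}

# CVE-2014-7169: after the first upstream patch the parser was still left in a bad
# state, so this truncated function body turned the next word into a redirection
# and wrote a file literally named "echo".  Run it in a scratch directory.
probe_7169() {
    scratch=$(mktemp -d "${TMPDIR:-/tmp}/shellshock.XXXXXX") || return 2
    ( cd "$scratch" && env X='() { (a)=>\' "$1" -c 'echo date' >/dev/null 2>&1 ) || true
    if [ -e "$scratch/echo" ]; then rm -rf "$scratch"; return 1; fi
    rm -rf "$scratch"
    return 0
}

# The complete fix only imports functions from specially named variables
# (BASH_FUNC_name%% upstream, BASH_FUNC_name() on Red Hat), so a function
# definition sitting in an ordinary variable must stay inert.
probe_plain_import() {
    out=$(env foo='() { echo MARKER-IMPORT; }' "$1" -c 'foo' 2>/dev/null) || true
    case "$out" in *MARKER-IMPORT*) return 1 ;; esac
    return 0
}

# A /bin/sh that is really bash (Linux distributions that symlink it, or OS X,
# where it is a separate bash build) exposes every #!/bin/sh script as well.
# dash, ksh and zsh leave BASH_VERSION empty, so this works on copies and symlinks.
is_bash() {
    [ -n "$("$1" -c 'printf %s "$BASH_VERSION"' 2>/dev/null)" ]
}

# Run every probe against one binary, print a verdict line, return 0/1/2.
probe_bash() {
    bin=$1
    [ -x "$bin" ] || { echo "$bin: not present"; return 2; }
    bad=""
    probe_6271 "$bin"         || bad="$bad CVE-2014-6271"
    probe_7169 "$bin"         || bad="$bad CVE-2014-7169"
    probe_plain_import "$bin" || bad="$bad plain-variable-function-import"
    if [ -n "$bad" ]; then
        echo "$bin: VULNERABLE:$bad"
        return 1
    fi
    echo "$bin: no known Shellshock issue"
    return 0
}

# Check the usual system, Homebrew and MacPorts locations (assumed paths), then
# /bin/sh if it turns out to be bash.  Returns 1 if anything failed a probe.
scan_system() {
    rc=0
    for bin in /bin/bash /usr/bin/bash /usr/local/bin/bash /opt/local/bin/bash; do
        [ -e "$bin" ] || continue
        probe_bash "$bin" || rc=1
    done
    if is_bash /bin/sh; then
        echo "/bin/sh is bash, so #!/bin/sh scripts are exposed too:"
        probe_bash /bin/sh || rc=1
    fi
    return $rc
}

# Testing from the outside: the same marker goes into a request header, which the
# CGI gateway exports as HTTP_USER_AGENT before running the script.  This only
# builds the request; send it (nc, curl) to a host you own and look for
# MARKER-CGI in the response body.  The leading "echo;" ends the CGI headers.
cgi_probe_request() {
    printf 'GET %s HTTP/1.0\r\nHost: %s\r\nUser-Agent: () { :;}; echo; echo MARKER-CGI\r\n\r\n' "$2" "$1"
}

# sh shellshock_check.sh --scan                    probe the usual locations
# sh shellshock_check.sh /opt/local/bin/bash ...   probe named binaries
for target in "$@"; do
    if [ "$target" = "--scan" ]; then scan_system; else probe_bash "$target"; fi
done
```

Run it with `--scan` after a `brew upgrade bash` or `port upgrade bash` and the verdict lines make the point above concrete: /usr/local/bin/bash or /opt/local/bin/bash passes while /bin/bash and /bin/sh still fail until Apple ships a patch. A hardware firewall only removes the network paths to a bash that is still vulnerable; the binary itself answers the same way on the probes either way.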
 
The info in my earlier post is correct. This issue has been patched by most Unix/Linux orgs already, with Mac OS X still hanging in the wind because it's not that big a vulnerability for MOST Mac OS X users. Now, please don't tell me what I know when it is clear that you don't know what you're talking about.

P.S. I have been administering *nix machines for more than two decades.

Yeah, and I have roughly 15 years doing so as well. So what?

Currently only Red Hat has an effective patch released. It (wisely) removes a fundamental "feature" from bash, and so has NOT been accepted by the upstream maintainers of bash yet. The initial patch - the one most distros have already deployed - has been shown to be incomplete and ineffective.
 
As I said, 99.9% of MacOS X users are not affected in any way. 0.1% of the users however _do_ need to take some very urgent action. On the other hand, these 0.1% of users shouldn't take advice from MacRumors, and they shouldn't be waiting for Apple to fix this problem.

I agree on that. And there are solutions. Very few things I run on Unix have very strong shell dependencies. Too much of a pain when you want to switch them out. If there was a major security bug in Perl, well that would really suck for me :); one time I had to patch a bug myself because I couldn't stand (I am angsty) waiting for the official fix (came the next day. Work done for nothing :).
 
What does 'majority' mean exactly?

They mean that most people won't even know what this is about, because they don't use anything at the CLI. In short, they don't know anything about Unix, so they won't even bother to use it.

Will there be an update for Snow Leopard?

We won't know until they release it.

BL.
 
Why not get a mac mini and use a monitor of your choice ^_^ - I simply could not function with a 2006 computer today.

I already have a modern MacBook Pro and MacBook Air -- but I can say that the old 2006 iMac on Snow Leopard runs as fast as it did when I got it, and it does email and surfs the web very nicely ... on Snow Leopard; but alas no updates for Snow Leopard today for Bash.

----------

Even if Apple didn't provide a security patch for ANY systems, once a known working patch is published, it is pretty easy to recompile bash for a system with the patch incorporated... as long as development tools are available (so any version of OS X would not be a problem, where this is a much bigger problem for embedded systems that will not get patched and aren't easily user-updateable).

And if you're not capable of doing it, someone would be and would probably make the binary available.

Where would I find out about such patches, and how would I know if it is stable, or if it would jeopardize the stability of the old Mac?
 