[ale] CRITICAL LINUX FLAW OPENS THE DOOR TO FULL ROOT ACCESS (RHE)

leam hall leamhall at gmail.com
Thu May 17 14:03:22 EDT 2018


On Thu, May 17, 2018 at 1:25 PM, Solomon Peachy <pizza at shaftnet.org> wrote:
> On Thu, May 17, 2018 at 11:59:25AM -0400, leam hall via Ale wrote:
>> > "Ayer added that the situation is a reminder for Linux teams and
>> > developers of the 'frailty' of shell scripts. Shell, a commonly
>> > used programming language on Linux systems, is simply prone to
>> > allowing these kinds of flaws to be coded, he said."
>>
>> Yeah, Ayer lost all credibility at that point.
>
> No, he's completely correct.  This flaw (and those of its class) would
> not have been possible had that glue logic been implemented in just
> about anything other than a shell script.
>
> (That shell script basically took the DHCP results and used a shell
>  script to mash it up against a NetworkManager helper tool, which in
>  turn just makes a dbus invocation to notify NetworkManager of the
>  change.  A more modern DHCP client would have just made the dbus call
>  directly)
>

That's like blaming PHP the language for bad web pages. If you don't
filter input you put yourself at risk. Ayer lost credibility since
the same flaw could be implemented in most other languages.
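
The two positions in this thread side by side, as an added example that is not part of the original messages and does not reproduce the script under discussion. It assumes a hook that forwards one DHCP-supplied domain name to a helper; `notify_helper`, `forward_unsafe`, `forward_safe` and `is_valid_hostname` are hypothetical names, and the sample values are constructed.

```shell
#!/bin/sh
# Hypothetical stand-in for the helper tool: reports the number of
# arguments it received, then each argument.
notify_helper() {
    printf '%s' "$#"
    for arg in "$@"; do printf '|%s' "$arg"; done
    printf '\n'
}

# Fragile glue: the value is pasted into a command string that the shell
# parses a second time, so metacharacters in it are interpreted.
forward_unsafe() {
    eval "notify_helper domain_name=$1"
}

# Allowlist filter: letters, digits, dot and hyphen only; no empty value,
# no leading dot or hyphen, no empty label, at most 253 characters.
is_valid_hostname() {
    case $1 in
        ''|*[!A-Za-z0-9.-]*) return 1 ;;
        -*|.*|*..*) return 1 ;;
    esac
    [ "${#1}" -le 253 ]
}

# Hardened glue: filter first, then pass the value as one quoted
# argument with no second round of parsing.
forward_safe() {
    is_valid_hostname "$1" || return 1
    notify_helper "domain_name=$1"
}

# Constructed sample values standing in for what a DHCP server supplies.
for value in 'corp.example' 'corp.example; echo INJECTED'; do
    if out=$(forward_safe "$value"); then
        echo "accepted: $out"
    else
        echo "rejected: $value"
    fi
done
```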
