[Xymon] 'Shell shock' mitigation

J.C. Cleaver cleaver at terabithia.org
Sat Sep 27 02:32:31 CEST 2014


On Fri, September 26, 2014 4:57 pm, me at tdiehl.org wrote:
> On Fri, 26 Sep 2014, J.C. Cleaver wrote:
>
>>
>> /bin/sh to /bin/bash is standard on Red Hat-derived systems.
>>
>> dash is present as a package in RHEL6 and Fedora, but not EL7 or EL5.
>> Prior to that (<=EL4) 'ash' was available.
>
> So, is changing the shell in /etc/passwd for the xymon user to /bin/dash
> sufficient to get xymon to use dash or are other changes required?
>

The key exposure is the shebang line for the wrappers in
~/server/xymon-cgi/ and/or ~/server/xymon-seccgi/. After that, ensure that
SHELL= in xymonserver.cfg is set to /bin/dash (if you're using at least
4.3.12).


The /etc/passwd shell is what the system account will use, but there's no
real need for the xymon user to have a valid shell at all there (unless
you're doing a remote login or something). I typically use /sbin/nologin
there.


> I really do not want to change the symlink for /bin/sh to point to dash
> as I am not sure what other things might break.
>
> This is on a CentOS 6.5 box.
>


I wouldn't advise switching /bin/sh to /bin/dash on a RH/CentOS box --
probably lots of small breakages here and there due to bashisms.



HTH,

-jc
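
A way to check the two places named in the message above (the wrapper shebang lines in xymon-cgi/ and xymon-seccgi/, and SHELL= in xymonserver.cfg), as an added example that is not part of the original message or of Xymon. The function names, the three arguments and the assumed `SHELL="/path"` line format are illustrative assumptions.

```shell
#!/bin/sh
# Added example. Function names and arguments are assumptions for illustration.

# Print the interpreter named on FILE's shebang line (nothing if there is none).
shebang_of() {
    head -n 1 "$1" 2>/dev/null |
        sed -n 's/^#![[:space:]]*\([^[:space:]]*\).*/\1/p'
}

# Print "path<TAB>interpreter" for each script in DIR not run by WANTED.
nonconforming_wrappers() {
    dir=$1; wanted=$2
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        interp=$(shebang_of "$f")
        [ -n "$interp" ] || continue          # no shebang: not a shell wrapper
        [ "$interp" = "$wanted" ] || printf '%s\t%s\n' "$f" "$interp"
    done
}

# Print the last SHELL= value in CFG (assumed form: SHELL="/path", quotes optional).
cfg_shell() {
    sed -n "s/^[[:space:]]*SHELL=[\"']\{0,1\}\([^\"'[:space:]#]*\).*/\1/p" \
        "$1" 2>/dev/null | tail -n 1
}

# audit XYMON_HOME CFG WANTED: list every mismatch, return 0 only if none.
audit() {
    home=$1; cfg=$2; wanted=$3; rc=0
    for d in "$home/server/xymon-cgi" "$home/server/xymon-seccgi"; do
        out=$(nonconforming_wrappers "$d" "$wanted")
        [ -z "$out" ] || { printf '%s\n' "$out"; rc=1; }
    done
    cur=$(cfg_shell "$cfg")
    [ "$cur" = "$wanted" ] || { printf 'SHELL=%s in %s\n' "${cur:-unset}" "$cfg"; rc=1; }
    return "$rc"
}

# Stand-alone use: sh audit.sh ~xymon /path/to/xymonserver.cfg /bin/dash
if [ "$#" -eq 3 ]; then audit "$@"; fi
```

A non-zero exit status means at least one wrapper or the SHELL= setting still names a different shell; each mismatch is printed on its own line.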



