Once upon a time, Rahul Sundaram <methe...@gmail.com> said: > Is it worth considering using Dash as the default (non-interactive) shell > in Fedora? Other distributions including Ubuntu and Debian ( > https://lwn.net/Articles/343924/) have been using dash as the default shell > and Android uses mksh. While this appears to have been done primary to > increase bootup efficiency (which is not relevant with systemd), it might > help with security
To clarify what I think you are proposing, you want to put dash in the core package set, and change the /bin/sh symlink (used as the script interpreter) from bash to dash. Here's my opinion (for the nothing that it is worth) about changing /bin/sh for security: first somebody would need to do a security review of dash to "prove" (for some value of "prove") that it is better (for some value of better) than bash. After all, bash has been around for a long time now, and as far as I can remember, this is the first security incident with it that relates to using it as the /bin/sh script interpreter. It now has a significant amount of attention to look for more of course. To be proven better (and worthy of replacing bash as /bin/sh), dash would need at least as much scrutiny. dash is roughly the same age as bash (both just over 25 years old), so "newer" or "older" isn't really a factor. One thing that might be a good topic for consideration: is there a reasonable way to allow different implementations to take the /bin/sh symlink? Could this be handled through the alternatives system, so that admins could choose bash vs. dash vs. whatever? In theory now, /bin/sh is not as critical to system startup with systemd (although I expect there are still scripts that called in various places). -- Chris Adams <li...@cmadams.net> -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
