By Tzach Livyatan
A new bash bug is ‘bigger than Heartbleed’ and puts millions of websites. In short, Shellshock can take advantage of any server which call Bash. You can find a good insight into Shellshock on Michal Zalewski’s blog.
A Bash patch is already available, but there is a bigger question: Why do you want Bash on a production server in the first place? By its nature Bash is a dangerous beast, wouldn’t it be better to keep him on the cage and off your system?
What did you say?
“I need my Bash for troubleshooting?”
Do you now?
I assume your production server already writes logs and send traps to to a remote machine. If not, you probably do not have many production servers. What if in addition you had a secure remote REST API which allows you to probe files, get traces and any other information element you need? Do you still need Bash? And if you don’t, than wouldn’t it be better not to have it on the first place?
Don Marti writes that the need for fast, reliable VM builds is the important lesson from this bug, but I disagree. Why not just remove the shell from the server?
OSv takes a different approach from other OSs on the subject.
Recognizing that most cloud servers only run one application, it is designed to run one and only one process.
Every interaction with OSv is done via a set of REST APIs, over SSL.
You can find the current list of supported endpoints on the OSv site.
fork is inherently not allowed, there is not way for a Shellshock-like bug to exist.
Sure, bugs in OSv may still lead to code injection via the API, but the surface of attack is much smaller, and dangerous APIs can be easily disabled.
OSv still supports a CLI, but its run outside the OS, and administrators can use the secure API to access it, just like everybody else.