Showing posts with label bash. Show all posts

Monday, October 6, 2014

Fixing the BASH Shellshock vulnerability on OSX 10.5.8 and 10.6.8





Apple released a BASH update that addresses the ShellShock vulnerabilities, but they neglected operating systems older than 10.7 Lion.

Well, I happen to know people who are running various 10.5.8 and 10.6.8 Snow Leopard machines in production. They are used in automation and rely heavily on BASH. Thus, I upgraded over a dozen legacy Mac OSX Servers and it was pretty straightforward.

I'm not going to take the credit but most of what you need is at this link:
http://www.macissues.com/2014/09/25/how-to-unofficially-fix-the-shell-shock-bash-vulnerability-in-os-x/

You will need to download the latest Xcode for each respective OS.
The only gotcha is 10.5.8 and cURL. 10.5.8's built-in cURL does not support SSL, so you will need to add a -k (insecure SSL: certificate verification is skipped) flag in the instructions.

Here is an example:
For 10.6.8

curl https://opensource.apple.com/tarballs/bash/bash-92.tar.gz | tar zxf -


For 10.5.8
curl -k https://opensource.apple.com/tarballs/bash/bash-92.tar.gz | tar zxf -


That is it. For 10.5, add the -k flag to each cURL download from Apple's servers.

Once finished, you should be able to address all of these vulnerabilities:
CVE-2014-6271
CVE-2014-7169
CVE-2014-6277
CVE-2014-6278
CVE-2014-7186
CVE-2014-7187

Bash should be updated to 3.2.55(1)



Once you are patched, it is time to test.
You can go to shellshocker.net and download a bash script that runs through all the vulnerabilities.

Or run it from the shell via cURL.
curl https://shellshocker.net/shellshock_test.sh | bash



I hope this helps.

Once you compile it, you can easily tar the files up and use it for re-distribution to similar machines. I only had to compile BASH twice (once for 10.5 and once for 10.6). I then took my Releasebuild binaries and rsynced them across various OSX machines from my iPad.


I tested it extensively on some VMs and then on production servers. I was a bit worried about going the homebrew route as that method will install the newer 4.3. That is a major generational change and there would be some major breakage somewhere. Thus, sticking with a 3.2.XX version of BASH with all the updates will be the most painless. I have OS X servers running MailMan listservs, some are used for production automation that runs rsync, mounting NFS shares, CalDAV, and the like. So far, nothing has broken.
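A local check that avoids piping a remote script into bash, added here as an example and not part of the original post: it probes each given binary for CVE-2014-6271 only (not the other five CVEs listed) and compares the reported version with the 3.2.55(1) named above. The function names and the marker string are made up for this example.

```shell
#!/bin/sh
# Added example: check local bash binaries for CVE-2014-6271 and the expected version.
# Usage (paths are the reader's choice): sh check_bash.sh /bin/bash /bin/sh
MARKER=SHELLSHOCK_PROBE_HIT   # constructed string, printed only by a vulnerable shell

# probe_6271 PATH: 0 = not vulnerable, 1 = vulnerable, 2 = not executable
probe_6271() {
    [ -x "$1" ] || return 2
    # A vulnerable bash runs the command trailing the function body while
    # importing the variable, so the marker appears before "probe".
    out=$(env "x=() { :;}; echo $MARKER" "$1" -c 'echo probe' 2>/dev/null) || true
    case $out in
        *"$MARKER"*) return 1 ;;
        *) return 0 ;;
    esac
}

# version_matches REPORTED WANTED: 0 if REPORTED starts with WANTED
version_matches() {
    case $1 in "$2"*) return 0 ;; *) return 1 ;; esac
}

# audit_shell PATH WANTED: prints one status line, returns 0 only if both checks pass
audit_shell() {
    rc=0
    probe_6271 "$1" || rc=$?
    if [ "$rc" -eq 2 ]; then
        echo "$1: not executable"; return 2
    fi
    ver=$("$1" -c 'echo "$BASH_VERSION"' 2>/dev/null) || ver=unknown
    if [ "$rc" -eq 1 ]; then
        echo "$1: VULNERABLE to CVE-2014-6271 (reports $ver)"; return 1
    fi
    if ! version_matches "$ver" "$2"; then
        echo "$1: probe passed, but version is $ver (expected $2)"; return 1
    fi
    echo "$1: OK ($ver)"
}

# Audit every path given on the command line against the version named in the post.
if [ "$#" -gt 0 ]; then
    status=0
    for shell_path in "$@"; do
        audit_shell "$shell_path" '3.2.55(1)' || status=1
    done
    exit "$status"
fi
```

Run it on each machine after copying the rebuilt binaries over; a non-zero exit status means at least one of the listed paths failed the probe or reports a different version.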

Wednesday, March 13, 2013

Pimp and personalize your Terminal Prompt



Around 16 years ago during the dot-com boom, I was getting my first exposure to remote console access. Logging into a UNIX server back in those days was a real treat. It had much more intimacy as sysadmins would often personalize their lair.
Today, with Puppets, Chefs and virtualization, scores of machines and servers are created on-the-fly. Virtualization and cloud computing have desensitized the experience.

Today, I don't even know what I'm logging into. Single VM instances run small web applications unlike before when a massive server would handle a variety of tasks. This is what I typically see:


Which brings me to today's blog post. Personalization in the console. With things like ASCII art, MOTDs, and even editing bash profiles, you can bring some of that intimacy back.

Now, don't these screenshots below look more personal?





MOTD (Message of the Day) is a text file sysadmins usually personalize for end users logging in. Today, MOTDs are often system auto-generated to display stats.
You can reclaim that rather easily. Or, you can append to the default MOTD by adding a file /etc/motd.tail on most *NIX operating systems.

I normally head over to several ASCII sites and download some goofy ascii art to give the servers some more bling.





Some interesting tools.

There are a few things in Linux you can use to customize your MOTDs.

First, there is linux_logo (apt-get install linux_logo on Debian or pacman -S linux_logo on Arch).

This will give you the ability to generate a few great system logos.

To list available logos, type in: linux_logo -L list

Then to choose, type linux_logo -L X (number from the list)





If you want to pipe it out to a text file, you can do: linux_logo -L 26 > ubuntu.motd.txt

Another tool is figlet, which is an ASCII text banner creator. Figlet is pretty straightforward and the instructions in the man pages are to the point.

Here, I have a centered logo with a slight slant:
figlet -cf slant "my text"
-c = center
-f = font




Now combine some ASCII art with ASCII text decorations and you can have something like these:








As you can see, with little effort, you can stylize your terminal login prompts.





















