more secure shell version in whonix experimental - ash - reduced attack surface

good idea for current whonix but whonix in general needs to have separate branches, one for current whonix (stable) and another for “experiments” where maintainers can just put ash or dash or bash or zsh without starting a discussion, then put a download link for testing/bug hunting under some kind of “Experimental” page in the wiki/download page

the shell in that version (experimental) should be ash due to its low amount of code and good security track record when compared to bash/zsh

1 Like

What has a greater attack surface:

  • outdated, archived, unmaintained, old implementation of the Bourne Shell with Debian dash (ash for Debian), with known vulnerabilities. The dash man page was last written in 2003.
  • updated, maintained, widely developed, feature rich shell zsh where security bugs are still being fixed

Not sure what you mean by a more secure version called experimental, but if that version is ash: almost all shells can run in POSIX compliant mode, the same code can be run on all of them; an attacker does not care if your interactive shell is Zsh, Bash, Dash, Ash, Sh, Ksh, Csh, as long as their code is POSIX, it will be able to exploit your machine.

But if you are saying a targeted exploit to your interactive shell called Zsh, but no other shell, then that is a targeted attack, and if you have an enemy that can use that kind of attack, then no shell will protect you, not Zsh nor Ash.

Whonix can’t make a restrictive shell user friendly. Try rbash (Restrictive Bash, read the man).

Open to be proven wrong.

1 Like
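As an added example, not code from the thread, from Whonix or from any of the posters: the two claims above (POSIX-clean code runs under every shell, and rbash is what a restrictive shell looks like) can be checked directly. The script probes whichever shells happen to be installed (sh, dash, bash, zsh, ksh, busybox; none is assumed present) with one strictly POSIX snippet and one snippet that uses bash/zsh extensions, then runs a few commands under `bash -r` (restricted mode, which is what `/bin/rbash` invokes) to show what it refuses. Both snippets and the command list are constructed for this example.

```sh
#!/bin/sh
# Added example, not from the thread. Probe installed shells with a POSIX-only
# snippet and a bash/zsh-only snippet, then show what bash's restricted mode
# (rbash) refuses. No particular shell is assumed to be installed.

# Constructed snippets. The first uses only POSIX sh features; the second
# depends on [[ ]] and `declare -a`, which POSIX does not define.
POSIX_SNIPPET='x=5; if [ "$x" -gt 3 ]; then printf ok; fi'
BASHISM_SNIPPET='x=5; if [[ $x -gt 3 ]]; then printf ok; fi; declare -a arr=(1 2)'

# runs_under SHELL SNIPPET
# Prints "ok" if SHELL runs SNIPPET to completion with the expected output,
# "fail" if it errors or prints something else, "absent" if SHELL is missing.
runs_under() {
    snippet=$2
    case $1 in
        busybox) set -- busybox sh ;;   # busybox's ash is reached as "busybox sh"
        *)       set -- "$1" ;;
    esac
    command -v "$1" >/dev/null 2>&1 || { echo absent; return 0; }
    # Errors such as "[[: not found" go to stderr; we only compare stdout.
    out=$("$@" -c "$snippet" 2>/dev/null) || out=''
    if [ "$out" = ok ]; then echo ok; else echo fail; fi
}

# portability_report SNIPPET: one line per candidate shell.
portability_report() {
    for s in sh dash bash zsh ksh busybox; do
        printf '%-8s %s\n' "$s" "$(runs_under "$s" "$1")"
    done
}

# rbash_allows COMMAND
# Runs COMMAND under `bash -r` and prints "allowed" or "blocked";
# "absent" if bash itself is not installed.
rbash_allows() {
    command -v bash >/dev/null 2>&1 || { echo absent; return 0; }
    if bash -r -c "$1" >/dev/null 2>&1; then echo allowed; else echo blocked; fi
}

# rbash_report: documented rbash restrictions, exercised one by one
# (cd, assigning PATH, slashes in command names, output redirection).
rbash_report() {
    for cmd in 'true' 'cd /' 'PATH=/tmp' '/bin/true' 'echo hi >/dev/null'; do
        printf '%-20s %s\n' "$cmd" "$(rbash_allows "$cmd")"
    done
}

echo '== POSIX-only snippet =='
portability_report "$POSIX_SNIPPET"
echo '== snippet with bashisms =='
portability_report "$BASHISM_SNIPPET"
echo '== under bash -r (rbash) =='
rbash_report
```

Run it with `sh ./probe.sh`. The POSIX snippet should report `ok` for every installed shell, the bashism snippet `fail` under dash (and typically under busybox sh, depending on build options), and `bash -r` should block everything on the list except `true`. Note what the rbash column also demonstrates: the restrictions apply only to that shell process, so an attacker who gets any other interpreter or binary to run is not constrained by them.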

posix is not the bible lol, all of these shells have different code and won't run your script unless it's pretty basic, though most code works fine across them, quite a few do not work well if you just slam shell code into another shell lol

ash is minimal in terms of code and thus reduced attack surface
your many-eyes bash had a bug in it called shellshock, not very secure huh?

I am talking pure security here, ash is not dash and is actively maintained

Provide references to the Ash shell you are talking about.

as for “experimental” I meant that currently whonix doesn't release “Experimental” builds where the maintainers are given more freedom to add and remove stuff as they see fit, and things that stick long enough get moved to the next “stable” whonix release, I mean

ash is a fork of dash, actively maintained, low size because of low code but fewer shell-specific features

Almquist shell - Wikipedia
Ash (mainly the Dash fork) is also fairly popular in embedded Linux systems.

The bad arrangement of words gives you a false impression that Ash is a Dash fork. Let me reword it: Ash, mainly its fork named Dash, is also fairly popular in embedded Linux systems.

$ man dash

HISTORY
dash is a POSIX-compliant implementation of /bin/sh that aims to be as small as possible. dash is a
direct descendant of the NetBSD version of ash (the Almquist SHell), ported to Linux in early 1997.
It was renamed to dash in 2002.

http://gondor.apana.org.au/~herbert/dash/

https://www.in-ulm.de/~mascheck/various/ash/

No, it is a standard, but if you are talking in books, it is a dictionary, a regiment.

Attack surface is not only amount of lines of code.

True, shells should never ever have had networking capabilities, but now they have, web era.

Dash came from Ash.

And about being actively maintained:
https://www.in-ulm.de/~mascheck/various/ash/recent_changes.html

13-02-2021:
    VMWare ESX 6.7.0 has busybox 1.x as system shell 
11-10-2014:
    explicitly mention that ash accepts "{ ...; }" as body in a "for" loop like many other shells (undocumented). Not only that dash threw this out. 
11-05-2014:
    "local -" (make $- local in functions) apparently is the second characteristic feature of ash, thanks to Jilles Tjoelker
    added some fixes on FreeBSD 9.0, thanks to Jilles Tjoelker
    11-05-2014: improved picture concerning android 
12-04-2014:
    added Android 

What is 7 years without updates?

That is the link gathered from the reference you made to wikipedia.

ash is not dash, it is a fork mainly specific to alpine and embedded usage, also calling alpine's shell unmaintained? I won't write a paragraph on why that is not true, if you check any github or docker file it will be running alpine, a lot of companies use alpine, everything in alpine is small and is easier to review, including the shell.

the wikipedia links are not up to date because wikipedia is historic, not a git commit history lol

instead of arguing with me why not go to any major (and small) tech company or cybersec company and call them out on their use of an “outdated” shell (untrue)? I am sure they will be all ears as they make their living off tech and the last thing they want is to get hacked from using bad ash

Ash is not a user-facing shell, it is to run scripts fast, not meant to be a secure shell, it is just small because there is no further development to it.

Including nobody uses that shell except minimal distros, and Whonix is not and does not aim to be.

You gave me the link, I am just using it.


Ash is minimal indeed, but not user-facing, not even Debian uses it interactively, just in the background. Alpine does, but common people are limited on Alpine.

Instead of focusing on which shell is more secure, because I’m aware that Zsh is much bigger than Ash, convince one major distro (Debian, Ubuntu, Fedora) to default to Ash instead of Bash and Zsh and let’s see if they find it usable, useful…

Indeed they do not focus on security, but if Whonix starts using Ash, many scripts are still being written in Bash and bash will still be installed, so you haven’t limited that yet.

1 Like

If Whonix ever has a minimal version released, I will myself make it use Ash, but for the time being, it will still be Zsh or Bash.

1 Like

No offense but you come off as somebody who never wrote a shell script in their entire lives and definitely does not know what he is talking about. t. busybox contributor

Ash does not receive many updates or fixes because there is nothing to fix or improve on, unlike all the other shells you mentioned, which are cluttered with security issues, bugs and possibly more

They do not claim to be security-focused operating systems, unlike Whonix who does.

Ash switch would be a small improvement when compared to the current security issues Whonix has. Xfce xorg? that stuff hasn’t been updated in years, might as well be older than you.

They work great with few to no modifications when run on ash. have you read a single script before? now is the time

you don’t have a say in that and you are not a developer, and won’t be due to the fact you cannot code nor script, shown by your clear lack of ability to comprehend that ash is more POSIX compliant than Bash and Zsh and is not cluttered with bugs. it is not too late to start learning basic scripting but in the meantime stay away from security stuff.

@nyxnor’s first post ever in the Whonix forums started with a contribution, bringing the deprecated tor-ctrl back to life:

And much more since then.

An exemplary way of starting to become a contributor.

See @nyxnor’s github profile:

2 Likes