blog @spotflux
These are the thoughts and opinions written by the spotflux team and our colleagues.

Patching the shellshock bug in OS X

September 25, 2014

The shellshock bug, announced yesterday, has left a lot of sysadmins scrambling to patch their copies of bash.

Patches are readily available for most flavors of Linux, but OS X is lagging behind a bit, waiting for Cupertino to put out an update. Unfortunately, the manual steps to rebuild the distributed copy of bash require the Xcode command line tools and can be a little intimidating.

Luckily, there is a slightly easier way, using Homebrew. It requires running some commands in the terminal, but we’ve got full instructions for you.

Testing the Vulnerability

To see if you’re exposed, run the following command in the terminal.

env x='() { :;}; echo vulnerable' bash -c 'echo hello'

If your copy of bash is at risk, you will see the following:
vulnerable
hello

If you’ve been successfully patched, you will see this:
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
hello

If you’re at risk, continue with these steps to get patched as soon as possible.

All commands should be run in Terminal, and you should make sure you’re using an Administrator account, as we’ll be using sudo.

WARNING: It is possible to break the configuration for OS X if these instructions are followed incorrectly. Worst case, you can be prevented from logging back in entirely. Use these instructions at your own risk. Should you find yourself locked out, you can restore OS X by rebooting and holding CMD+R, which will bring you into the recovery screen. Reinstall OS X and you will get your settings back without losing data.

1. Install Homebrew

Homebrew is a handy package manager for OS X. Run the command below to install it if you’re not already using it.

ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"

2. Get the latest version of bash

Run the following to update your Homebrew package lists and get the latest, safe version of bash.

brew update
brew install bash

This will install bash and create a link at /usr/local/bin/bash. However, the default copy of bash (which we want to replace) is located at /bin/bash. So we need to put our new copy of bash in charge.

3. Replace your default shell

First, let’s get rid of the vulnerable copy of bash:

sudo mv /bin/bash /bin/bash.shellshock

Note we’re using sudo, so you may need to enter your password.

This will rename the default bash executable to bash.shellshock. You can always get it back by renaming the file to bash again.

We then need to create a link to our new executable:

sudo ln -s /usr/local/bin/bash /bin/bash

It is important to note that this link may be replaced when you run an OS X update (which is why we changed the shell explicitly).

You can check if the link is still in place with this command:
ls -la /bin/bash
Note the reference to /usr/local/bin/bash.

That should do it! Restart your terminal (exit it and relaunch), then run the test again from earlier:

env x='() { :;}; echo vulnerable' bash -c 'echo hello'

And you should see:
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
hello

Congratulations! You’re patched. Be sure to reboot to get rid of any bash sessions you didn’t know about.
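The test command above only probes whichever bash comes first in your PATH. The script below is an added example, not part of the original post: it runs the same probe against each binary you name and shows where symlinks point. The function names and report format are our own choices.

```shell
#!/bin/sh
# Added example (not from the original post): audit shell binaries for the
# Shellshock function-import bug after following the steps above.
# Usage: sh audit.sh /bin/bash /bin/sh /usr/local/bin/bash /bin/bash.shellshock

# check_shell PATH: prints vulnerable, patched, error or missing.
# "patched" means the probe did not fire and the shell still ran the command.
check_shell() {
    cs_path=$1
    if [ ! -x "$cs_path" ]; then
        echo missing
        return 0
    fi
    # The post's test command, aimed at one explicit binary instead of
    # whichever bash comes first in PATH. stderr holds the patched warnings.
    cs_out=$(env x='() { :;}; echo vulnerable' "$cs_path" -c 'echo hello' 2>/dev/null) || true
    case $cs_out in
        *vulnerable*) echo vulnerable ;;
        *hello*)      echo patched ;;
        *)            echo error ;;
    esac
}

# audit_shells PATH...: one report line per path, symlink targets included.
# Returns 1 if any listed binary is still vulnerable, 0 otherwise.
audit_shells() {
    as_rc=0
    for as_path in "$@"; do
        as_status=$(check_shell "$as_path")
        if [ -L "$as_path" ]; then
            printf '%s -> %s: %s\n' "$as_path" "$(readlink "$as_path")" "$as_status"
        else
            printf '%s: %s\n' "$as_path" "$as_status"
        fi
        if [ "$as_status" = vulnerable ]; then
            as_rc=1
        fi
    done
    return "$as_rc"
}

# Run only when paths are given on the command line.
if [ "$#" -gt 0 ]; then
    audit_shells "$@"
fi
```

/bin/sh is in the usage line because on OS X it is a separate bash build that the steps above do not replace. The renamed /bin/bash.shellshock will still report vulnerable, since it is the old binary under a new name.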

Uploading files in Python 3

April 3, 2014

Here at Spotflux, we use Python 3 in our client build process to script some of our automated tests. A new test recently required us to post a file to a web service, using HTTP. We found a nice little snippet at ActiveState to do it, but, as with many Python examples at the moment, it was written for version 2, which has many incompatible differences.


Spotflux 2.10 – New Look, No Java

March 7, 2014

Some of you may already have noticed that Spotflux 2.10.0 for Windows was released earlier today, our biggest and best client update yet, with a brand new UI, greater stability and absolutely no Java dependency.

We’ve been working our socks off for the past few months to completely overhaul the Spotflux Client for Windows, and we think you’re going to love it.


Tech Tips: Automated High Availability in the Cloud with Zabbix + KVM

December 3, 2013


At Spotflux we use Zabbix not just for monitoring our entire infrastructure but for automating recovery from failures and managing high availability. As with most implementations of Zabbix, there are some significant performance and management considerations in placing Zabbix reporting agents on a large number of virtualized instances across a large number of physical servers. While leveraging Zabbix Proxy is a good path for addressing some of the performance challenges, the current state of Zabbix did not allow us to easily control the state of virtualized instances from the hypervisor, meaning they would have to be controlled through a complicated set of customized scripts.

Where we stand on Privacy

October 25, 2013

Over the past few years users have asked us a lot about Privacy and where we stand on the subject. This is a complicated answer but I will try to be as thorough as possible for our users in this post. While every VPN operator would love to assure you that you have 100% anonymity online (and many do) through their service, we feel that this level of marketing is deceptive and false. It should be noted that for the most part this post applies to our paid and premium customers as we do offer a free/ad-supported version of our product for people looking for a “trial”.