Can bash be replaced entirely in OS X?

First, you don't need to do this unless you are offering web services to the public internet from your Mac. If you are not, wait until there is an official security update from Apple.

However, if you are offering web services, you might want to update.

Official Patch

Apple has released an Official Bash Security Update Here

Checking whether you are vulnerable

First confirm that you are using an outdated bash:

$ which bash
/bin/bash
$ /bin/bash --version
GNU bash, version 3.2.51(1)-release (x86_64-apple-darwin13)
Copyright (C) 2007 Free Software Foundation, Inc.

The most current bash is 4.3.25

If you don't have Xcode installed, you'll need the Xcode command line tools, which can be installed by

$ xcode-select --install

Or from the developer portal.

To install Brew (http://brew.sh):

$ ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)"

Then do:

$ brew doctor

Follow any instructions if there are problems. Many common problems are addressed here.

Then update brew to the latest list of packages:

$ brew update

To get the latest bash 4.3.25:

$ brew install bash

This installs bash into /usr/local/Cellar/bash/4.3.25/bin/bash

The old bash and sh still exist at /bin, so after installing you'll rename the old executables to a new file.

$ sudo mv /bin/bash /bin/bash_old
$ sudo mv /bin/sh /bin/sh_old

If you are very paranoid, you can remove execute permissions on the bash_old.

$ sudo chmod a-x /bin/bash_old /bin/sh_old

Then create a symbolic link to the new bash 4.3.25 that brew installed.

$ sudo ln -s /usr/local/Cellar/bash/4.3.25/bin/bash /bin/bash
$ sudo ln -s /usr/local/Cellar/bash/4.3.25/bin/bash /bin/sh

Reboot and it is complete.

A warning — this may break some existing shell scripts that might rely on bash 3.2 or the differences that the Mac sh has over the linux sh. There is a much more sophisticated answer to replacing bash and sh from sources in this post.

In most cases it is best to wait for official updates.
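An added check, not part of any answer on this page, for auditing the interpreters the procedure above renames and symlinks: it reports what each path is, its version line, and whether the binary still runs a command appended to a function definition imported from the environment (the standard local self-test). The Cellar path is the one quoted above and the marker string is a constructed value.

```shell
# Added example, not from any answer on this page: audit the interpreters the
# procedure above renames and symlinks. For each path it prints what the path
# is (file or symlink target), its version line, and whether the binary still
# runs a command appended to an imported function definition (the standard
# local self-test). The version alone cannot settle that, since vendor
# patches keep the same major version number.

# Returns 0 if the shell at $1 runs the command appended to an exported
# function definition, 1 if it ignores it, 2 if $1 cannot be executed.
imports_env_function() {
    [ -x "$1" ] || return 2
    out=$(env probe='() { :;}; echo APPENDED_COMMAND_RAN' \
          "$1" -c 'true' </dev/null 2>/dev/null || true)
    case "$out" in
        *APPENDED_COMMAND_RAN*) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints one summary line for $1; missing paths are reported, not errors,
# because /bin/bash_old only exists once the rename above has been done.
describe_shell() {
    path="$1"
    if [ ! -e "$path" ]; then
        printf '%s: not present\n' "$path"
        return 0
    fi
    if [ -L "$path" ]; then kind="symlink -> $(readlink "$path")"
    else kind="regular file"; fi
    if [ -x "$path" ]; then
        version=$("$path" --version </dev/null 2>/dev/null | head -n 1)
        [ -n "$version" ] || version="no --version output"
    else
        version="not executable (chmod a-x applied)"
    fi
    imports_env_function "$path" && rc=0 || rc=$?
    case $rc in
        0) status="STILL RUNS APPENDED COMMAND" ;;
        1) status="ignores appended command" ;;
        *) status="not tested" ;;
    esac
    printf '%s: %s; %s; %s\n' "$path" "$kind" "$version" "$status"
}

# The paths the procedure above touches; the Cellar path is the one it quotes
# and changes with the brew version installed.
for p in /bin/bash /bin/sh /bin/bash_old /bin/sh_old \
         /usr/local/Cellar/bash/4.3.25/bin/bash; do
    describe_shell "$p"
done
```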


As @webmarc said, no. You can replace /bin/bash with some other shell but you will certainly break some programs because bash has several differences in its syntax that make it incompatible. I couldn’t find a bash-compatible alternative shell. However I symlinked dash to /bin/sh and found no issues so far.

Regarding the DHCP, here there is a proof-of-concept attack. The article is about dhcpcd (a Linux client). I’m not sure about Mac OS X. In the discussion on Hacker News they say the OS X client doesn't use bash at all.

Another vector could be sshd. But the attack requires authentication. So, unless you are running some ssh service like a git server you should be safe.


dash contains only a tiny subset of the commands found in bash and even sh (which itself is a subset of things in bash). Replacing either with dash will surely yield inoperable scripts on your system and possibly break your system more than it protects your system.

You can recompile bash to mitigate some (at the time this was written) of the potential danger or wait for Apple to release an official fix.


Unfortunately, no... various shells have differing syntaxes, making the scripts written for one shell possibly incompatible with another shell.

I haven't seen the DHCP based infection you're speaking of, can you provide a link in your question?