Bash script security/robustness

I have finished writing a bash script and I want to provide it with a little more robustness and security - all suggestions are welcome.

One of the things that I want to ensure is that the commands that are run (ex. "echo") are always run from a certain location (ex: "/bin or /usr/bin") - I think can do this by setting the path in the script - does anyone else have any ideas?

Thanks
jculkincys
LVL 2
jculkincysAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

m1tk4Commented:

pushd <your certain location> in the beginning of the script

popd at the end.

Both are bash internal commands.




DonConsolioCommented:
- don't write REALLY sensitive programs as shell scripts
shells might do some "helpful" things behind your back to make life easier for you
- do not use untrusted input
special characters are possible sources of trouble. "X=`rm -rf`" may NOT be the thing you want to run.
- set environment variables to known values
PATH, IFS, etc. should be sed to well known values at the very start of your script
- use absolute pathnames whenever possible
"ls -la" may call al programm called "ls" in the current directory and not /bin/ls
overwriting a file called "passwd" in the wrong directory may lead you into trouble
- change your current directory to a safe place
"cd /tmp" can limit damage if your script goes berserk by accident
- quote all variables
e.g. pathnames may contain embedded spaces
- do not call programs with "escape to shell" functions
"vi", "less", etc to "just display or modify a config file" may open doors into your system
- plan for errors
check return codes of your commands whenever possible (even "cd /tmp/data" may fail and leave
you in the wrong place) - this will cnsiderably increase size and complexity of your script
- check what you pass to other programs you call
quote variables, remove unwanted special characters, etc.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
ahoffmannCommented:
> One of the things that I want to ensure is that the commands that are run ..
set your PATH proper, then unalias anything you use, then preceed all commands with \ like:
  \cd ...
  \rm ..

echo is a special case 'caus ethere exist various different implementations, each shell has its own, each OS has its own, sometimes there're more than one echo executable per OS. You need to decide which one you want to use.
The 7 Worst Nightmares of a Sysadmin

Fear not! To defend your business’ IT systems we’re going to shine a light on the seven most sinister terrors that haunt sysadmins. That way you can be sure there’s nothing in your stack waiting to go bump in the night.

DVBCommented:
I call all shell commands with the absolute path.  This forces that exact command to be called, regardless of PATH settings..

If I use any variables, I set them in the script. Environment variables are not to be trusted.

Validate all input (as always).
ahoffmannCommented:
>  This forces that exact command to be called, regardless of PATH settings ..
.. and you're trapped by aliases (for built-in commands).
DVBCommented:
Nope. Full paths disable aliases.

/bin/echo need not be the same as "echo".
ahoffmannCommented:
> Nope. Full paths disable aliases.
hmm, nice shell ... which shell does that (for example for cd, [, set, ...)? Please test before posting ;-)
I said built-in commands, see http:#16485809
jculkincysAuthor Commented:
m1tk4 - or anyone else

can you explain what pushd does?
m1tk4Commented:
pushd saves the current directory to the "stack" and changes current directory to the directory that is its argument
popd changes current directory to the last directory in the "stack" and removes the last entry in the "stack".

Example

# current directory = /home/somewhere
pushd /tmp
# current directory: /tmp, stack: /home/somewhere
pushd /var
# current directory: /var, stack: /tmp, /home/somewhere
popd
# current directory: /tmp, stack: /home/somewhere
popd
# current directory: /home/somewhere, we're back to where we started.
jculkincysAuthor Commented:
Cool m1tk4 thanks

ok what is the verdict on full paths?
should I do "echo" or "/bin/echo"
ahoffmannCommented:
> should I do "echo" or "/bin/echo"
these are 2 different things, you need to check man-pages (shell and echo) which one you want to use
m1tk4Commented:
here is what is typically done in rcinit scripts:

ECHO="/bin/echo"

$ECHO "hello world"
$ECHO "hello hello"

and so on.

jculkincysAuthor Commented:
does anyone know how I could have pushd operate silently?

ahoffmannCommented:
depends on yopur shell, csh syntax:
pushd>&/dev/null
jculkincysAuthor Commented:
I believe it has something to do with setting the pushdsilent variable

according to http://www.ss64.com/osx/pushd.html


but I can't seem to get it to work
ahoffmannCommented:
pushd and popd are shell built-in commands, only csh and tcsh support pushdsilent shell variables
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Linux

From novice to tech pro — start learning today.