Solved

# Bash script security/robustness

Posted on 2006-04-18
I have finished writing a bash script and I want to provide it with a little more robustness and security - all suggestions are welcome.

One of the things that I want to ensure is that the commands that are run (ex. "echo") are always run from a certain location (ex: "/bin or /usr/bin") - I think I can do this by setting the path in the script - does anyone else have any ideas?

Thanks
jculkincys
0
Question by:jculkincys

LVL 15

Assisted Solution

pushd <your certain location> in the beginning of the script

popd at the end.

Both are bash internal commands.

0

LVL 14

Accepted Solution

- don't write REALLY sensitive programs as shell scripts
  shells might do some "helpful" things behind your back to make life easier for you
- do not use untrusted input
  special characters are possible sources of trouble. "X=rm -rf" may NOT be the thing you want to run.
- set environment variables to known values
  PATH, IFS, etc. should be set to well known values at the very start of your script
- use absolute pathnames whenever possible
  "ls -la" may call a program called "ls" in the current directory and not /bin/ls
  overwriting a file called "passwd" in the wrong directory may lead you into trouble
- change your current directory to a safe place
  "cd /tmp" can limit damage if your script goes berserk by accident
- quote all variables
  e.g. pathnames may contain embedded spaces
- do not call programs with "escape to shell" functions
  "vi", "less", etc to "just display or modify a config file" may open doors into your system
- plan for errors
  check return codes of your commands whenever possible (even "cd /tmp/data" may fail and leave you in the wrong place) - this will considerably increase size and complexity of your script
- check what you pass to other programs you call
  quote variables, remove unwanted special characters, etc.
0
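The accepted answer's checklist applied to a script preamble, as an added example that is not part of any post in this thread. The helper names (harden_env, warn, safe_cd, valid_name, list_entry) and the /bin:/usr/bin search path are assumptions.

```bash
#!/bin/bash
# Added example: the checklist above as a preamble plus small helpers.
# Helper names and the /bin:/usr/bin path are assumptions.

harden_env() {
    PATH=/bin:/usr/bin; export PATH          # known search path
    LC_ALL=C; export LC_ALL                  # predictable character ranges
    IFS=$(printf ' \t\n_'); IFS=${IFS%_}     # space, tab, newline
    unset ENV BASH_ENV CDPATH                # no extra startup files, plain cd
    \unalias -a 2>/dev/null || true          # drop inherited aliases
    umask 077                                # new files private to the owner
}

warn() {
    # printf, not echo: echo implementations differ between shells and OSes.
    printf '%s\n' "$*" >&2
}

safe_cd() {
    # cd can fail; never carry on from an unexpected directory.
    cd -- "$1" 2>/dev/null || { warn "cannot enter: $1"; return 1; }
}

valid_name() {
    # Allow-list for an untrusted file name: no slash, space or shell
    # metacharacter, no "." or "..", no leading dash (read as an option).
    case $1 in
        '' | . | .. | -* | *[!A-Za-z0-9._-]*) return 1 ;;
    esac
}

list_entry() {
    # $1 = trusted directory, $2 = untrusted name; every expansion is quoted.
    valid_name "$2" || { warn "rejected name: $2"; return 2; }
    safe_cd "$1" || return 1
    /bin/ls -d -- "./$2"
}

harden_env   # run before anything else in the script
```

list_entry returns 2 for a rejected name and 1 when the directory cannot be entered, so a caller can tell the two failures apart.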

LVL 51

Assisted Solution

> One of the things that I want to ensure is that the commands that are run ..
set your PATH proper, then unalias anything you use, then precede all commands with \ like:
\cd ...
\rm ..

echo is a special case 'cause there exist various different implementations, each shell has its own, each OS has its own, sometimes there're more than one echo executable per OS. You need to decide which one you want to use.
0

LVL 3

Assisted Solution

I call all shell commands with the absolute path.  This forces that exact command to be called, regardless of PATH settings..

If I use any variables, I set them in the script. Environment variables are not to be trusted.

Validate all input (as always).
0

LVL 51

Expert Comment

>  This forces that exact command to be called, regardless of PATH settings ..
.. and you're trapped by aliases (for built-in commands).
0

LVL 3

Expert Comment

Nope. Full paths disable aliases.

/bin/echo need not be the same as "echo".
0

LVL 51

Expert Comment

> Nope. Full paths disable aliases.
hmm, nice shell ... which shell does that (for example for cd, [, set, ...)? Please test before posting ;-)
I said built-in commands, see http:#16485809
0
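What each spelling discussed in this exchange resolves to, as an added example that is not from any poster. The alias, the function and the helper names (shadow, unshadow, run, report) are constructed for illustration.

```bash
#!/bin/bash
# Added example: which definition of a name actually runs. The alias and
# the function are constructed stand-ins for definitions a script inherits.

# bash expands aliases in scripts only on request; other shells lack shopt.
shopt -s expand_aliases 2>/dev/null || true

shadow() {
    alias pwd='printf "%s\n" ALIAS'      # alias over a built-in
    cd() { printf '%s\n' FUNCTION; }     # function over a built-in
}

unshadow() {
    \unalias -a
    unset -f cd
}

run() {
    # eval parses "$1" at call time, so the current aliases apply to it.
    eval "$1"
}

report() {
    # One line per spelling: how it was written, what actually ran.
    for spelling in 'pwd' '\pwd' '/bin/pwd' 'cd /' '\cd /' \
                    'command cd / && \pwd'; do
        printf '%-22s -> %s\n' "$spelling" "$(run "$spelling")"
    done
}

shadow
report
unshadow
```

In this run the backslash skips the alias but not the function, the full path reaches the external /bin/pwd, and only `command cd` reaches the built-in cd, which has no full path to call.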

LVL 2

Author Comment

m1tk4 - or anyone else

can you explain what pushd does?
0

LVL 15

Expert Comment

pushd saves the current directory to the "stack" and changes current directory to the directory that is its argument
popd changes current directory to the last directory in the "stack" and removes the last entry in the "stack".

Example

# current directory = /home/somewhere
pushd /tmp
# current directory: /tmp, stack: /home/somewhere
pushd /var
# current directory: /var, stack: /tmp, /home/somewhere
popd
# current directory: /tmp, stack: /home/somewhere
popd
# current directory: /home/somewhere, we're back to where we started.
0

LVL 2

Author Comment

Cool m1tk4 thanks

ok what is the verdict on full paths?
should I do "echo" or "/bin/echo"
0

LVL 51

Expert Comment

> should I do "echo" or "/bin/echo"
these are 2 different things, you need to check man-pages (shell and echo) which one you want to use
0

LVL 15

Expert Comment

here is what is typically done in rcinit scripts:

ECHO="/bin/echo"

$ECHO "hello world"
$ECHO "hello hello"

and so on.

0

LVL 2

Author Comment

does anyone know how I could have pushd operate silently?

0

LVL 51

Expert Comment

depends on your shell, csh syntax:
pushd>&/dev/null
0

LVL 2

Author Comment

I believe it has something to do with setting the pushdsilent variable

according to http://www.ss64.com/osx/pushd.html

but I can't seem to get it to work
0

LVL 51

Expert Comment

pushd and popd are shell built-in commands, only csh and tcsh support pushdsilent shell variables
0
