Bash script security/robustness

Posted on 2006-04-18
Last Modified: 2010-04-20
I have finished writing a bash script and I want to provide it with a little more robustness and security - all suggestions are welcome.

One of the things that I want to ensure is that the commands that are run (ex. "echo") are always run from a certain location (ex: "/bin" or "/usr/bin") - I think I can do this by setting the path in the script - does anyone else have any ideas?

Thanks
jculkincys
16 Comments
 
LVL 15

Assisted Solution

by:m1tk4
m1tk4 earned 200 total points
ID: 16482485

pushd <your certain location> at the beginning of the script

popd at the end.

Both are bash internal commands.

LVL 15

Accepted Solution

by:
DonConsolio earned 400 total points
ID: 16482886
- don't write REALLY sensitive programs as shell scripts
shells might do some "helpful" things behind your back to make life easier for you
- do not use untrusted input
special characters are possible sources of trouble. "X=`rm -rf`" may NOT be the thing you want to run.
- set environment variables to known values
PATH, IFS, etc. should be set to well-known values at the very start of your script
- use absolute pathnames whenever possible
"ls -la" may call a program called "ls" in the current directory and not /bin/ls
overwriting a file called "passwd" in the wrong directory may lead you into trouble
- change your current directory to a safe place
"cd /tmp" can limit damage if your script goes berserk by accident
- quote all variables
e.g. pathnames may contain embedded spaces
- do not call programs with "escape to shell" functions
"vi", "less", etc to "just display or modify a config file" may open doors into your system
- plan for errors
check return codes of your commands whenever possible (even "cd /tmp/data" may fail and leave
you in the wrong place) - this will considerably increase size and complexity of your script
- check what you pass to other programs you call
quote variables, remove unwanted special characters, etc.
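As an added example (not code from this thread), the following sh preamble applies the points in the answer above: PATH and IFS set to known values, required programs verified by absolute path, a cd whose return code is checked, and a whitelist check for untrusted input before it is quoted into a command. The function names and the program paths (/bin/ls, /tmp) are assumptions.

```shell
#!/bin/sh
# Added example: a hardened script preamble. Function names and paths are assumed.

# 1. Known environment: fixed PATH, default IFS (space, tab, newline), no aliases.
PATH='/bin:/usr/bin'
export PATH
IFS=$(printf ' \t\nx'); IFS=${IFS%x}   # the trailing x keeps printf's newline
unalias -a 2>/dev/null || true          # drop any aliases the shell inherited
set -u                                  # an unset variable is an error, not ""

# 2. Absolute pathnames: verify each required program up front. Prints the
#    path so callers can capture it; returns 1 if it is missing or not a file.
require_bin() {
    if [ -x "$1" ] && [ ! -d "$1" ]; then
        printf '%s\n' "$1"
    else
        printf 'required program missing: %s\n' "$1" >&2
        return 1
    fi
}

# 3. Plan for errors: a cd that fails loudly instead of leaving us elsewhere.
safe_cd() {
    cd "$1" 2>/dev/null || { printf 'cannot cd to %s\n' "$1" >&2; return 1; }
}

# 4. Untrusted input: accept only a conservative filename alphabet; reject
#    empty names, leading dot or dash (hidden files, option injection), and
#    anything outside [A-Za-z0-9._-], which covers '/', ';', '`', '$', spaces.
is_safe_name() {
    case "$1" in
        '' | .* | -* | *[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Usage sketch (defined here, not called): every expansion quoted, '--' ends
# option parsing so a validated name can never be read as a switch.
main() {
    LS=$(require_bin /bin/ls) || return 1
    safe_cd /tmp || return 1
    is_safe_name "${1:-}" || { printf 'rejected input: %s\n' "${1:-}" >&2; return 1; }
    "$LS" -l -- "$1"
}
```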
LVL 51

Assisted Solution

by:ahoffmann
ahoffmann earned 200 total points
ID: 16485053
> One of the things that I want to ensure is that the commands that are run ..
set your PATH properly, then unalias anything you use, then precede all commands with \ like:
  \cd ...
  \rm ..

echo is a special case 'cause there exist various different implementations, each shell has its own, each OS has its own, sometimes there're more than one echo executable per OS. You need to decide which one you want to use.
LVL 3

Assisted Solution

by:DVB
DVB earned 200 total points
ID: 16485368
I call all shell commands with the absolute path. This forces that exact command to be called, regardless of PATH settings.

If I use any variables, I set them in the script. Environment variables are not to be trusted.

Validate all input (as always).
LVL 51

Expert Comment

by:ahoffmann
ID: 16485809
>  This forces that exact command to be called, regardless of PATH settings ..
.. and you're trapped by aliases (for built-in commands).
LVL 3

Expert Comment

by:DVB
ID: 16486051
Nope. Full paths disable aliases.

/bin/echo need not be the same as "echo".
LVL 51

Expert Comment

by:ahoffmann
ID: 16486808
> Nope. Full paths disable aliases.
hmm, nice shell ... which shell does that (for example for cd, [, set, ...)? Please test before posting ;-)
I said built-in commands, see http:#16485809
LVL 2

Author Comment

by:jculkincys
ID: 16488557
m1tk4 - or anyone else

can you explain what pushd does?
LVL 15

Expert Comment

by:m1tk4
ID: 16488682
pushd saves the current directory to the "stack" and changes the current directory to the directory that is its argument.
popd changes current directory to the last directory in the "stack" and removes the last entry in the "stack".

Example

# current directory = /home/somewhere
pushd /tmp
# current directory: /tmp, stack: /home/somewhere
pushd /var
# current directory: /var, stack: /tmp, /home/somewhere
popd
# current directory: /tmp, stack: /home/somewhere
popd
# current directory: /home/somewhere, we're back to where we started.
LVL 2

Author Comment

by:jculkincys
ID: 16489428
Cool m1tk4 thanks

ok what is the verdict on full paths?
should I do "echo" or "/bin/echo"
LVL 51

Expert Comment

by:ahoffmann
ID: 16489537
> should I do "echo" or "/bin/echo"
these are 2 different things, you need to check man-pages (shell and echo) which one you want to use
LVL 15

Expert Comment

by:m1tk4
ID: 16489596
here is what is typically done in rcinit scripts:

ECHO="/bin/echo"

$ECHO "hello world"
$ECHO "hello hello"

and so on.

LVL 2

Author Comment

by:jculkincys
ID: 16499976
does anyone know how I could have pushd operate silently?

LVL 51

Expert Comment

by:ahoffmann
ID: 16500064
depends on your shell, csh syntax:
pushd>&/dev/null
LVL 2

Author Comment

by:jculkincys
ID: 16500386
I believe it has something to do with setting the pushdsilent variable

according to http://www.ss64.com/osx/pushd.html

but I can't seem to get it to work
LVL 51

Expert Comment

by:ahoffmann
ID: 16501386
pushd and popd are shell built-in commands, only csh and tcsh support the pushdsilent shell variable