• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 448
  • Last Modified:

Bash script security/robustness

I have finished writing a bash script and I want to provide it with a little more robustness and security - all suggestions are welcome.

One of the things that I want to ensure is that the commands that are run (ex. "echo") are always run from a certain location (ex: "/bin or /usr/bin") - I think can do this by setting the path in the script - does anyone else have any ideas?

Thanks
jculkincys
0
jculkincys
Asked:
jculkincys
  • 6
  • 4
  • 3
  • +2
4 Solutions
 
m1tk4Commented:

pushd <your certain location> in the beginning of the script

popd at the end.

Both are bash internal commands.




0
 
DonConsolioCommented:
- don't write REALLY sensitive programs as shell scripts
shells might do some "helpful" things behind your back to make life easier for you
- do not use untrusted input
special characters are possible sources of trouble. "X=`rm -rf`" may NOT be the thing you want to run.
- set environment variables to known values
PATH, IFS, etc. should be sed to well known values at the very start of your script
- use absolute pathnames whenever possible
"ls -la" may call al programm called "ls" in the current directory and not /bin/ls
overwriting a file called "passwd" in the wrong directory may lead you into trouble
- change your current directory to a safe place
"cd /tmp" can limit damage if your script goes berserk by accident
- quote all variables
e.g. pathnames may contain embedded spaces
- do not call programs with "escape to shell" functions
"vi", "less", etc to "just display or modify a config file" may open doors into your system
- plan for errors
check return codes of your commands whenever possible (even "cd /tmp/data" may fail and leave
you in the wrong place) - this will cnsiderably increase size and complexity of your script
- check what you pass to other programs you call
quote variables, remove unwanted special characters, etc.
0
 
ahoffmannCommented:
> One of the things that I want to ensure is that the commands that are run ..
set your PATH proper, then unalias anything you use, then preceed all commands with \ like:
  \cd ...
  \rm ..

echo is a special case 'caus ethere exist various different implementations, each shell has its own, each OS has its own, sometimes there're more than one echo executable per OS. You need to decide which one you want to use.
0
Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

 
DVBCommented:
I call all shell commands with the absolute path.  This forces that exact command to be called, regardless of PATH settings..

If I use any variables, I set them in the script. Environment variables are not to be trusted.

Validate all input (as always).
0
 
ahoffmannCommented:
>  This forces that exact command to be called, regardless of PATH settings ..
.. and you're trapped by aliases (for built-in commands).
0
 
DVBCommented:
Nope. Full paths disable aliases.

/bin/echo need not be the same as "echo".
0
 
ahoffmannCommented:
> Nope. Full paths disable aliases.
hmm, nice shell ... which shell does that (for example for cd, [, set, ...)? Please test before posting ;-)
I said built-in commands, see http:#16485809
0
 
jculkincysAuthor Commented:
m1tk4 - or anyone else

can you explain what pushd does?
0
 
m1tk4Commented:
pushd saves the current directory to the "stack" and changes current directory to the directory that is its argument
popd changes current directory to the last directory in the "stack" and removes the last entry in the "stack".

Example

# current directory = /home/somewhere
pushd /tmp
# current directory: /tmp, stack: /home/somewhere
pushd /var
# current directory: /var, stack: /tmp, /home/somewhere
popd
# current directory: /tmp, stack: /home/somewhere
popd
# current directory: /home/somewhere, we're back to where we started.
0
 
jculkincysAuthor Commented:
Cool m1tk4 thanks

ok what is the verdict on full paths?
should I do "echo" or "/bin/echo"
0
 
ahoffmannCommented:
> should I do "echo" or "/bin/echo"
these are 2 different things, you need to check man-pages (shell and echo) which one you want to use
0
 
m1tk4Commented:
here is what is typically done in rcinit scripts:

ECHO="/bin/echo"

$ECHO "hello world"
$ECHO "hello hello"

and so on.

0
 
jculkincysAuthor Commented:
does anyone know how I could have pushd operate silently?

0
 
ahoffmannCommented:
depends on yopur shell, csh syntax:
pushd>&/dev/null
0
 
jculkincysAuthor Commented:
I believe it has something to do with setting the pushdsilent variable

according to http://www.ss64.com/osx/pushd.html


but I can't seem to get it to work
0
 
ahoffmannCommented:
pushd and popd are shell built-in commands, only csh and tcsh support pushdsilent shell variables
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

  • 6
  • 4
  • 3
  • +2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now