Solved

Bash script security/robustness

Posted on 2006-04-18
Medium Priority
444 Views
I have finished writing a bash script and I want to provide it with a little more robustness and security - all suggestions are welcome.

One of the things that I want to ensure is that the commands that are run (ex. "echo") are always run from a certain location (ex: "/bin or /usr/bin") - I think I can do this by setting the path in the script - does anyone else have any ideas?

Thanks
jculkincys
Question by:jculkincys

LVL 15

Assisted Solution

m1tk4 earned 200 total points
ID: 16482485

pushd <your certain location> in the beginning of the script

popd at the end.

Both are bash internal commands.


LVL 15

Accepted Solution

DonConsolio earned 400 total points
ID: 16482886
- don't write REALLY sensitive programs as shell scripts
  shells might do some "helpful" things behind your back to make life easier for you
- do not use untrusted input
  special characters are possible sources of trouble. "X=rm -rf" may NOT be the thing you want to run.
- set environment variables to known values
  PATH, IFS, etc. should be set to well-known values at the very start of your script
- use absolute pathnames whenever possible
  "ls -la" may call a program called "ls" in the current directory and not /bin/ls
  overwriting a file called "passwd" in the wrong directory may lead you into trouble
- change your current directory to a safe place
  "cd /tmp" can limit damage if your script goes berserk by accident
- quote all variables
  e.g. pathnames may contain embedded spaces
- do not call programs with "escape to shell" functions
  "vi", "less", etc. to "just display or modify a config file" may open doors into your system
- plan for errors
  check return codes of your commands whenever possible (even "cd /tmp/data" may fail and leave you in the wrong place) - this will considerably increase the size and complexity of your script
- check what you pass to other programs you call
  quote variables, remove unwanted special characters, etc.
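The checklist above turned into a runnable bash skeleton. This is an added example, not code from the thread or from any of the posters: the tools it resolves (cp, mkdir, mktemp, rm), the helper names (is_safe_name, is_abs_dir, copy_config) and the directory tree and file names built in demo() are assumptions made for the illustration.

```bash
#!/bin/bash
# Added example: a skeleton applying the checklist (pinned PATH/IFS, absolute
# command paths, validated input, quoted variables, checked return codes).
# Helper names, tool list and the files created in demo() are constructed.

# Pin the environment before anything else runs. PATH and IFS inherited from
# the caller are untrusted as far as this script is concerned.
PATH=/bin:/usr/bin
export PATH
IFS=$' \t\n'
umask 077

err() { printf '%s\n' "$*" >&2; }

# Resolve each external tool once, through the pinned PATH, into an absolute
# path and refuse to start if one is missing. Nothing later depends on the
# current directory or on whatever PATH the caller had.
CP=$(command -v cp)         || { err "missing tool: cp";     exit 1; }
MKDIR=$(command -v mkdir)   || { err "missing tool: mkdir";  exit 1; }
MKTEMP=$(command -v mktemp) || { err "missing tool: mktemp"; exit 1; }
RM=$(command -v rm)         || { err "missing tool: rm";     exit 1; }

# True for a plain file name made of [A-Za-z0-9._-] that does not start with
# "-" (cp would read that as an option). Rejects empty names, path
# separators and every shell metacharacter, so "X=rm -rf" never gets in.
is_safe_name() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# True for an existing directory given as an absolute path. Relative paths
# are refused so a later cd cannot change what they refer to.
is_abs_dir() {
    case "$1" in
        /*) [ -d "$1" ] ;;
        *)  return 1 ;;
    esac
}

# copy_config SRC_DIR DST_DIR NAME
# Copies SRC_DIR/NAME into DST_DIR, running cp from inside DST_DIR. Every
# variable is quoted, "--" ends option parsing, and each step's return code
# is checked. The cd runs in a subshell so the caller's directory is
# untouched even when something fails half way.
copy_config() {
    local src_dir="$1" dst_dir="$2" name="$3"
    is_abs_dir "$src_dir"   || { err "bad source dir: '$src_dir'";        return 1; }
    is_abs_dir "$dst_dir"   || { err "bad destination dir: '$dst_dir'";   return 1; }
    is_safe_name "$name"    || { err "rejected file name: '$name'";       return 1; }
    [ -f "$src_dir/$name" ] || { err "no such file: '$src_dir/$name'";    return 1; }
    (
        cd -- "$dst_dir" || { err "cannot cd to '$dst_dir'"; exit 1; }
        "$CP" -- "$src_dir/$name" "./$name" || { err "copy failed"; exit 1; }
    )
}

# Demonstration on a throwaway directory tree (constructed input): one good
# name is copied, the three hostile ones are refused before cp ever runs.
demo() {
    local work name
    work=$("$MKTEMP" -d) || return 1
    "$MKDIR" -- "$work/src" "$work/dst" || return 1
    printf 'listen=127.0.0.1\n' > "$work/src/app.conf"
    for name in 'app.conf' '-rf' 'app.conf; rm -rf /' '../etc/passwd'; do
        if copy_config "$work/src" "$work/dst" "$name"; then
            printf 'copied  %s\n' "$name"
        else
            printf 'refused %s\n' "$name"
        fi
    done
    "$RM" -rf -- "$work"
}
demo
```

Resolving the tools with command -v after PATH is pinned gives the absolute paths the list asks for without hard-coding /bin versus /usr/bin, which differs between systems; doing it once at the top also makes a missing tool a start-up failure instead of a surprise later. The subshell around cd is what keeps "cd may fail and leave you in the wrong place" from affecting the rest of the script.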

LVL 51

Assisted Solution

ahoffmann earned 200 total points
ID: 16485053
> One of the things that I want to ensure is that the commands that are run ..
set your PATH properly, then unalias anything you use, then precede all commands with \ like:
\cd ...
\rm ..

echo is a special case 'cause there exist various different implementations: each shell has its own, each OS has its own, and sometimes there is more than one echo executable per OS. You need to decide which one you want to use.

LVL 3

Assisted Solution

DVB earned 200 total points
ID: 16485368
I call all shell commands with the absolute path. This forces that exact command to be called, regardless of PATH settings.

If I use any variables, I set them in the script. Environment variables are not to be trusted.

Validate all input (as always).

LVL 51

Expert Comment

ID: 16485809
>  This forces that exact command to be called, regardless of PATH settings ..
.. and you're trapped by aliases (for built-in commands).

LVL 3

Expert Comment

ID: 16486051
Nope. Full paths disable aliases.

/bin/echo need not be the same as "echo".

LVL 51

Expert Comment

ID: 16486808
> Nope. Full paths disable aliases.
hmm, nice shell ... which shell does that (for example for cd, [, set, ...)? Please test before posting ;-)
I said built-in commands, see http:#16485809

LVL 2

Author Comment

ID: 16488557
m1tk4 - or anyone else

can you explain what pushd does?

LVL 15

Expert Comment

ID: 16488682
pushd saves the current directory to the "stack" and changes the current directory to the directory that is its argument.
popd changes the current directory to the last directory in the "stack" and removes the last entry from the "stack".

Example

# current directory = /home/somewhere
pushd /tmp
# current directory: /tmp, stack: /home/somewhere
pushd /var
# current directory: /var, stack: /tmp, /home/somewhere
popd
# current directory: /tmp, stack: /home/somewhere
popd
# current directory: /home/somewhere, we're back to where we started.

LVL 2

Author Comment

ID: 16489428
Cool m1tk4 thanks

ok what is the verdict on full paths?
should I do "echo" or "/bin/echo"

LVL 51

Expert Comment

ID: 16489537
> should I do "echo" or "/bin/echo"
these are 2 different things, you need to check man-pages (shell and echo) which one you want to use

LVL 15

Expert Comment

ID: 16489596
here is what is typically done in rcinit scripts:

ECHO="/bin/echo"

$ECHO "hello world"
$ECHO "hello hello"

and so on.
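On the "echo or /bin/echo" question the thread never settles which one to use. The following is an added example, not code from m1tk4 or anyone else in the thread: it shows what the choice costs when the printed data is not under your control, and the builtin (printf) that prints the same thing with every echo out of the picture. The sample values are constructed for the demonstration.

```bash
#!/bin/bash
# Added example, not from the thread: echo variants versus printf for data
# you do not control. Sample values are constructed.

# Lists every "echo" visible from this script: the shell builtin first, then
# each executable found on PATH. "type -a" is a bash builtin.
list_echos() {
    type -a echo
}

# Prints one line per argument, exactly as given. printf never treats its
# data arguments as options, so "-n", "-e" and "--help" are printed rather
# than interpreted, and the result does not depend on which echo the shell
# or the OS ships.
print_line() {
    printf '%s\n' "$@"
}

# For contrast: the data is lost or changed when echo interprets it. With
# the bash builtin (and with GNU and BSD /bin/echo) a value of "-n" prints
# nothing at all, so a log line built from user input silently vanishes.
demo() {
    local v
    list_echos
    for v in '-n' '-e' 'plain text'; do
        printf 'echo   gives: [%s]\n' "$(echo "$v")"
        printf 'printf gives: [%s]\n' "$(print_line "$v")"
    done
}
demo
```

If a script really must use an external echo (for instance to get identical output from several shells), the ECHO="/bin/echo" convention above at least pins which one runs; printf removes the need to decide.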

LVL 2

Author Comment

ID: 16499976
does anyone know how I could have pushd operate silently?


LVL 51

Expert Comment

ID: 16500064
depends on your shell, csh syntax:
pushd>&/dev/null

LVL 2

Author Comment

ID: 16500386
I believe it has something to do with setting the pushdsilent variable

according to http://www.ss64.com/osx/pushd.html

but I can't seem to get it to work

LVL 51

Expert Comment

ID: 16501386
pushd and popd are shell built-in commands; only csh and tcsh support the pushdsilent shell variable
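Two threads of the discussion meet here: the author's question of how to keep pushd quiet, and ahoffmann's point (ID 16485809 and ID 16486808) that an absolute path is no protection for builtins such as cd, [ or set, which can be aliased or shadowed by a function. The helper below is an added example, not code from anyone in the thread: in bash there is no pushdsilent, so the builtins' output is redirected to /dev/null, and they are invoked through "builtin" so a same-named function or alias cannot intercept them. The with_dir name, the shadowing pushd function and the directory used in demo() are constructed for the demonstration.

```bash
#!/bin/bash
# Added example, not from the thread: silent pushd/popd in bash, called via
# "builtin" so a shadowing function or alias cannot intercept them. The
# shadowing function and the demo directory are constructed.

# with_dir DIR CMD [ARG...]
# Enters DIR, runs CMD with its arguments, returns to the previous directory
# and reports CMD's exit status. If DIR cannot be entered, nothing is run.
with_dir() {
    local dir="$1" status
    shift
    # "builtin" bypasses any function or alias named pushd; the redirection
    # is what silences it (pushd prints the directory stack on success).
    if ! builtin pushd -- "$dir" >/dev/null 2>&1; then
        printf 'with_dir: cannot enter %s\n' "$dir" >&2
        return 1
    fi
    "$@"
    status=$?
    builtin popd >/dev/null 2>&1 || return 1
    return "$status"
}

# A shadowing definition of the kind ahoffmann warns about. An absolute path
# cannot help here, because pushd is a builtin, not a file on disk: every
# bare "pushd" in this script now lands in this function. with_dir does not,
# because it asks for the builtin explicitly.
pushd() {
    printf 'shadowed pushd called with: %s\n' "$*" >&2
    return 1
}

# Demonstration on a throwaway directory (constructed input).
demo() {
    local work
    work=$(mktemp -d) || return 1
    printf 'before: %s\n' "$(pwd)"
    with_dir "$work" pwd                 # runs pwd inside $work, quietly
    printf 'after:  %s\n' "$(pwd)"       # back where we started
    with_dir "$work/missing" pwd         # refused; pwd never runs
    pushd "$work"                        # a bare call hits the shadow
    rm -rf -- "$work"
}
demo
```

The same "builtin cd", "builtin [" and "command cp" forms cover the other cases ahoffmann lists; "command" resolves to a builtin or to a file on PATH but never to a function or alias, which is what the backslash trick in ID 16485053 achieves for aliases only.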
