Security: Prevent Override of Bash Builtins?

Greetings Bash Hackers,

I have been using Bash daily for several years as both a noscripting/glue language, and as a more general-purpose programming language. Something that has bothered me for a long time is Bash's lack of reserved words. Before you continue reading, you'll want to put your tin foil hat on.

In some other languages, there is a relatively large set of builtin functions that cannot be overridden for security reasons. Bash, on the other hand, has relatively few of these (i.e. time, if, function, et cetera), and some of the things that you'd expect to be reserved (i.e. builtin, declare, readonly, et cetera), are not. Maybe I'm wrong, but to me: this seems like an oversight and a pretty big security hole. I can see the utility of being able to mock out some of these builtins temporarily for unit testing purposes, but not being able to toggle that behavior seems like a huge issue. Someone with malicious intent, for example, could try to inject function definitions in the environment inherited by the noscript, or could use improperly sanitized noscript parameters to define malicious functions of the same name as builtins.

Going through Bash's info page, there is a "restricted mode" that prevents shell builtins from being overridden with functions of the same name, but that also toggles off quite a few other nice bash features that most people would want to keep in place, even if they toggled off the ability to override builtins. Not all, but many of these features disabled by restricted mode, don't appear to have major security issues that would warrant disabling them; or the security issues are easy to mitigate with decent input sanitization or similar security practices.

So, I have a few questions:

Is it unreasonable to expect Bash users to be able to toggle off features in a piecemeal fashion, instead of the all-or-none approach that restricted mode provides? Are all of the features that it toggles off equally dangerous and as difficult to mitigate?
If this is not an unreasonable goal, is there a way to toggle off just the ability to override builtins that I have just not been able to figure out yet?

To better illustrate this issue, here is an example of something I have considered that doesn't quite work. Since 'function' is a reserved word, I have used that to create a function that wraps builtins, like so:

function readonly() { builtin readonly $@; }

This would work great, if someone hasn't already overridden the 'builtin' builtin. You could 'unset' any potentially set/inherited builtin functions prior to invoking them, (including the 'builtin' builtin), but 'unset' could have been overridden as well. You could exclude the use of the 'builtin' builtin inside of the function definition above, but then its just a function that calls itself over-and-over again. You could make sure that any function you set in the way illustrated above is readonly, using the 'readonly' or 'declare' builtin, but you still have the same chicken-and-egg problem. The 'readonly' and 'declare' builtins could easily be overridden with a function the noscript maliciously (or accidentally) inherits from the environment, making it untrusted as well.

Based on the experiment above, I don't see a way to prevent the overriding of builtins using just the reserved words Bash has available. I also have not found a shell option (shopt) or bash flag that can be passed when invoking Bash that lets you prevent builtin overrides, without also toggling off a bunch of other useful features. Is there another version of the bash '-r' (aka restricted mode) flag that only toggles off the ability to override builtins? Is there some other, completely different, way to do this that I have not considered? Am I crazy for even wanting to do this?

https://redd.it/yeucrq
@r_bash

How to escape single quotes?

I know this question has been asked many times already, however none of the answers have worked for me. I am trying to escape single quotes so I can use variables in this shell noscript. The noscript recognizes specific links from a text file, then sends a command that replaces a specific string in a different file with a image link. It works fine, however not when I try to add a variable. It just says "No such file or directory" whenever executed.

#!/bin/bash
bash -c 'examplelink.com() { sed -i -e "/e_embed.set_thumbnail(url/s/\".*\"/\"exampleimagelink.com\"/" '$1'/cogs/Embeds.py; }; cd '$var'/'$2'; . ./file.txt';
var="/to/folder";

I have tried several things.

'"'"'$var'"'"'
"'$var'"
\'$var'\''

As well as other stuff including different combinations of the shown examples.

https://redd.it/yewd51
@r_bash

Shell expansion question

I'm trying to noscript the publishing and promotion of content-views in RH Satellite (The Foreman), and the versions aren't always equal, so I need to have dynamically named variables, like repo1\_ver, repo2\_ver, etc. The versions evaluate to 1.0, or 5.0, or whatever, always in an x.y format.

​

Here's a simplified version of what I'm doing

CV_LIST=(test0 test1 test2 test_space)

get_version() {
echo -e "===============\nWhat this does\n==============="
for CV in "${CV_LIST[@]}" ; do
declare -g ${CV}_VER=$(hammer --csv --no-headers content-view version list --content-view $CV | sed -n '1'p | awk -F, '{ print $3 }')
echo "${CV}_VER"
done

echo -e "\n\n===============\nWhat I want this to do\n==============="

echo $test0_VER
echo $test1_VER
echo $test2_VER
echo $test_space_VER

}

get_version

The output is

===============
What this does
===============
test0_VER
test1_VER
test2_VER
test_space_VER


===============
What I want this to do
===============
1.0
1.0
1.0
2.0

I want it to do that because I want to take the output of ${CV}\_VER and use it in the next hammer command to promote the content views to the next version in another loop, like

​

for ENV in Dev QA Mgmt PreProd Prod ; do hammer content-view version promote --content-view $CV --to-lifecycle-environment $ENV --version ${CV}_VER ; done

I know I could create another array and do like this

NEWVERS=(${test0_VER} ${test1_VER} ${test2_VER} ${test_space_VER})
for CV in "${CV_LIST[@]}" ; do
for VER in "${NEWVERS[@]}" ; do
for ENV in Dev QA Mgmt PreProd Prod ; do hammer content-view version promote --content-view $CV --to-lifecycle-environment $ENV --version $VER ; done
done
done

In fact, that's what I did. I just want to know if what I would prefer to do is possible, or if I'm trying to do something that can't be done.

https://redd.it/yf9kbp
@r_bash

Help reading a file that consists of single lines of commands, and then running those commands.

My aim is a noscript that reads lines of commands from a file, execute each line and then add the exit code from each to an array. Some lines have multiple commands. Forgive my mobile formatting, or lack thereof. My noscript is something like:

arr=()
while IFS= read -r line
do
#execute line
"${line}"
#add exit code from command to array
arr+=($?)
done < config.txt

And config.txt has commands like:
! -z $variable
crontab -l | grep -q "dothething.txt"
-d "/some/folder/path"
$inferesting_info > file.txt; #do some other things here; And one more thing here
...
My problem is, the commands are not being executed properly, and I'm thinking there's got to be a way to encapsulate each line of command(s) to have it parse correctly and then unwrap it to run iI: with a combination of parenthesis or quotations, or something. I just can't figure it out. Any help is greatly appreciated!

[https://redd.it/yfbnln
@r_bash

Part of my noscript is not working i need some help

am trying to automate image creation, am a total noob still, i know my code is probably an abomination too lol, anyway am trying to move 3 images from the source folder then apply some image processing then add the 3 images into one thumbnail and outputting it, everything worked just fined but the part that has " `# this part is not working i dont know why` " before maeking the code specify directories it was working, i appreciate the help :DD

&#x200B;

am here in the terminal trying to use the 3 directories in the noscript

~/coding/Fullnoscript$ ls
out processing sources 'test (copy).sh' test.sh

&#x200B;

#!/bin/bash

imgsu=sources
target=processing
outfold=out

i=0

ls -Q $imgsu/ | head -3 | xargs -i mv $imgsu/{} $target/


echo "Initiating"


for file in $target/* ; do
if [ -e "$file" ] ; then
mv "$file" $target/fileinput_$i.png
i=$((i+1))
fi
done

echo "Naming Finished!"

for file in $target/* ; do # this part is not working i dont know why
if [ -e "$file" ] ; then
convert $target/$file -resize 910x910 -fuzz 1% -trim +repage $target/$file
fi
done

echo "Resize Finished!"

convert -size 1920x1080 canvas:black \
-gravity southwest $target/fileinput_1.png -geometry +40+10 -composite \
-gravity southeast $target/fileinput_2.png -geometry +40+10 -composite \
-gravity north $target/fileinput_0.png -geometry +0+10 -composite \
$outfold/out.png

https://redd.it/yfmasz
@r_bash

Using python within readarray

I'm having issues trying to use python within readarray.. the error I get is "unexpected EOF while looking for matching ')'. This happens to be the first line of readarray. Any advice?

readarray -t ARR < <(python3 - <<-EOF
import os, itertools
....
....
EOF
)

https://redd.it/yfr3ts
@r_bash

Isolate first colum of output ?

Hi all,

&#x200B;

I'm currently writin a noscript to enable vpn connections on certain conditions on Ubuntu 20.04 machines exclusively, and to do so i need to get the exact name of the VPN connection.

&#x200B;

I use this command to grep all the vpn connection of the machine :

nmcli con | grep vpn

And the output looks like that :

VPN-Name xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx vpn --

&#x200B;

&#x200B;

What i would like is to get only the name in a text file.

I tried to use the awk command like so :

nmcli con | grep vpn | awk '{ print $1, $NF }'

But if the VPN name is two words then it gets only the first word :

For a VPN called "VPN Company Name" it will output "VPN" only.

&#x200B;

What i want is get the full name of the VPN but i couldn't find any option that could isolate names with the nmcli connection command.

https://redd.it/yfkb40
@r_bash

I created a noscript combining a few ssh commands

Hi everyone,

I combined my frequently used ssh, scp and sshfs commands into a simple noscript.
Github

Feel free to criticize

https://redd.it/yg0diu
@r_bash

Is it possible to iterate through array elements without using FOR or WHILE?

I wonder WHY:

printf 'Each element: %s\n' "${foo[@]}" will print each element of the array foo[@] but I still need to loop through the same array with for i in "${foo[@]}"? Is this because of printf()'s built-in logic? E.g.: sudo apt install "${foo[@]}" would be nice but it doesn't work for me.

Thanks!

https://redd.it/yg1t1k
@r_bash

dd from image to SD card: "short write on character device"

Hi,

I'm using MACOS but I think the OS is not the problem here.I tried to backup my 64GB SD card using DD, with:

sudo dd if=/dev/rdisk2 of=Miyoo64Gb.dmg status=progress bs=16M

That goes well. I put in another SD card (same size) and try to restore that same image with:sudo dd if=Miyoo64Gb.dmg of=/dev/rdisk2 status=progress bs=1m

However, it fails and I then get the error"short write on character device"

When I try to restore the image to SD card using the desktop (Disk Utility.app) it fails.

Another thing I tried is to mount both the .dmg image as wel as the new SD card and just copy the content from the image to the SD card, but then I get the error destination is full!

I've tried several SD cards, the image is fine, I can mount it and browse succesfully/any thoughts what can be the issue?

Another thing I was thinking of is the blocksize in the command (1M in my case), but then, I used the same blocksize for writing as reading, so I guess that cannot be the problem.

PLEASE HELP, I tried everything and I'm desperate howto get my SD card cloned.

https://redd.it/yg0sqt
@r_bash

Using output of one curl request in the next noscript

Hey guys, sorry if this has been asked here before, but I couldn’t find anything specific to my scenario and I don’t use bash that much.

I use a curl post request to get an address from an api, that I’m currently copy pasting as the location for the noscript I use next. The issue is the first noscript outputs other stuff too like status codes, upload speeds etc and I just need the url and without the quotation marks and then use it for the second noscript, what’s the simplest way to go about this in a bash file?

https://redd.it/yg7qcl
@r_bash

How to determine what block device is mapped to /dev/mapper/

I have an external drive mapped to /dev/mapper/backup.

My question is how do I verify what block device said mapping is mapped to?

My backup drive appears as /dev/sda, what would the command/noscript look like in order to verify that /dev/mapper/backup is in fact /dev/sda?

My god the amount of research I've done trying to figure how to do this is insane. Please send help, thank you

https://redd.it/yg91x4
@r_bash

How to test for connections excluding ping's

Hi

i am trying to run a minecraft(game) server, and make it start the server when someone tries to connect.

so, i tried using netcat -l 25565 and it work when i tried to connect, but that also accepted a ping connection and exited.

so, my question is, how to test for a connection that is not ping (or test if a connection is ping, to ignore it.)

https://redd.it/yh6wd3
@r_bash

if something > do something

hey so I have this noscript here and I was wondering about the reposonse from git pull "Already up to date."... Is there anyway I can just continue (break) if git pull returns "Already up to date." and if not continue to pull the next repo? like automate those two pulls so I dont have to press y or n to confirm to continue? Thanks alot!

&#x200B;

#!/bin/bash

cd ~/github/ares; git pull
while true; do
read -p "##### ares-update? ##### " yn
case $yn in
yes ) ares-update; break;;
[Nn] ) break;;
) echo "Please answer yes or no.";;
esac
done
cd ~/github/dhewm3; git pull
while true; do
read -p "##### dhewm3-update? ##### " yn
case $yn in
[Yy] ) dhewm3-update; break;;
Nn ) break;;
) echo "Please answer yes or no.";;
esac
done

&#x200B;

https://redd.it/yhbvcv
@r_bash

Standard place to define PATH and other environment variables

I've noticed that almost every installation noscript that adds something to PATH, and almost every guide that instructs the reader to define environment variables, chooses .bashrc for that. But if you want to be able to run commands over SSH non-interactively which depend on those modifications, .bashrc has no effect. In fact, at least on Ubuntu, .bashrc comes with code at the top to prevent you from sourcing it even explicitly in a non-interactive shell.

I can see the value of keeping non-interactive SSH commands quick by not loading more than is necessary, but I would think there would be a noscript where you could define things that you always want, like custom PATH additions. I haven't found a standard solution for this, and it's often annoying and surprising when my commands don't work because PATH isn't getting populated like I thought it would.

Am I missing something? How do you solve this problem?

https://redd.it/yhlriw
@r_bash

Workspace ONE Delivers the MacOS Updater Utility (MUU): Does it Finally Solve the Patching Woes of WS1 Mac Software Updates?
https://mobile-jon.com/2022/10/31/workspace-one-delivers-the-macos-updater-utility-does-it-finally-solve-the-patching-woes-of-ws1-mac-software-updates/

https://redd.it/yi0gv5
@r_bash

How can I get simple output from cURL download progress data?

I'm trying to "marry" `cURL` with `grep`|`awk`|`sed` to extract from the cURL output the real-time download percentage without using extra tools like `pv` and without showing the progress bar.

Preferred format: **Installing file... 55%** ### incrementing on the same position.

This is what I've tried so far after some research:

curl -L --output-dir ${apps_dir} "${url}" -o "${file_name}" 2>&1 | awk 'FNR == 2 '{print $1}' ### fails to show any data

Then I tried this:

curl -# -L --output-dir ${apps_dir} "${url}" -o "${file_name}" 2>&1 | stdbuf -o L tr '\r' '\n' | stdbuf -o L grep -Eo '[0-9.]*%'

The problem with the last line of code (note `-#`) is that it shows what I want but:
* prints out data on new line
* I don't know how to put the printout next to the string "Installing file..." (shame on me!)

Thank you!

https://redd.it/yi8sou
@r_bash

If first word starts with a vowel?

Hi, I’m trying to make a if statement that prints the 10 first lines if the first word in the file starts with a vowel. If not, it should print the 15 first lines in the file.

$first is the first word in the text file

words-sorted.txt is a text file containing a lot of random words

This is what I have tried:

if [[ "$first" == [^aeiou]* ]]
then
cat words-sorted.txt | head -n10
else
cat words-sorted.txt | head -n15
fi

I think there is something wrong with the «[^aeiou]*» part, but I don’t quite understand it.

Now it just prints the first 10 lines of the file, even if the first word starts with a consonant.

If I remove the «*» it print the first 15 lines, even if the first word starts with a vowel.

Any help is appreciated :)

https://redd.it/yidruk
@r_bash

My first noscript, would appriacate feedback!

I wrote my first bash noscript for users and groups management, I've been studying on my own for around two weeks and thought I should try to write somthing.

The noscript is around 95% bash with little bit of awk.

I would appriacate any feedback or suggestion as for how to improve the noscript or what to learn next.

Also, I got help in this forum so I want to say thank you very much to anyone that helped!

Its too long to post here so I pasted it in github.

https://github.com/Kakabom/Kakabom/blob/main/Script.bash

https://redd.it/yilt70
@r_bash

Use diff to find new usb port

Hi, I have a lot of usb ports on my pc and oftentimes I don't seem to find the right one under /dev/tty*. Is there a cleaner version of what I do here to detect a newly added usbport?

Currently Im doing this:
\- I did a /dev/tty* snapshot with all usb devices I normally use plugged in and store it somewhere. The command is: ls /dev/tty* > ~/somewhere/usbdevices
\-as I am plugging in a new usb device I run this noscript and get the newly added usb tty port:
diff ~/somewhere/usbdevices <(ls /dev/tty*).

&#x200B;



I just wonder, whether there is a cleaner solution to get the same output.

&#x200B;

Thank you

Edit: if it is important, I'm on a mac

https://redd.it/yipoqr
@r_bash

ssh with expect, send and interact

Have this code, which works as intended:

exec expect -c "
        spawn ssh user@host
        expect {
                "password:" {send "1234"}
        }
        interact timeout 3599 {send "000"}
"

I would like to add another line under the one with "password:" for auto "sudo su -" . How can I do that? - Adding multiple expects. Adding the trigger keyword and the send doesn't work.

TIA

https://redd.it/yjfc69
@r_bash