(28) Security
|
Don't make scripts set-UID. Most systems don't even allow a script to be made set-UID (Linux, for one, silently ignores the set-UID bit on interpreted scripts). It is impossible, due to inherent race conditions, to ensure that a set-UID script cannot be compromised: the kernel opens the script only to read the #! line, then the interpreter re-opens it by name, and whoever controls that name in between (a symlink in a directory they own, for instance) can substitute a script of their own.
Use wrapper programs like sudo instead.
Set $PATH at the start of a script, so that you know exactly which external programs will be used. A script that inherits the caller's $PATH can be made to run a trojan ls, rm or mv planted in a directory earlier in that path (or in the current directory, if "." is on it).
Use $TMPDIR, and create files safely (e.g. mktemp).
Often scripts will write to a fixed, or trivially generated, temporary filename in /tmp. If the file already exists and you don't have permission to overwrite it, the script will fail. If you do have permission to overwrite it, you will delete the previous contents. Since /tmp is world-writable, another user may create files (or symbolic links) in it, or possibly fill it completely.
Example:
- A link is created by an unprivileged user in /tmp:
      /tmp/scratch -> /vmunix
- A root user runs a script that blindly writes a scratch file to /tmp/scratch, and overwrites the operating system.

Environment variable: $TMPDIR is often used to indicate a preferred location for temporary files (e.g., a per-user directory). Some systems may use $TMP or $TEMP. Safe scratch files can be made by creating a new directory, owned and writeable only by you, then creating files in there.

Example:
    (umask 077 && mkdir /tmp/tempdir.$$) || exit 1

or (deluxe version)

    tmp=${TMPDIR:-/tmp}
    tmp=$tmp/tempdir.$RANDOM.$RANDOM.$RANDOM.$$

    (umask 077 && mkdir "$tmp") || {
        echo "Could not create temporary directory" 1>&2
        exit 1
    }

The safety comes from mkdir: it fails if the name already exists, so an attacker cannot pre-create or symlink the directory, and umask 077 means nobody else can read or enter it. $$ on its own is easy to guess, which is why the deluxe version mixes in $RANDOM (a bash/ksh feature; a plain POSIX sh expands it to nothing, and you are back to relying on mkdir failing). Alternatively, many systems have mktemp (mktemp -d for a directory) to safely create a temporary file and return the filename, which can be used by the script and then deleted.
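The /tmp/scratch attack and the mkdir/mktemp defence above, replayed inside a throwaway directory so it can be run safely. This is an added example, not code from the original page; the file names vmunix and scratch, and the functions setup_sandbox, naive_scratch and safe_scratch, are stand-ins chosen for the demonstration. Nothing here touches the real /tmp or a kernel image.

```shell
#!/bin/sh
# Added example (not from the original page). All paths are constructed
# inside a directory obtained from mktemp -d; "vmunix" is a stand-in for
# the file a privileged script would clobber.

# Build the scene: a victim file, and the symlink an unprivileged user
# would plant under the name the script is known to use.
setup_sandbox() {
    sandbox=$(mktemp -d) || return 1
    printf 'precious kernel bytes\n' > "$sandbox/vmunix"
    ln -s "$sandbox/vmunix" "$sandbox/scratch"
    echo "$sandbox"
}

# The vulnerable pattern: a fixed, predictable scratch name opened with '>'.
# open(2) follows the symlink, so the victim is truncated and overwritten.
naive_scratch() {   # $1 = sandbox dir; prints what "vmunix" contains afterwards
    echo "scratch data" > "$1/scratch"
    cat "$1/vmunix"
}

# The safe pattern: a fresh directory only we own, created atomically by
# mktemp -d under $TMPDIR (it fails rather than reuse an existing name),
# plus a trap so the directory is removed however the script exits.
safe_scratch() {    # $1 = sandbox dir, used as $TMPDIR; prints "vmunix" afterwards
    TMPDIR=$1
    export TMPDIR
    tmp=$(umask 077 && mktemp -d "${TMPDIR}/tempdir.XXXXXX") || {
        echo "Could not create temporary directory" 1>&2
        return 1
    }
    trap 'rm -rf "$tmp"' EXIT HUP INT TERM
    echo "scratch data" > "$tmp/scratch"   # no attacker could pre-create this name
    cat "$1/vmunix"
}

# Usage (commented out so the file can also be sourced):
#   sb=$(setup_sandbox); naive_scratch "$sb"   # prints "scratch data": vmunix was clobbered
#   sb=$(setup_sandbox); safe_scratch "$sb"    # prints "precious kernel bytes"
```

The difference is not the file name but the system call: mkdir and mktemp create a new name and fail if it already exists, whereas `>` happily opens whatever the name currently points at.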
Filenames taken from the output of ls or find may contain characters that the shell, or xargs, treats as special: whitespace, quotes, backslashes, ";", "?" and "*".

Example:
Consider the effects of a file named "myfile;cd /;rm *" if processed, unquoted, by your script.

One possible way to protect against weirdo characters in file names:

    # A function to massage a list of filenames
    # to protect weirdo characters
    # e.g. find ... | protect_filenames | xargs command
    #
    # We are backslash-protecting the characters \'" ?*;
    # Each sed expression is quoted so that sed sees the literal
    # character: an unquoted \' or \? is an anchor or an operator
    # in GNU sed. The backslash must be doubled first, before any
    # other backslashes are introduced.
    protect_filenames() {
        sed -e 's/\\/\\\\/g' \
            -e "s/'/\\\\'/g" \
            -e 's/"/\\"/g' \
            -e 's/;/\\;/g' \
            -e 's/?/\\?/g' \
            -e 's/\*/\\*/g' \
            -e 's/ /\\ /g'
    }

This relies on xargs removing the backslashes again when it splits its input into arguments; it still cannot cope with a newline inside a file name, because newline is the record separator. If using GNU find and xargs, there is a much cleaner option to null-terminate generated pathnames (find ... -print0 | xargs -0 command), which is safe for every byte a file name can contain.
security.src last modified Mar 11, 2005
© Dartmouth College