(29) Security
Don't use set-UID scripts. Most systems don't even allow a script to be made set-UID, and it is impossible (due to inherent race conditions) to ensure that a set-UID script cannot be compromised. Use wrapper programs like sudo instead.
Set $PATH at the start of a script, so that you know exactly which external programs will be used.
Be careful with $TMPDIR, and create files safely (e.g. mktemp).

Often scripts will write to a fixed, or trivially generated, temporary filename in /tmp. If the file already exists and you don't have permission to overwrite it, the script will fail. If you do have permission to overwrite it, you will delete the previous contents. Since /tmp is publicly writable, another user may create files in it, or possibly fill it completely.

Example:
- A link is created by an unprivileged user in /tmp:
      /tmp/scratch -> /vmunix
- A root user runs a script that blindly writes a scratch file to /tmp/scratch, and overwrites the operating system.
The environment variable $TMPDIR is often used to indicate a preferred location for temporary files (e.g., a per-user directory). Some systems may use $TMP or $TEMP. Safe scratch files can be made by creating a new directory, owned and writeable only by you, then creating files in there.
Example:

    (umask 077 && mkdir /tmp/tempdir.$$) || exit 1

or (deluxe version):

    # Honour $TMPDIR if set, otherwise fall back to /tmp
    tmp=${TMPDIR:-/tmp}
    # Hard-to-guess name: three random numbers plus our PID
    tmp=$tmp/tempdir.$RANDOM.$RANDOM.$RANDOM.$$
    # mkdir fails if the name already exists, so a pre-planted
    # file or link cannot be silently reused
    (umask 077 && mkdir "$tmp") || {
        echo "Could not create temporary directory" 1>&2
        exit 1
    }

Alternatively, many systems have mktemp to safely create a temporary file and return the filename, which can be used by the script and then deleted.
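The following script is an added example and is not from the course notes. It puts the advice above into one piece: an explicit $PATH, a private scratch directory created atomically with mktemp -d (assumed available; most systems have it), a check that refuses to write through a pre-existing path or symbolic link such as the /tmp/scratch -> /vmunix trick, and a trap that removes the directory however the script exits.

```shell
#!/bin/sh
# Added example (not from the course notes): a private scratch directory
# created atomically, plus a check that refuses to write through a path
# another user may have planted (such as /tmp/scratch -> /vmunix).

# Know exactly which external programs will run.
PATH=/bin:/usr/bin
export PATH

# Create a fresh mode-0700 directory under $TMPDIR (or /tmp) and print its
# name.  mktemp -d (assumed available; most systems have it) creates the
# directory atomically, so no other user can pre-create the name first.
make_scratch_dir() {
    d=$(umask 077 && mktemp -d "${TMPDIR:-/tmp}/tempdir.XXXXXX") || return 1
    printf '%s\n' "$d"
}

# Succeed only if it is safe to create $1 as a brand-new file: nothing may
# already exist there, and it must not be a symbolic link.  A dangling link
# passes a plain -e test but would still redirect our write, so -L is
# checked as well.
safe_to_create() {
    if [ -L "$1" ] || [ -e "$1" ]; then
        return 1
    fi
    return 0
}

# Demonstration: work inside the scratch directory and remove it however the
# script exits (normal exit, hangup, interrupt or termination).
if [ "${1-}" = "demo" ]; then
    scratch=$(make_scratch_dir) || {
        echo "Could not create temporary directory" 1>&2
        exit 1
    }
    trap 'rm -rf "$scratch"' EXIT HUP INT TERM
    if safe_to_create "$scratch/data"; then
        printf 'some work\n' > "$scratch/data"
    fi
    ls -ld "$scratch"    # drwx------ ... owned by you alone
fi
```

Run it as `sh scratch.sh demo`. The directory, not just the file, is the unit of protection: once it is yours with mode 0700, every name inside it is safe to use with a fixed filename, which is why the check only has to be made once per path.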
Be careful with filenames obtained from ls or find.

Example: Consider the effects of a file named "myfile;cd /;rm *" if processed, unquoted, by your script.
One possible way to protect against weirdo characters in file names:

    # A function to massage a list of filenames
    # to protect weirdo characters
    # e.g. find ... | protect_filenames | xargs command
    #
    # We are backslash-protecting the characters \'" ?*;
    # Each sed script is quoted so that the shell passes it through
    # untouched; the backslash must be doubled first, before any of the
    # other characters acquire a backslash of their own.
    protect_filenames() {
        sed -e 's/\\/\\\\/g' \
            -e "s/'/\\\\'/g" \
            -e 's/"/\\"/g' \
            -e 's/;/\\;/g' \
            -e 's/?/\\?/g' \
            -e 's/\*/\\*/g' \
            -e 's/ /\\ /g'
    }

If using GNU find and xargs, there is a much cleaner option to null-terminate generated pathnames.
security.src last modified Mar 11, 2005
© Dartmouth College