Gentoo Forums
[SOLVED] looking for advice with bash scripting
chimeric
n00b


Joined: 15 Feb 2007
Posts: 10
Location: Germany

PostPosted: Fri Mar 23, 2007 7:14 pm    Post subject: [SOLVED] looking for advice with bash scripting Reply with quote

Hi everybody,

first I'd like to say that I am new to the forum (though not new to Gentoo; I have been using it on my main workstation for more than 2 years now and it's by far the best distro I've ever seen :) ). I am currently working on a little bash backup script which uses dar and sshfs. This script should be as portable as possible, as I want to use it on several machines. While thinking about it I asked myself whether it's generally a good idea (or a good habit) to use the full path of the programs used in the script, like:
Code:
/usr/bin/sshfs

Or is it better to put the program path in a variable using "which":
Code:
SSHFS=$(which sshfs)

(though I am unsure whether this could create a security issue on a compromised machine)?

Or doesn't it matter at all?

Thanks in advance!


Last edited by chimeric on Mon Mar 26, 2007 5:39 pm; edited 1 time in total
tuam
l33t


Joined: 04 May 2004
Posts: 763
Location: CGN, Germany

PostPosted: Fri Mar 23, 2007 9:49 pm    Post subject: Reply with quote

The basic security issue is the following:
- script is setuid root: runs with root privileges
- cracker creates an evil binary named sshfs somewhere in his home and makes it executable
- cracker modifies $PATH so his home is searched first
- cracker runs the script
=> evil binary is run with root privileges

Possible solutions:
- mount all dirs where the cracker has write access with noexec
- hard-code paths

The idea of putting the path in a variable makes the script easier to maintain or port to other machines. So use SSHFS="/usr/bin/sshfs" at the beginning of your script.

FF,

Daniel
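A worked demonstration of the difference tuam describes between looking a program up by name and hard-coding its path, added here as an example; it is not code from the thread or from either poster. It uses a constructed tool name (mytool) and temporary directories standing in for /usr/bin and the cracker's home, and each style takes the caller's PATH as an argument so one script can show the honest case, the hijacked `which`-style lookup, the hard-coded path, and the common companion habit (my addition, not from the reply) of resetting PATH at the top of the script before anything is resolved by name.

```shell
#!/bin/sh
# Added example (not from the thread): how `which`-style lookup follows the
# caller's PATH while a hard-coded absolute path does not.  The tool name
# "mytool" and every directory below are constructed for the demonstration.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

TRUSTED="$WORK/trusted"            # stand-in for /usr/bin
EVILDIR="$WORK/home/cracker"       # a directory the cracker can write to
mkdir -p "$TRUSTED" "$EVILDIR"

# The genuine tool, installed where the admin expects it.
printf '#!/bin/sh\necho real\n' > "$TRUSTED/mytool"
chmod 755 "$TRUSTED/mytool"
# The cracker's binary of the same name, made executable, as in the reply.
printf '#!/bin/sh\necho EVIL\n' > "$EVILDIR/mytool"
chmod 755 "$EVILDIR/mytool"

# The two environments a caller might bring to the script.
HONEST_PATH="$TRUSTED:/usr/bin:/bin"
CRACKER_PATH="$EVILDIR:$HONEST_PATH"   # cracker's dir is searched first

# Style 1: MYTOOL=$(which mytool).  `command -v` is the POSIX builtin that
# performs the same PATH walk, so the demo does not depend on a `which` binary.
# Each style runs in a subshell so the caller's PATH ($1) cannot leak out.
run_via_lookup() {
    ( PATH="$1"; export PATH
      tool=$(command -v mytool)
      "$tool" )
}

# Style 2: MYTOOL="/usr/bin/mytool" hard-coded at the top of the script,
# as the reply recommends.  The caller's PATH plays no part in resolution.
MYTOOL="$TRUSTED/mytool"
run_hardcoded() {
    ( PATH="$1"; export PATH
      "$MYTOOL" )
}

# Style 3 (assumed companion practice, not from the thread): reset PATH to
# known directories before anything is looked up by name, so unqualified
# commands later in the script are resolved against script-controlled dirs.
run_with_reset_path() {
    ( PATH="$1"; export PATH
      PATH="$TRUSTED:/usr/bin:/bin"; export PATH
      tool=$(command -v mytool)
      "$tool" )
}

printf 'lookup,     honest PATH : %s\n' "$(run_via_lookup "$HONEST_PATH")"
printf 'lookup,     cracker PATH: %s\n' "$(run_via_lookup "$CRACKER_PATH")"
printf 'hard-coded, cracker PATH: %s\n' "$(run_hardcoded "$CRACKER_PATH")"
printf 'PATH reset, cracker PATH: %s\n' "$(run_with_reset_path "$CRACKER_PATH")"
```

Run it as an ordinary user; nothing here needs root, and the temporary directory is removed on exit. Only the lookup-by-name style prints EVIL under the cracker's PATH. The hazard is not tied to the setuid case alone: whenever a more privileged account runs the script with a PATH the cracker could influence (a cron job or a sudo rule that preserves the caller's environment, for instance), name-based lookup resolves to the cracker's copy, while a hard-coded absolute path, or an explicit PATH set before the first lookup, does not.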
chimeric
n00b


Joined: 15 Feb 2007
Posts: 10
Location: Germany

PostPosted: Mon Mar 26, 2007 5:39 pm    Post subject: Reply with quote

Thanks, tuam, for your explanation!

Kind Regards