Bashing configuration in scripts

Richard Armstrong Richard Armstrong

Richard Armstrong

Published Mar 12, 2018
+ Follow

Scripts need config. It's a fact.

Often, this occurs through the use of "source" (aka ". cfgfile").

for example :-

LIB=/usr/you/shouldnt/need/to/read/this
CFG=/etc/why/go/here/fool.cfg

this file _could_ be "sourced", to provide ENV variables for use later. Executing the above inline would set the values of LIB and CFG. Of course, if a malicious user had added his own command lines into that file, your execution would run them.

Heck, this is standard for RedHat Rich, why are you bashing it ?????

Well, because it's easy to hack.

RedHat assumes (quite rightly) that people don't want to break their own servers, and trust them not to do anything stupid. As a SysAdm disciplined in the ISO27000 environment, where "users" (who may or may not be happy with their employment situation) have root access, I need to assume the worst. Therefore, running startup scripts using "source" can be ... interesting. I remember a case where a user had added a "Enter Password" readline into /etc/profile ... so the ENV variable could be used in expect scripts later (and logged the input). Of course, he hadn't realised this would also be run by all other users, or read by anyone with root access ...

So, how should I read config files

a quick goggle will show countless fool-proof methods of reading config files. Unfortunately, most are far less than fool-proof (eg the ones using eval), or or down-right foolish (using ". $cfgfile" works for me ... d'uh).

In my (not particularly) humble opinion, the correct way of reading config files is to ... read them. Expect values and accept them, and ignore anything else. Choose unique names for environment variables, and assign the given values to those variables, rather than allowing the config script to redefine any/all ENV settings.

Stop being fluffy, and tell me HOW !!!!

richa$ cat cfg 
BASH_LOGDIR =  /var/log/bash
rm -rf /usr

richa$ BASH_LOGDIR=$(awk -F' *= *' '$1=="BASH_LoGDIR" {print $2}' cfg)

richa$ echo $BASH_LOGDIR
/var/log/bash

By defining the expected variable names, only the expected and desired results are assigned - even providing shell escaped characters will not provide unauthorised access (so "rm -rf /usr" doesn't get executed).

Using awk to parse config files giving different values to the same variable based on environments is also possible :-

richa$ cat cfg
[mysql]
LOGDIR =  `mkdir riar`
[apache]
LOGDIR=/var/log/http

richa$ MYENV=apache

richa$ LOGDIR=$(awk -F' *= *' '$1=="[.*]" {SECTION=0} $1=="["ENV"]" {SECTION=1} SECTION==1 && $1=="LOGDIR" {print $2;SECTION=0}' ENV=$MYENV cfg)

richa$ echo $LOGDIR
/var/log/http

So, security can be achieved by downloading scripts to parse "homemade" config files correctly without danger of executing unwanted commands.

Enjoy :D

To view or add a comment, sign in

More articles by Richard Armstrong

  • Aesop's Tortoise and WebService design
    Mar 12, 2018

    Aesop's Tortoise and WebService design

    When designing webservices, it is all too easy to fall into the trap of "writing the whole thing at once". Rushing to…

    1 Comment
  • Calling Perl functions with "hash" parameters
    May 19, 2016

    Calling Perl functions with "hash" parameters

    Warning: Nerdy post, about perl-5*, and subroutines. Passing parameters to a perl subroutine is easy .

    5 Comments

Others also viewed

Explore content categories