@jason-idk
Last active March 23, 2020 21:55
Error handling:
Command:           Behavior:                                                      Recommendation:
#!/bin/bash -p     Prevents loading the initialization scripts.                   Recommended, but you will need to set the PATH variable manually.
set -o pipefail    Returns the error codes thrown by commands in a pipeline.      Recommended for error handling.
set -e             Exits the script as soon as a command returns an error code.
Set Default Filesystem Permissions:
Set a default umask in your scripts if you will be creating files, to ensure their permissions are secure. The recommended default
is 0077.
---------------------------------------------------------------------
#!/bin/bash -p
umask 0077
---------------------------------------------------------------------
It's usually better for a script to terminate than to continue running and potentially take unintended actions. Error handling
should generally look as follows. Use error handling where possible.
---------------------------------------------------------------------
run_command
# $? holds the exit status of the last command; 0 means success.
if [ "$?" = "0" ]; then
    echo "shit ran, good for you."
    run_more_commands
else
    echo "damn jackie, I cant control the weather..."
    handle_error
    exit 1
fi
---------------------------------------------------------------------
ANY NON 0 VALUE IS AN ERROR.
exit 1 - Generic error.
exit 0 - Clean, no error.
exit 2 - Misuse of shell built-ins, syntax error.
exit 126 - Permissions issue.
exit 127 - Command not found.
exit 128 - Invalid arg to exit.
exit 130 - Terminated using Ctrl+C.
Quotation:
Examples of common quotation and how they will be handled -
---------------------------------------------------------------------
#!/bin/bash
VAR="foo bar"
touch $VAR
# ^-- This will create two separate files, one foo, one bar.

#!/bin/bash
VAR="foo bar"
touch "$VAR"
# ^-- This will create one file, named "foo bar".

#!/bin/bash
VAR="foo bar"
touch '$VAR'
# ^-- Single quotes turn the variable into a string literal, so it is not expanded. A file literally named $VAR will be created.
---------------------------------------------------------------------
Temporary Files:
Common Practices -
1. Create new directories with secure filesystem permissions (umask set).
2. Generate pseudo-random strings and use them for temporary file or directory names. This
can be done using the mktemp command (shown below), which automatically provides strict filesystem permissions.
---------------------------------------------------------------------
#!/bin/bash
# mktemp creates the directory and file with unpredictable names and owner-only permissions.
OUTPUTDIR="$(mktemp -d)"
OUTPUTFILE="$(mktemp -p "$OUTPUTDIR")"
echo "My temp data" >> "$OUTPUTFILE"
---------------------------------------------------------------------
3. Remove temporary files before the script exits. Add checks to make sure the intended temp files are deleted.
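The three practices above combined in one script, as an added example that is not part of the original gist; the function and variable names are chosen for illustration.

```bash
#!/bin/bash
# Added example: names below are illustrative, not from the original gist.
umask 0077                      # step 1: anything created below is owner-only

WORKDIR=""

# Step 3: remove only the directory this script created, then verify it is gone.
cleanup() {
    [ -n "$WORKDIR" ] || return 0
    rm -rf -- "$WORKDIR"
    if [ -e "$WORKDIR" ]; then
        echo "cleanup failed: $WORKDIR still exists" >&2
        return 1
    fi
}

# Step 2: unpredictable names from mktemp; fail closed if creation fails.
make_workdir() {
    WORKDIR="$(mktemp -d)" || return 1
    OUTPUTFILE="$(mktemp "$WORKDIR/out.XXXXXX")" || return 1
}

# Print the type and permission bits of a path, e.g. drwx------.
path_mode() {
    ls -ld -- "$1" | cut -c1-10
}

trap cleanup EXIT               # runs on normal exit and on "exit 1" from error handling
trap 'exit 130' INT             # turn Ctrl+C into an exit so the EXIT trap still fires

make_workdir || exit 1
echo "My temp data" >> "$OUTPUTFILE"
echo "$WORKDIR is $(path_mode "$WORKDIR"), $OUTPUTFILE is $(path_mode "$OUTPUTFILE")"
```

Because cleanup is registered with trap before anything is created, the temporary directory is removed on every exit path, including the error branches.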
Canonicalization:
Canonicalization means writing out file names and paths in full, without using links, periods, or extra slashes. If this is not
done, an attacker can sometimes use special characters to access resources outside of the intended location.
/home/user/script/../../../tmp = /tmp
readlink -f "$path_to_validate"
realpath "$path_to_validate"
VULNERABLE SCRIPT:
---------------------------------------------------------------------
#!/bin/bash
conf_file=/opt/web_service/archive.conf   # hard coded config file could be replaced with a symlink to a malicious config file.
archive_endpoint="$(cat $conf_file)"
log_file=/opt/web_service/auth.log        # symbolic link that would allow user to point to another file and possibly remove logs.
timestamp="$(date +%Y%m%d)"
scp $log_file user@$archive_endpoint:/mnt/archive/auth_logs/$timestamp
---------------------------------------------------------------------
BETTER APPROACH:
---------------------------------------------------------------------
#!/bin/bash
conf_file=/opt/web_service/archive.conf
real_conf="$(realpath "$conf_file")"
# The real config should not be a symlink.
if [ "$conf_file" != "$real_conf" ]
then
    # Something is wrong with the config file.
    # Handle the error and exit.
    # ...
    echo "Error, config file is tampered with."
    exit 1
fi
archive_endpoint="$(cat "$conf_file")"
log_file=/opt/web_service/auth.log
real_log="$(realpath "$log_file")"
log_file_path=/opt/web_service
# Count matches for the resolved log path under the expected directory.
log_file_in_the_correct_place=$(find "$log_file_path" -wholename "$real_log" | wc -l)
if [[ $log_file_in_the_correct_place -lt 1 ]]
then
    # Something is wrong with the log file
    # Handle the error and exit
    # ...
    echo "Error with logfile integrity."
    exit 1
fi
# The configuration file and the log file are okay
# Proceed with the file copy
timestamp="$(date +%Y%m%d)"
echo scp "$log_file" "user@$archive_endpoint:/mnt/archive/auth_logs/$timestamp"
---------------------------------------------------------------------
As you can see, verifying our files lets us take a more secure approach to using these paths in our daily scripts.
Validate Command Line Parameters:
To prevent command injection in bash scripts, avoid passing user-controlled data to commands that invoke other commands. Use
caution and keep this in mind.
Example:
---------------------------------------------------------------------
#!/bin/bash
VAR="$1"   # first command-line argument, user-controlled
ssh user@bleep touch "$VAR"
---------------------------------------------------------------------
Here the user can use a semi-colon to continue executing commands outside the intended purpose: ssh hands the command line to a shell
on the remote host, which parses it again, so the local quotes around "$VAR" do not protect the remote side.
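One way to validate the parameter before it reaches the remote shell, as an added example that is not part of the original gist. valid_name, remote_quote and build_remote_cmd are hypothetical helper names, the sample arguments are constructed, and the command is printed instead of run so the example works offline.

```bash
#!/bin/bash
# Added example: helper names and sample arguments are constructed for illustration.

# Allowlist check: letters, digits, dot, underscore, dash; no leading dash or dot.
valid_name() {
    case "$1" in
        ''|-*|.*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Second layer: wrap the value in single quotes for the remote shell,
# escaping any embedded single quote as '\''.
remote_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Build the remote command only if the argument passes validation.
build_remote_cmd() {
    valid_name "$1" || { echo "rejected argument: $1" >&2; return 1; }
    printf 'touch -- %s' "$(remote_quote "$1")"
}

# Constructed inputs: one acceptable file name, one carrying a semi-colon.
for arg in "report.txt" "x; echo INJECTED"; do
    if cmd="$(build_remote_cmd "$arg")"; then
        # A real script would run: ssh user@bleep "$cmd"
        echo "would run: ssh user@bleep $cmd"
    fi
done
```

The allowlist rejects the argument outright, and the quoting step keeps the value a single word on the remote side even if the allowlist is later loosened.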