tcely · December 9, 2017 21:36
diff --git a/defensive_bash.sh b/defensive_bash.sh
 #!/bin/bash

 # *Temporarily* force Bash into POSIX compatibility mode, where `unset` cannot 
 # be shadowed, which allows us to undefine any `unset` *function* as well
 # as other functions that may shadow crucial commands.
 # Note: Fortunately, POSIXLY_CORRECT= works even without `export`, because
 #       use of `export` is not safe at this point.
 #       By contrast, a simple assignment cannot be tampered with.
 POSIXLY_CORRECT=

 # If defined, unset unset() and other functions that may shadow crucial commands.
 # Note the \ prefix to ensure that aliases are bypassed.
 \unset -f unset unalias read declare

 # Remove all aliases.
 # (Note that while alias expansion is off by default in scripts, it may
 #  have been turned on explicitly in a tampered-with environment.)
 \unalias -a  # Note: After this, \ to bypass aliases is no longer needed.

 # Now it is safe to turn POSIX mode back off, so as to reenable all Bash
 # features.
 unset POSIXLY_CORRECT

 # Now UNDEFINE ALL REMAINING FUNCTIONS:
 # Note that we do this AFTER switching back from POSIX mode, because
 # Bash in its default mode allows defining functions with nonstandard names
 # such as `[` or `z?`, and such functions can also only be *unset* while
 # in default mode.
 # Also note that we needn't worry about keywords `while`, `do` and `done`
 # being shadowed by functions, because the only way to invoke such functions
 # (which you can only define with the nonstandard `function` keyword) would
 # be with `\` (e.g., `\while`).
 while read _ _ n; do unset -f "$n"; done < <(declare -F)

 # IN THE REST OF THE SCRIPT:
 #  - It is now safe to call *builtins* as-is.
 #  - *External utilities* should be invoked:
 #      - by full path, if feasible
 #      - and/or, in the case of *standard utilities*, with
 #        command -p, which uses a minimal $PATH definition that only
 #        comprises the locations of standard utilities.
 #      - alternatively, as @jarno suggests, you can redefine your $PATH
 #        to contain standard locations only, after which you can invoke
 #        standard utilities by name only, as usual:
 #          PATH=$(command -p getconf PATH)

 # Example command:
 # Verify that `unset` now refers to the *builtin*:
 type unset
	#!/bin/bash

	# Temporarily force Bash into POSIX compatibility mode, where `unset` cannot
	# be shadowed, which allows us to undefine any `unset` function as well
	# as other functions that may shadow crucial commands.
	# Note: Fortunately, POSIXLY_CORRECT= works even without `export`, because
	# use of `export` is not safe at this point.
	# By contrast, a simple assignment cannot be tampered with.
	POSIXLY_CORRECT=

	# If defined, unset unset() and other functions that may shadow crucial commands.
	# Note the \ prefix to ensure that aliases are bypassed.
	\unset -f unset unalias read declare

	# Remove all aliases.
	# (Note that while alias expansion is off by default in scripts, it may
	# have been turned on explicitly in a tampered-with environment.)
	\unalias -a # Note: After this, \ to bypass aliases is no longer needed.

	# Now it is safe to turn POSIX mode back off, so as to reenable all Bash
	# features.
	unset POSIXLY_CORRECT

	# Now UNDEFINE ALL REMAINING FUNCTIONS:
	# Note that we do this AFTER switching back from POSIX mode, because
	# Bash in its default mode allows defining functions with nonstandard names
	# such as `[` or `z?`, and such functions can also only be unset while
	# in default mode.
	# Also note that we needn't worry about keywords `while`, `do` and `done`
	# being shadowed by functions, because the only way to invoke such functions
	# (which you can only define with the nonstandard `function` keyword) would
	# be with `\` (e.g., `\while`).
	while read _ _ n; do unset -f "$n"; done < <(declare -F)

	# IN THE REST OF THE SCRIPT:
	# - It is now safe to call builtins as-is.
	# - External utilities should be invoked:
	# - by full path, if feasible
	# - and/or, in the case of standard utilities, with
	# command -p, which uses a minimal $PATH definition that only
	# comprises the locations of standard utilities.
	# - alternatively, as @jarno suggests, you can redefine your $PATH
	# to contain standard locations only, after which you can invoke
	# standard utilities by name only, as usual:
	# PATH=$(command -p getconf PATH)

	# Example command:
	# Verify that `unset` now refers to the builtin:
	type unset