Classic Shell Scripting - Arnold Robbins [219]
Limit setuid code as much as possible
Make the amount of setuid code as small as you can. Move it into a separate program, and invoke that from within a larger script when necessary. However, be sure to code defensively as if the script can be invoked by anyone from anywhere else!
Chet Ramey, the maintainer of bash, offers the following prolog for use in shell scripts that need to be more secure:
# Reset IFS. Even though ksh doesn't import IFS from the environment,
# $ENV could set it. This uses special bash and ksh93 notation,
# not in POSIX.
IFS=$' \t\n'
# Make sure unalias is not a function, since it's a regular built-in.
# unset is a special built-in, so it will be found before functions.
unset -f unalias
# Unset all aliases and quote unalias so it's not alias-expanded.
\unalias -a
# Make sure command is not a function, since it's a regular built-in.
# unset is a special built-in, so it will be found before functions.
unset -f command
# Get a reliable path prefix, handling case where getconf is not
# available.
SYSPATH="$(command -p getconf PATH 2>/dev/null)"
if [[ -z "$SYSPATH" ]]; then
    SYSPATH="/usr/bin:/bin"   # pick your poison
fi
PATH="$SYSPATH:$PATH"
This code uses several non-POSIX extensions, all of which are described in Section 14.3.
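To see what the prolog actually buys you, the following added example (written for this edit; it is neither the book's code nor Chet Ramey's) restates the prolog in portable POSIX sh, then runs it in a deliberately hostile environment: a caller has set IFS to a colon and defined a shell function named command. The function names harden_shell_env, reset_ifs, field_count and command_is_builtin are made up for this example.

```sh
#!/bin/sh
# Added example, not from the book. Portable restatement of the prolog above
# plus two probes that show what it defends against.

# Reset IFS to <space><tab><newline> without bash's $'...' notation.
# Command substitution strips trailing newlines, so append a sentinel
# character and remove it afterwards.
reset_ifs() {
    IFS=$(printf ' \t\nX')
    IFS=${IFS%X}
}

# Same steps as the prolog: sane IFS, no functions shadowing unalias or
# command, no aliases, and a trustworthy PATH prefix from getconf.
harden_shell_env() {
    reset_ifs
    unset -f unalias            # unalias is a regular built-in; drop any function of that name
    \unalias -a 2>/dev/null     # backslash stops alias expansion of the word itself
    unset -f command            # command is a regular built-in; drop any function of that name
    SYSPATH=$(command -p getconf PATH 2>/dev/null)
    [ -z "$SYSPATH" ] && SYSPATH=/usr/bin:/bin   # fallback when getconf is missing
    PATH=$SYSPATH:$PATH
    export PATH
}

# Probe 1: how many words does "$1" split into under the current IFS?
field_count() {
    set -- $1          # deliberately unquoted: word splitting is the point
    echo "$#"
}

# Probe 2: is `command` still the shell's built-in, or has a function taken
# its place? Returns 0 for the built-in, 1 for a function.
command_is_builtin() {
    case $(type command 2>/dev/null) in
        *function*) return 1 ;;
        *)          return 0 ;;
    esac
}

# Constructed hostile environment: a colon-only IFS and a hijacked `command`.
IFS=:
command() { echo "hijacked: $*"; }

before_fields=$(field_count "a b c")                          # 1 word: no space in IFS
before_builtin=$(command_is_builtin && echo yes || echo no)   # no: function shadows it

harden_shell_env

after_fields=$(field_count "a b c")                           # 3 words
after_builtin=$(command_is_builtin && echo yes || echo no)    # yes

printf 'fields before/after: %s/%s\n' "$before_fields" "$after_fields"
printf 'command is built-in before/after: %s/%s\n' "$before_builtin" "$after_builtin"
```

Run it with sh, dash or bash; the output is the same. Note that the portable version cannot protect against everything the bash-specific one can (for example, it does not check that unset itself is not a function), which is why the book's prolog relies on special built-ins being found before functions.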
* * *
[1] See http://www.cerias.purdue.edu/.
Restricted Shell
A restricted shell is designed to put the user into an environment where the ability to move around and write files is severely limited. It's usually used for guest accounts. POSIX does not specify that environments provide a restricted shell, "because it does not provide the level of security restriction that is implied by historical documentation." Nevertheless, both ksh93 and bash do provide this facility. We describe it here for both of them.
When invoked as rksh (or with the -r option), ksh93 acts as a restricted shell. You can make a user's login shell restricted by putting the full pathname to rksh in the user's /etc/passwd entry. The ksh93 executable file must have a link to it named rksh for this to work.
A restricted ksh93 prevents the user from doing the things described in the following list. Some of these features are specific to ksh93; for more information see Learning the Korn Shell.
Changing working directories: cd is inoperative. If you try to use it, you will get the error message ksh: cd: restricted.
Redirecting output to a file: the redirectors >, >|, <>, and >> are not allowed. This includes using exec.
Assigning a new value to the environment variables ENV, FPATH, PATH, or SHELL, or trying to change their attributes with typeset.
Specifying any pathnames of commands with slashes (/) in them. The shell only runs commands found along $PATH.
Adding new built-in commands with the builtin command.
Similar to ksh93, when invoked as rbash (or with the -r option), bash acts as a restricted shell, and the bash executable file must have a link to it named rbash for the first form to work. The list of restricted operations for bash (taken from the bash(1) manpage) is similar to the one for ksh93. Here too, some of the features mentioned are specific to bash and haven't been covered in this book. For more information, see the bash(1) manpage:
Changing directories with cd
Setting or unsetting the values of SHELL, PATH, ENV, or BASH_ENV
Specifying command names containing /
Specifying a filename containing a / as an argument to the . (dot) built-in command
Specifying a filename containing a / as an argument to the -p option to the hash built-in command
Importing function definitions from the shell environment at startup
Parsing the value of SHELLOPTS from the shell environment at startup
Redirecting output using the >, >|, <>, >&, &>, and >> redirection operators
Using the exec built-in command to replace the shell with another command
Adding or deleting built-in commands with the -f and -d options to the enable built-in command
Using the enable built-in command to enable disabled shell built-in commands
Specifying the
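Rather than trusting the lists above for ksh93 and bash, a practitioner can check what a given restricted shell refuses on the system at hand. The following added example (not from the book) runs each operation under `shell -r -c` and classifies it by the error the shell prints: both ksh93 and bash say "restricted" for blocked commands, and both report the protected variables as read-only. The function names restricted_probe and probe_all are made up for this example.

```sh
#!/bin/sh
# Added example, not from the book: probe which operations a restricted
# shell actually refuses. Usage: restricted_probe SHELL 'command line'
# Prints "blocked", "allowed", or "no-shell" if SHELL is not installed.
restricted_probe() {
    shell=$1
    cmd=$2
    command -v "$shell" >/dev/null 2>&1 || { echo no-shell; return; }
    # Keep stderr (the diagnostics) and discard stdout; the command's own
    # exit status is irrelevant here, so never let it abort the probe.
    err=$("$shell" -r -c "$cmd" 2>&1 >/dev/null) || true
    case $err in
        *restricted*)  echo blocked ;;   # "cd: restricted", "/bin/true: restricted", ...
        *read*only*)   echo blocked ;;   # bash: "PATH: readonly variable"; ksh93: "PATH: is read only"
        *)             echo allowed ;;
    esac
}

# Run the operations from the lists above (plus one harmless control) under
# one restricted shell and print a small table.
probe_all() {
    shell=$1
    for cmd in 'cd /tmp' 'PATH=/tmp' '/bin/true' 'echo x > /dev/null' 'exec true' 'true'; do
        printf '%-6s %-20s %s\n' "$shell" "$cmd" "$(restricted_probe "$shell" "$cmd")"
    done
}

probe_all bash
probe_all ksh
```

Redirecting to /dev/null is still "redirecting output", so it is refused like any other target; the harmless control line true shows that ordinary commands found along $PATH still run.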