InfinityQuest - Programming Code Tutorials and Examples with Python, C++, Java, PHP, C#, JavaScript, Swift and more
Avoiding Common Security Problems in bash

InfinityCoder February 21, 2017

You want to avoid common security problems in your scripting.

Validate all external input, including interactive input and input read from configuration files.

In particular, never eval input that you have not checked very thoroughly.
Use secure temporary files, ideally in secure temporary directories.
Make sure you are using trusted external executables.

In a way, this recipe barely scratches the surface of scripting and system security. Yet it also covers the most common security problems you’ll find.

Data validation, or rather the lack of it, is a huge deal in computer security right now. This is the problem that leads to buffer overflows, which are by far the most common class of exploit going around. bash doesn’t suffer from this issue in the same way that C does, but the concepts are the same. In the bash world it’s more likely that unvalidated input will contain something like ; rm -rf / than a buffer overflow; however, neither is welcome. Validate your data!
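Example code added here, not part of the original recipe: allow-list validation of external input before it is used, and a case-based dispatch table standing in for eval. The function names (is_safe_name, is_uint, greet_user, run_action) and the sample inputs are constructed for illustration.

```shell
# Added example (not from the original recipe): allow-list validation of external
# input before it reaches a command, and a dispatch table in place of eval.
# Function names and the sample inputs are constructed for illustration.

# Return 0 only for a plain name: letters, digits, underscore and hyphen, at most
# 32 characters, and not starting with "-" (so it cannot be mistaken for an option).
is_safe_name() {
    case "$1" in
        ''|-*)              return 1 ;;   # empty or option-like
        *[!A-Za-z0-9_-]*)   return 1 ;;   # any character outside the allow-list
    esac
    [ "${#1}" -le 32 ]
}

# Return 0 only for a non-negative decimal integer with no sign or whitespace.
is_uint() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *)           return 0 ;;
    esac
}

# Use validated input only as a quoted argument: the shell never re-parses it,
# so a value containing "; rm -rf /" is just an invalid name, not a command.
greet_user() {
    is_safe_name "$1" || { printf 'rejected input\n' >&2; return 1; }
    printf 'hello %s\n' "$1"
}

# Instead of eval "$1" (which executes whatever the string contains), dispatch on
# an allow-list of known actions; anything else is rejected.
run_action() {
    case "$1" in
        status)  printf 'status: ok\n' ;;
        version) printf 'version: 1.0\n' ;;
        *)       printf 'unknown action: %s\n' "$1" >&2; return 1 ;;
    esac
}
```

The two checks are deliberately strict allow-lists rather than deny-lists of "bad" characters: it is much easier to enumerate what a name or a number may contain than to anticipate every metacharacter the shell, or a program you pass the value to, might interpret.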
Race conditions are another big issue, closely tied to the problem of an attacker gaining an ability to write over unexpected files. A race condition exists when two or more separate events must occur in the correct order at the correct time without external interference. They often result in providing an unprivileged user with read and/or write access to files they shouldn’t be able to access, which in turn can result in so-called privilege escalation, where an ordinary user can gain root access. Insecure use of temporary files is a very common factor in this kind of attack. Using secure temporary files, especially inside secure temporary directories, will eliminate this attack vector.
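Example code added here, not part of the original recipe: a private temporary directory created atomically with mktemp -d, a file written into it with an owner-only umask, and cleanup registered with trap. The function names (make_workdir, mode_of, write_private, cleanup, demo) and the file name "output" are constructed for illustration; mktemp with a template and a stat command are assumed to be available.

```shell
# Added example (not from the original recipe): a private temporary directory
# created atomically with mktemp and removed on exit. Function names and the
# file name "output" are constructed for illustration.

# Create a private working directory (mode 0700, name chosen by mktemp at
# creation time) and print its path. Because the name is unpredictable and the
# directory is created atomically, an attacker cannot pre-create a file or
# symlink at that path, which is the race the recipe warns about.
make_workdir() {
    local dir
    dir=$(mktemp -d "${TMPDIR:-/tmp}/example.XXXXXXXX") || return 1
    printf '%s\n' "$dir"
}

# Print the octal permission bits of a path: GNU stat syntax, BSD fallback.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Write data to a fresh file inside the private directory and print the path.
# The subshell limits umask 077 to this write, so the file is owner-only
# without changing the caller's umask.
write_private() {
    local dir="$1" data="$2" file="$1/output"
    ( umask 077 && printf '%s\n' "$data" > "$file" ) || return 1
    printf '%s\n' "$file"
}

# Remove the directory and everything in it; register with trap so it runs on
# any exit path, including errors and Ctrl-C.
cleanup() {
    if [ -n "$1" ] && [ -d "$1" ]; then
        rm -rf -- "$1"
    fi
}

# Typical use in a script: demo creates, uses, and tears down the directory.
demo() {
    local dir file
    dir=$(make_workdir) || return 1
    trap "cleanup '$dir'" EXIT INT TERM
    file=$(write_private "$dir" "sensitive data") || return 1
    cat "$file"
}
```

The important property is that the directory name is chosen and the directory created in one step by mktemp, so there is no window between "decide the name" and "create the file" for someone else to plant a symlink; a fixed name such as /tmp/myscript.out, or one built from $$, leaves exactly that window open.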
Another common attack vector is trojaned utilities. Like the Trojan horse, these appear to be one thing while they are in fact something else. The canonical example here is the trojaned ls command that works just like the real ls command except when run by root. In that case it creates a new user called r00t, with a default password known to the attacker and deletes itself.

Using a secure $PATH is about the best you can do from the scripting side. From the systems side there are many tools such as Tripwire and AIDE to help you assure system integrity.
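Example code added here, not part of the original recipe: pinning PATH to a fixed list of system directories, checking that every entry is absolute and not writable by other users, and resolving each required utility to an absolute path before use. The function names (set_secure_path, path_is_trusted, resolve_tool) are constructed for illustration, and the trusted-directory list /usr/bin:/bin is an assumption suited to a script that needs only core utilities.

```shell
# Added example (not from the original recipe): pin PATH to trusted system
# directories, verify those directories, and resolve each required utility to an
# absolute path up front. The trusted-directory list is an assumption for a
# script that needs only core utilities; adjust it for your own environment.

# Replace the inherited PATH with a fixed one. Inheriting PATH is how a trojaned
# utility in a writable or relative directory gets run instead of the real one.
set_secure_path() {
    PATH='/usr/bin:/bin'
    export PATH
    hash -r 2>/dev/null || true     # drop any cached command locations from the old PATH
}

# Return 0 only if every PATH entry is absolute, exists, and is not writable by
# "other" (an other-writable directory lets anyone plant binaries in it).
path_is_trusted() {
    local IFS=':' d
    for d in $PATH; do
        case "$d" in
            /*) ;;                      # absolute: acceptable so far
            *)  return 1 ;;             # empty, ".", or relative: means "current dir"
        esac
        [ -d "$d" ] || return 1
        if find "$d" -maxdepth 0 -perm -0002 | grep -q .; then
            return 1
        fi
    done
    return 0
}

# Resolve a command name to the absolute path of an executable file. Aliases,
# functions and builtins are rejected, so the script knows exactly what will run.
resolve_tool() {
    local p
    p=$(command -v "$1") || return 1
    case "$p" in
        /*) printf '%s\n' "$p" ;;
        *)  return 1 ;;
    esac
}
```

Calling set_secure_path and path_is_trusted at the top of a script, and then invoking tools through the paths resolve_tool returns, means a trojaned ls dropped into a writable directory somewhere in the caller's PATH is never even considered; the integrity of /usr/bin and /bin themselves is what Tripwire or AIDE are there to watch.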
