Differences
This shows you the differences between two versions of the page.
Both sides previous revision Previous revision Next revision | Previous revision | ||
howto:conffile [2015/08/08 17:44] bill_thomson |
howto:conffile [2015/08/08 18:00] (current) bill_thomson |
||
---|---|---|---|
Line 5: | Line 5: | ||
===== General ===== | ===== General ===== | ||
- | For this task, you don't have to write big parser routines (unless you want it 100% secure or you want a special file syntax) - you can use the Bash source command. The file to be sourced should be formated in key="value" format, otherwise bash will try to interpret commands: | + | For this task, you don't have to write large parser routines (unless you want it 100% secure or you want a special file syntax) - you can use the Bash source command. The file to be sourced should be formated in key="value" format, otherwise bash will try to interpret commands: |
<code> | <code> | ||
Line 30: | Line 30: | ||
#!/bin/bash | #!/bin/bash | ||
echo "Reading config...." >&2 | echo "Reading config...." >&2 | ||
- | . /etc/cool.cfg | + | . /etc/cool.cfg #note the space between the dot and the leading slash of /etc.cfg |
echo "Config for the username: $cool_username" >&2 | echo "Config for the username: $cool_username" >&2 | ||
echo "Config for the target host: $cool_host" >&2 | echo "Config for the target host: $cool_host" >&2 | ||
Line 37: | Line 37: | ||
===== Per-user configs ===== | ===== Per-user configs ===== | ||
- | There's also a way to provide a system-wide config file in /etc and a custom one in ~/ (user's home) to override some system-wide defaults. The user-specific config will only be used when present, in the following example: | + | There's also a way to provide a system-wide config file in /etc and a custom config in ~/(user's home) to override system-wide defaults. In the following example, the if/then construct is used to check for the existance of a user-specific config: |
<code> | <code> | ||
Line 54: | Line 54: | ||
As mentioned earlier, the sourced file can contain anything a Bash script can. Essentially, it **is** an included Bash script. That creates security issues. A malicicios person can "execute" arbitrary code when your script is sourcing its config file. | As mentioned earlier, the sourced file can contain anything a Bash script can. Essentially, it **is** an included Bash script. That creates security issues. A malicicios person can "execute" arbitrary code when your script is sourcing its config file. | ||
- | You might want to only allow constructs in the form ''NAME=VALUE'' in that file (variable assignment syntax) and maybe comments (though comments are technically unimportant). | + | You might want to allow only constructs in the form ''NAME=VALUE'' in that file (variable assignment syntax) and maybe comments (though technically, comments are unimportant). |
Imagine the following "config file", containing some malicious code: | Imagine the following "config file", containing some malicious code: | ||
Line 69: | Line 69: | ||
</code> | </code> | ||
- | You don't want these ''echo''-commands (which could be any other commands!) to be executed. One way to be a bit safer is to filter only the constructs you want, write the filtered results to a new file and source the new file. Also, we need to be careful that someome hasn't tacked on something nefarious to the end of one of our name=value parameters, perhaps using ; or && command separators. In those cases, perhaps it is simplest to just ignore the line entirely. Egrep (''grep -E'') will help us here, it filters by description: | + | You don't want these ''echo''-commands (which could be any other commands!) to be executed. One way to be a bit safer is to filter only the constructs you want, write the filtered results to a new file and source the new file. We also need to be sure something nefarious hasn't been added to the end of one of our name=value parameters, perhaps using ; or && command separators. In those cases, perhaps it is simplest to just ignore the line entirely. Egrep (''grep -E'') will help us here, it filters by description: |
<code> | <code> | ||
Line 87: | Line 87: | ||
source "$configfile" | source "$configfile" | ||
</code> | </code> | ||
- | **__To make clear what it does:__** egrep checks if the file contains something we don't want, if yes, egrep filters the file and writes the filtered contents to a new file. If done, the original file name is changed to the name stored in the variable ''configfile''. Then file named by that variable is sourced, as if it were the original file. | + | **__To make clear what it does:__** egrep checks if the file contains something we don't want, if yes, egrep filters the file and writes the filtered contents to a new file. If done, the original file name is changed to the name stored in the variable ''configfile''. The file named by that variable is sourced, as if it were the original file. |
This filter allows only ''NAME=VALUE'' and comments in the file, but it doesn't prevent all methods of code execution. I will address that later. | This filter allows only ''NAME=VALUE'' and comments in the file, but it doesn't prevent all methods of code execution. I will address that later. |