Differences

This shows you the differences between two versions of the page.

howto:conffile [2015/08/08 17:44]
bill_thomson
howto:conffile [2015/08/08 18:00] (current)
bill_thomson
Line 5: Line 5:
 ===== General ===== ===== General =====
  
-For this task, you don't have to write big parser routines (unless you want it 100% secure or you want a special file syntax) - you can use the Bash source command. The file to be sourced should be formated in key="​value"​ format, otherwise bash will try to interpret commands:+For this task, you don't have to write large parser routines (unless you want it 100% secure or you want a special file syntax) - you can use the Bash source command. The file to be sourced should be formated in key="​value"​ format, otherwise bash will try to interpret commands:
  
 <​code>​ <​code>​
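Review bot: The reworded line still carries the typo "formated" in both revisions; since the sentence is being edited anyway, make it "formatted". The clause "otherwise bash will try to interpret commands" also understates what source does: bash executes the file as a script whether or not it looks like key="value" lines, so a file consisting only of assignments simply has no other side effects, which is the point the Security section below makes and could be stated here as well.
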
Line 30: Line 30:
 #!/bin/bash #!/bin/bash
 echo "​Reading config...."​ >&2 echo "​Reading config...."​ >&2
-. /​etc/​cool.cfg+. /etc/cool.cfg #note the space between the dot and the leading slash of /etc.cfg
 echo "​Config for the username: $cool_username"​ >&2 echo "​Config for the username: $cool_username"​ >&2
 echo "​Config for the target host: $cool_host"​ >&2 echo "​Config for the target host: $cool_host"​ >&2
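Review bot: The new trailing comment on the source line names "/etc.cfg", but the file being sourced is /etc/cool.cfg; the comment should match the path it annotates. It would also help to say why the space matters: without it the line reads "./etc/cool.cfg", which bash treats as a command at a relative path to run, not as the dot builtin sourcing a file into the current shell.
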
Line 37: Line 37:
 ===== Per-user configs ===== ===== Per-user configs =====
  
-There'​s also a way to provide a system-wide config file in /etc and a custom ​one in ~/ (user'​s home) to override ​some system-wide defaults. ​The user-specific config ​will only be used when present, in the following example:+There'​s also a way to provide a system-wide config file in /etc and a custom ​config ​in ~/​(user'​s home) to override system-wide defaults. ​In the following example, the if/then construct is used to check for the existance of a user-specific config:
  
 <​code>​ <​code>​
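Review bot: "existance" in the added sentence should be "existence", and the rewording dropped the space in "~/ (user's home)", which now reads "~/(user's home)". Otherwise the explicit mention of the if/then check is an improvement over the old wording.
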
Line 54: Line 54:
  
 As mentioned earlier, the sourced file can contain anything a Bash script can. Essentially,​ it **is** an included Bash script. That creates security issues. A malicicios person can "​execute"​ arbitrary code when your script is sourcing its config file. As mentioned earlier, the sourced file can contain anything a Bash script can. Essentially,​ it **is** an included Bash script. That creates security issues. A malicicios person can "​execute"​ arbitrary code when your script is sourcing its config file.
-You might want to only allow constructs in the form ''​NAME=VALUE''​ in that file (variable assignment syntax) and maybe comments (though comments are technically ​unimportant).+You might want to allow only constructs in the form ''​NAME=VALUE''​ in that file (variable assignment syntax) and maybe comments (though ​technically, ​comments are unimportant).
 Imagine the following "​config file", containing some malicious code: Imagine the following "​config file", containing some malicious code:
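Review bot: The unchanged context line just above has "malicicios", which should be "malicious"; worth fixing in the same edit since the adjacent sentence is already being reworded. The moved "technically" in the new line reads fine.
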
  
Line 69: Line 69:
 </​code>​ </​code>​
  
-You don't want these ''​echo''​-commands (which could be any other commands!) to be executed. One way to be a bit safer is to filter only the constructs you want, write the filtered results to a new file and source the new file. Also, we need to be careful that someome ​hasn'​t ​tacked on something nefarious ​to the end of one of our name=value parameters, perhaps using ; or && command separators. In those cases, perhaps it is simplest to just ignore the line entirely. Egrep (''​grep -E''​) will help us here, it filters by description:​+You don't want these ''​echo''​-commands (which could be any other commands!) to be executed. One way to be a bit safer is to filter only the constructs you want, write the filtered results to a new file and source the new file. We also need to be sure something nefarious ​hasn'​t ​been added to the end of one of our name=value parameters, perhaps using ; or && command separators. In those cases, perhaps it is simplest to just ignore the line entirely. Egrep (''​grep -E''​) will help us here, it filters by description:​
  
 <​code>​ <​code>​
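Review bot: Naming only ";" and "&&" as the separators to watch for on the changed line may leave readers thinking those are the whole problem; since the page itself says further down that this grep -E filter does not prevent all methods of code execution, the sentence would be safer stating that any line which is not a plain NAME=VALUE line should be dropped, rather than enumerating two separators. Minor: "Egrep (grep -E) will help us here, it filters by description" is a comma splice and "description" is odd; "it filters lines by pattern" reads better.
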
Line 87: Line 87:
 source "​$configfile"​ source "​$configfile"​
 </​code>​ </​code>​
-**__To make clear what it does:__** egrep checks if the file contains something we don't want, if yes, egrep filters the file and writes the filtered contents to a new file. If done, the original file name is changed to the name stored in the variable ''​configfile''​. ​Then file named by that variable is sourced, as if it were the original file.+**__To make clear what it does:__** egrep checks if the file contains something we don't want, if yes, egrep filters the file and writes the filtered contents to a new file. If done, the original file name is changed to the name stored in the variable ''​configfile''​. ​The file named by that variable is sourced, as if it were the original file.
  
 This filter allows only ''​NAME=VALUE''​ and comments in the file, but it doesn'​t prevent all methods of code execution. I will address that later. This filter allows only ''​NAME=VALUE''​ and comments in the file, but it doesn'​t prevent all methods of code execution. I will address that later.
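Review bot: "the original file name is changed to the name stored in the variable configfile" is ambiguous about what actually happens: whether the filtered output is moved over the original, or whether configfile is simply pointed at the filtered copy. State which, because the safety of the approach rests on the unfiltered file never reaching the source "$configfile" line. Also "if yes, egrep filters the file" would read better as "if it does, egrep filters the file".
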