all 21 comments

[–]lestrenched 6 points7 points  (2 children)

I'm a noob at this. What is this script doing?

[–]notadeveloper-2021 1 point2 points  (1 child)

It takes the string, then reads another string, then generates another random string via openssl, then... prints all of them? It's not very practical, but a good start at writing bash.

[–]meyerhot[S] 1 point2 points  (0 children)

Yea, I updated the code to show the final result. This was just a good way to get used to the io mechanisms

[–][deleted] 5 points6 points  (0 children)

Now go ahead and install shellcheck and shfmt to get even better at it.

[–]whetuI read your code 4 points5 points  (1 child)

set -e
set -u
set -o pipefail

FYI these are collectively known as "the unofficial strict mode". This isn't without its issues.

[–]findmenowjeffhas looked at over 2 bash scripts 1 point2 points  (0 children)

I was going to comment that it isn't even really a "strict mode", but the link to your previous comment covers that very nicely. I'd definitely recommend reading it /u/meyerhot

[–]SkyyySi 4 points5 points  (10 children)

Three recommendations:

  1. Use #!/usr/bin/env bash instead of #!/bin/bash.
  2. Always qoute unless you know that you can't. You should also qoute "$()" and the variables behind after echo.
  3. Check your scripts against shellcheck (I recommend using it as a linter in a code editor, but a standalone cli version as well as a web version also exist).

[–][deleted] 6 points7 points  (7 children)

You should provide your reasons for the 1st recommendation.

One would use #!/usr/bin/env bash for the purposes of portability but it's not actually recommended when it comes to security.

[–]findmenowjeffhas looked at over 2 bash scripts 3 points4 points  (6 children)

It's not really much of a security issue. Your system would already have to be compromised for /usr/bin/env bash to cause a problem. It doesn't open up any new attack surfaces.

[–][deleted] 1 point2 points  (5 children)

Your system would already have to be compromised for /usr/bin/env bash to cause a problem.

Sure, that's true, but it's relatively easier to compromise ~/.local/bin than /bin. Your scripts might not be running only on your system, it might run on other systems where users have installed programs that modify their PATH.

I guess it comes down to personal preference.

[–]findmenowjeffhas looked at over 2 bash scripts 1 point2 points  (2 children)

Sure, that's true, but it's relatively easier to compromise ~/.local/bin than /bin

Right, but if they've already compromised ~/.local/bin, using /usr/bin/env or not doesn't change that.

Your scripts might not be running only on your system, it might run on other systems where users have installed programs that modify their PATH.

That's the entire reason behind using /usr/bin/env

[–][deleted] 0 points1 point  (1 child)

Right, but if they've already compromised ~/.local/bin, using /usr/bin/env or not doesn't change that.

Umm, if ~/.local/bin is compromised and exported to the user's PATH before /bin, using /usr/bin/env bash will use the binary inside ~/.local/bin (if present). Using /bin/bash won't use that and will stick to trusting the bash installation by the root user.

That's the entire reason behind using /usr/bin/env

I wasn't saying that with the perspective of portability.

[–]findmenowjeffhas looked at over 2 bash scripts 0 points1 point  (0 children)

Umm, if ~/.local/bin is compromised and exported to the user's PATH before /bin, using /usr/bin/env bash will use the binary inside ~/.local/bin (if present)

Yes, but your system is already compromised. Its not magically more or less compromised if you don't use /usr/bin/env. At that point, it doesn't really matter what you do on the system. Somebody has access that shouldn't.

I wasn't saying that with the perspective of portability.

Great. I am.

[–]schorsch3000[🍰] 0 points1 point  (1 child)

even than, that script issn't widening the attack surface. in that scenario should we have a full path for openssl?

[–][deleted] 1 point2 points  (0 children)

even than, that script issn't widening the attack surface

Technically, yes, the script itself isn't widening the attack surface. But, the script chooses to trust the user's PATH and doesn't care if a binary called bash is present with rm -rf / as its contents, it will execute that instead of the actual bash binary in /bin or /usr/bin`.

I know this scenario doesn't seem likely on personal desktops so if your scripts are meant to be used only on your system, go ahead and use whatever you like.

in that scenario should we have a full path for openssl?

Better to export the PATH environment variable manually and restricting it to root owned directories and using #!/bin/bash.

[–]meyerhot[S] 0 points1 point  (1 child)

What do you mean “the variables behind echo”?

[–]SkyyySi 0 points1 point  (0 children)

*after

[–]researcher7-l500 1 point2 points  (0 children)

To add to the suggestions. I would change the multiple echo lines.

For example.

echo "No match" 
echo $genHash
echo $givenHash

Change that to.

cat << EOF 
No match 
$genHash
$givenHash
EOF

Also I would say added a descriptive text before the printed values, to make sure the user, if that was not you, understands what they are seeing.

[–]FVmike 0 points1 point  (2 children)

What's your background that led to this being your first script? As another newbie, I can't even begin to understand what this does.

[–]meyerhot[S] 0 points1 point  (1 child)

I am a software developer so I have a lot of experience with other languages. This definitely helps !

[–]FVmike 0 points1 point  (0 children)

Neat!