notashell - A non-interactive shell lacking any shell syntax



NAME

notashell - A non-interactive shell lacking any shell syntax


SYNOPSIS

notashell -c COMMANDLINE


DESCRIPTION

notashell(1) is a program with a non-interactive shell interface (i.e. like sh -c COMMANDLINE) that intentionally understands no shell syntax or metacharacters: it takes the first word of COMMANDLINE and executes it as a single command, with all of the rest of COMMANDLINE as its arguments.

This is useful when you have a program which normally calls other commands via a shell (e.g. system(3)), notably with user-controlled parts in the command line, i.e. data from an untrusted source. This potentially makes the call vulnerable to shell injection. One such program is incrond(8) since 2015, which triggered the author to make this defense tool.

Such programs usually try to guard against this by escaping user input, but it often turns out that the re-implemented shell-escape mechanism was bad or incomplete.

Using notashell(1) lets you fully evade this type of shell-injection attack: as long as you control at least the first word of COMMANDLINE, you can reliably call a program (a wrapper script) in which the supplied COMMANDLINE is re-examined, accepted, rejected, rewritten, etc., and execution is then passed forward with verified user input.

No need to think about "is it safe to run by a shell?" or about forests of quotation marks and escape backslashes ever again.


FILES

How COMMANDLINE is parsed can be customized with /etc/notashell/custom.pl. If this file exists, notashell(1) executes it inside its main context, so custom.pl can contain custom logic. Some Perl variables are accessible there: $CommandString, @CommandArgs and $ExecName.

$CommandString is just COMMANDLINE; it is recommended that custom.pl only reads it, because changing it does not affect what will be executed. @CommandArgs is COMMANDLINE split into parts by spaces. You may change or redefine it to control the arguments of the command executed at the end. $ExecName is the name or path of the command that will be executed at the end ($CommandArgs[0] by default). You may change this one too, and it does not need to match $CommandArgs[0].

Some utility functions are also at your disposal in custom.pl: stripQuotes() and setupIORedirects(). stripQuotes() currently just returns the supplied string without its surrounding single or double quotes.

setupIORedirects() scans the supplied list for common shell IO redirection syntax, sets up these redirections on the current process, and returns the input list minus the elements found to be part of a redirection.

Example:

 setupIORedirects("date", "-R", ">", "/tmp/date.txt")
 # returns: ("date", "-R")
 # STDOUT of the current process is now redirected to the file.

Recognized representation:

 operators:
  write (>) and append (>>)

 an integer before the operator:
  optional; the defaults are the same as in sh(1)

 filename:
  right after the operator or in the next argument; only strings matching [a-zA-Z0-9_,./-]+ are considered filenames.

Don't forget to exit from custom.pl with a true value.

Typical custom.pl script:

  # honour > and >> redirections and drop them from the argument list
  @CommandArgs = setupIORedirects(@CommandArgs);
  # remove surrounding single or double quotes from each argument
  @CommandArgs = map {stripQuotes($_)} @CommandArgs;
  # custom.pl must end with a true value
  1;
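
A custom.pl that adds an allowlist policy on top of the helpers described above, as an added example that is not shipped with notashell. It relies only on the documented interface (@CommandArgs, $ExecName, setupIORedirects(), stripQuotes()); the allowed command names, their absolute paths and the argument character set are assumptions for this example, and since the page does not name a rejection mechanism it terminates notashell with exit(1) to refuse a command.

```perl
# /etc/notashell/custom.pl -- allowlist policy hook (added example, not
# part of notashell itself). Uses only the documented variables/helpers.

# Commands an untrusted COMMANDLINE may start with, mapped to absolute
# paths so that $PATH lookup plays no part in what gets executed.
# (Assumed allowlist; adjust to the commands your caller really needs.)
my %allowed = (
    'date'  => '/bin/date',
    'touch' => '/usr/bin/touch',
);

# Conservative character set for arguments (assumed policy): no shell
# metacharacters, whitespace, NUL or newlines ever reach the program.
my $safe_arg = qr{^[A-Za-z0-9_,./:=\@%+-]+$};

# Refuse to run anything: exit(1) terminates notashell itself, so no
# command is executed regardless of how custom.pl was invoked.
sub reject {
    my ($why) = @_;
    print STDERR "notashell custom.pl: rejected: $why\n";
    exit 1;
}

# Apply the documented helpers first: honour > and >> redirections and
# strip surrounding quotes, so the policy sees the final argument list.
@CommandArgs = setupIORedirects(@CommandArgs);
@CommandArgs = map { stripQuotes($_) } @CommandArgs;

reject("empty command line") unless @CommandArgs;

my $name = $CommandArgs[0];
reject("'$name' is not on the allowlist") unless exists $allowed{$name};

# Every remaining argument must match the safe character set.
for my $arg (@CommandArgs[1 .. $#CommandArgs]) {
    reject("argument '$arg' contains disallowed characters")
        unless $arg =~ $safe_arg;
}

# Execute by absolute path; $ExecName need not equal $CommandArgs[0].
$ExecName = $allowed{$name};

# custom.pl must end with a true value.
1;
```

With this hook, a COMMANDLINE such as "date -R > /tmp/date.txt" runs /bin/date with stdout redirected, while "date; rm -rf /" is refused because ";" is never shell syntax here and fails the argument check.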


SETUP

You probably need a tool to force the negligent program (which is the attack vector for shell injection) to run notashell(1) in place of the normal shell (sh(1), bash(1)). See, for example, the noshellinject tool for this purpose (in the ../root-tools directory of notashell's source git repo).