Sanitize $PATH for find -execdir
find -execdir is recommended over -exec; the manual says the latter has unavoidable security problems, which it lists in its BUGS section. man find says of -execdir:

If you use this option, you must ensure that your $PATH environment variable does not reference . ; otherwise, an attacker can run any commands they like by leaving an appropriately-named file in a directory in which you will run -execdir. The same applies to having entries in $PATH which are empty or which are not absolute directory names.

In a bash script, how do I comply with the manual's "must" and remove all relative or empty elements from $PATH?
You can sanitize PATH with the following bash function:
sanitize_PATH()
{
    local new_path=""
    local dir
    # Split on ':'; the ':' appended to "$PATH" terminates the last element
    # so read sees it too.
    while read -r -d: dir
    do
        # Keep only entries that start with '/'; '', '.' and relative
        # names such as 'bin' are dropped.
        if [[ $dir == /* ]]
        then
            new_path="$new_path:$dir"
        else
            echo "dropping from PATH: '$dir'"
        fi
    done <<< "$PATH:"
    # Strip the leading ':' left by the first append.
    PATH="${new_path#:}"
    echo PATH="$PATH"
}
Tests:
$ PATH=/usr/local/bin:/usr/bin:/bin sanitize_PATH
PATH=/usr/local/bin:/usr/bin:/bin
$ PATH=:/usr/local/bin:/usr/bin:/bin sanitize_PATH
dropping from PATH: ''
PATH=/usr/local/bin:/usr/bin:/bin
$ PATH=/usr/local/bin:/usr/bin:/bin: sanitize_PATH
dropping from PATH: ''
PATH=/usr/local/bin:/usr/bin:/bin
$ PATH=.:bin:/usr/local/bin:/usr/bin:/bin sanitize_PATH
dropping from PATH: '.'
dropping from PATH: 'bin'
PATH=/usr/local/bin:/usr/bin:/bin
$ PATH=/usr/local/bin::/usr/bin:/bin sanitize_PATH
dropping from PATH: ''
PATH=/usr/local/bin:/usr/bin:/bin
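As an added example (not part of the answer above and not findutils' own code; the function names are this example's own), the same cleanup written as side-effect-free POSIX sh functions, so it works in bash and in scripts that run under /bin/sh. path_is_safe checks the manual's condition without changing anything, sanitized_path prints a cleaned, de-duplicated copy, and a hypothetical wrapper find_execdir_safely applies the clean PATH to just the find invocation (and so to every -execdir child) and refuses to run when no absolute entry is left, since an empty PATH is itself one empty entry and therefore unsafe.

```shell
#!/bin/sh
# Added example: POSIX sh helpers for the find -execdir PATH rule.
# Not from the original answer or from findutils; function names are
# this example's own. Entries are split on ':' with parameter expansion,
# so no bash arrays or here-strings are needed.

# Return 0 if every entry of the PATH string in $1 is an absolute
# directory name; return 1 on the first empty or relative entry.
# An empty string is one empty entry (it resolves to the current
# directory at exec time), so it is unsafe.
path_is_safe() {
    local rest entry
    rest="$1:"                     # trailing ':' terminates the last entry
    while [ -n "$rest" ]; do
        entry=${rest%%:*}          # text before the first ':'
        rest=${rest#*:}            # drop that entry and its ':'
        case $entry in
            /*) ;;                 # absolute: fine
            *)  return 1 ;;        # '', '.', 'bin', ...: unsafe
        esac
    done
    return 0
}

# Print a copy of the PATH string in $1 that keeps only absolute
# entries, in their original order, with duplicates removed.
# Each dropped entry is reported on stderr.
sanitized_path() {
    local rest entry out
    rest="$1:"
    out=""
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        case $entry in
            /*)
                case ":$out:" in
                    *":$entry:"*) ;;                    # already present
                    *) out="${out:+$out:}$entry" ;;     # append
                esac ;;
            *)  printf "dropping from PATH: '%s'\n" "$entry" >&2 ;;
        esac
    done
    printf '%s\n' "$out"
}

# Hypothetical wrapper: run find with a clean PATH exported only to
# that invocation (and therefore to every -execdir child). Refuse to
# run when the cleaned PATH is empty rather than hand find an empty,
# and thus unsafe, PATH.
#   find_execdir_safely /var/log -name '*.log' -execdir gzip {} \;
find_execdir_safely() {
    local clean
    clean=$(sanitized_path "${PATH-}")
    if [ -z "$clean" ]; then
        echo "find_execdir_safely: no absolute directory left in PATH, refusing to run" >&2
        return 1
    fi
    PATH=$clean find "$@"
}
```

Unlike sanitize_PATH above, sanitized_path does not modify PATH itself, so a script can decide what to do with the result; the wrapper shows the find-only scoping, and a script that wants a hard stop instead can just test path_is_safe "$PATH" and exit.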