[HN Gopher] Run unknown shell script with a line-by-line confirm...
       ___________________________________________________________________
        
       Run unknown shell script with a line-by-line confirmation prompt
        
       Author : wlib
       Score  : 26 points
       Date   : 2021-04-14 20:35 UTC (2 hours ago)
        
 (HTM) web link (gist.github.com)
 (TXT) w3m dump (gist.github.com)
        
       | jdeaton wrote:
       | Can I use it to run itself?
        
         | wlib wrote:
         | Not without some modifications, which I did not make because
         | the complexity would get crazy with shell scripting
        
       | tyingq wrote:
       | You can fool it with ^H (Insert with ^V^H in vim)
       | 
       |     #!/bin/sh
       |     rm not ^H^H^H^H expected
       | 
       | Gives:
       | 
       |     -> rm  expected
       |     Run command? [Y/n]
       |     rm: cannot remove 'not': No such file or directory
       |     rm: cannot remove ''$'\b\b\b\b': No such file or directory
       |     rm: cannot remove 'expected': No such file or directory
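
Added example (not from the thread or the linked gist): a pre-flight check for the backspace trick in the comment above. It flags script lines that contain control bytes and prints them in caret notation, so `^H` is visible before anything is confirmed. The function names and the sample script are constructed for illustration; `cat -v` is assumed to be available (GNU, BSD and BusyBox provide it).

```shell
#!/bin/sh
# Added example: find control bytes that a terminal would render invisibly
# (backspace, carriage return, ESC sequences) in a script before running it.

# Constructed sample reproducing the script from the comment:
# "rm not ^H^H^H^H expected", where ^H is a literal backspace byte.
make_sample() {
    printf '#!/bin/sh\nrm not \b\b\b\b expected\necho done\n'
}

# Succeeds if the string contains a control byte other than tab or newline.
# tr -cd keeps only bytes 0x01-0x08, 0x0B-0x1F and 0x7F; any survivor is a hit.
has_control_bytes() {
    [ -n "$(printf '%s' "$1" | LC_ALL=C tr -cd '\001-\010\013-\037\177')" ]
}

# Prints "LINE_NUMBER: text" for every flagged line, with control bytes shown
# in caret notation by cat -v. Exit status is 0 only if no line was flagged.
audit_script() {
    n=0
    flagged=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        if has_control_bytes "$line"; then
            flagged=$((flagged + 1))
            printf '%d: %s\n' "$n" "$(printf '%s' "$line" | cat -v)"
        fi
    done < "$1"
    [ "$flagged" -eq 0 ]
}

# Stand-alone use: sh audit.sh path/to/script
if [ $# -gt 0 ]; then
    audit_script "$1"
fi
```

A prompt built on the same idea would pass each line through `cat -v` before asking, so what is displayed matches the bytes the shell will execute.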
        
       | rhizome wrote:
       | Possibly relevant, the bash restricted shell (bash -r):
       | 
       | https://www.gnu.org/software/bash/manual/html_node/The-Restr...
        
       | eurasiantiger wrote:
       | It's probably possible to craft a script that looks innocuous
       | line-by-line, but does something malicious as a whole.
        
         | LinuxBender wrote:
         | Indeed. If the person does not understand why/what is encoded
         | by things like _xxd_ or _base64_ or using _tr_ to swap/filter
         | characters, then one should hopefully pull the eject lever.
         | When in doubt, one can sandbox scripts and see what they are in
         | effect trying to do.
        
       | barbazoo wrote:
       | > Useful for running unknown scripts
       | 
       | Or just, you know, read them before you run them.
        
       | protomyth wrote:
       | It would be interesting to have a shell that allowed transactions
       | like a database and could list what files have been affected
       | while in the transaction.
        
       | opk wrote:
       | You can also do this with bashdb which is possibly also a more
       | robust solution.
        
         | e40 wrote:
         | Why isn't this solution robust? Seems like using the DEBUG trap
         | would be very robust.
        
       | m463 wrote:
       | accept_whatsapp_terms_and_conditions="true"
       | Run command? [Y/n]
        
       ___________________________________________________________________
       (page generated 2021-04-14 23:00 UTC)