top | item 26812696

Show HN: Run unknown shell script with a line-by-line confirmation prompt

158 points | wlib | 5 years ago | gist.github.com

82 comments

[+] tyingq|5 years ago|reply
You can fool it with ^H (Insert with ^V^H in vim)

  #!/bin/sh
  rm not ^H^H^H^H expected
Gives:

  -> rm  expected
  Run command? [Y/n] 
  rm: cannot remove 'not': No such file or directory
  rm: cannot remove ''$'\b\b\b\b': No such file or directory
  rm: cannot remove 'expected': No such file or directory
[+] wlib|5 years ago|reply
I updated to fix that, thanks for pointing it out. It had to do with echo printing the command with your backspace characters escaped. See if you can break it now, it's interesting how many weird cases exist in TTYs.
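The bypass tyingq shows and the fix wlib describes both come down to how the prompt renders the line before asking. Here is an added example (not the gist's code) that renders every byte outside printable ASCII as a visible escape and counts the lines that carry such bytes; the function names are mine.

```shell
#!/bin/sh
# Added example, not the gist's code: make control characters visible before
# asking "Run command?", so a backspace/CR/ESC sequence cannot hide part of a line.

# Render one command line with every byte outside printable ASCII shown as \xNN.
# Backslashes are doubled so the rendered text stays unambiguous.
render_cmd() {
  printf '%s' "$1" | LC_ALL=C awk '
    BEGIN { for (i = 1; i < 256; i++) ord[sprintf("%c", i)] = i }
    {
      out = ""
      for (i = 1; i <= length($0); i++) {
        c = substr($0, i, 1)
        if (c == "\\")                        out = out "\\\\"
        else if (ord[c] < 32 || ord[c] > 126) out = out sprintf("\\x%02x", ord[c])
        else                                  out = out c
      }
      print out
    }'
}

# True if the line contains any byte outside printable ASCII (0x20-0x7e).
# Non-ASCII bytes are flagged too, which also catches look-alike Unicode characters.
has_nonprintable() {
  [ $(( $(printf '%s' "$1" | LC_ALL=C tr -d '\040-\176' | wc -c) )) -gt 0 ]
}

# Walk a script line by line: print each rendered line to stderr, mark the ones
# carrying hidden bytes with "!!", and print the number of marked lines to stdout.
flag_hidden_lines() {
  n=0
  while IFS= read -r line || [ -n "$line" ]; do
    if has_nonprintable "$line"; then n=$((n + 1)); mark='!!'; else mark='  '; fi
    printf '%s -> %s\n' "$mark" "$(render_cmd "$line")" >&2
  done < "$1"
  echo "$n"
}

# Demo on a constructed three-line script that reproduces tyingq's trick.
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp)
  printf '#!/bin/sh\necho hello\nrm not \b\b\b\b expected\n' > "$tmp"
  flag_hidden_lines "$tmp"
  rm -f "$tmp"
fi
```

Run it with `--demo` to see the backspace line rendered as `rm not \x08\x08\x08\x08 expected` and marked with `!!`.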
[+] cookiengineer|5 years ago|reply
What would be amazing is a tool that analyses the script first, figures out the folders and files (and networking) it influences, and allows you to sandbox it accordingly.

This script wants to modify:

- /usr/local/program/*

- /etc/program/*

- $HOME/.program

Do you want to execute this? [Yes/No]

...because, you know, what happens when you execute a script that does rm -rf /usr in the 100th step?

[+] dwohnitmok|5 years ago|reply
In its full generality this runs afoul of the halting problem.

That doesn't mean what you want is completely unattainable, you just need to figure out whether you're okay with false positives, false negatives, or your tool just giving up on certain scripts (or some combination thereof).

[+] krageon|5 years ago|reply
You could do this by running your script pivot mounted into a namespace that mounts your "real" filesystem as readonly and layers with overlayfs to log changes. You can then terminate the script if the overlay diff gets too large (I assume on a 100GB disk you don't want 60GB of changes, and in any case you could tell it what to expect beforehand). That saves you having to do all this complicated analysing for files and folders and replaces it with something relatively foolproof.
[+] imhoguy|5 years ago|reply
This could easily be implemented on top of Docker filesystem overlays/snapshots. You just run the script in question, e.g. in a fresh Ubuntu container, and then compare the overlay directories to see what changed.
[+] mlyle|5 years ago|reply
Very difficult to do in any kind of robust way. A script can run all kinds of things and use myriad forms of obfuscation, causing all kinds of obscure side effects.
[+] totetsu|5 years ago|reply
Back on Windows XP I ran a tool called BlackICE that did this.
[+] scintill76|5 years ago|reply
I’ll nitpick. I think

> # Ask for only a single character of input, so the user does not need to type an extra enter

plus

> echo "Please answer by typing n (for no), y (for yes), or Enter (also for yes)"

seems like it will lead to “y[enter]” so you accidentally accept a second line before you read it.

[+] macintux|5 years ago|reply
In addition, for security reasons I think you’d want the default behavior to be no, not yes. Seems like dropping enter entirely is the right choice.
[+] searchableguy|5 years ago|reply
This is exactly what Deno is useful for. Write your script in TypeScript and then run it with deno --prompt.

I made a little demonstration script.

    deno run --prompt https://crux.land/4Lc2E2
Spoiler: https://share.getcloudapp.com/ApuYR00w if you can't run above.
[+] eurasiantiger|5 years ago|reply
It’s probably possible to craft a script that looks innocuous line-by-line, but does something malicious as a whole.
[+] LinuxBender|5 years ago|reply
Indeed. If the person does not understand why/what is encoded by things like xxd or base64 or using tr to swap/filter characters, then one should hopefully pull the eject lever. When in doubt, one can sandbox scripts and see what they are in effect trying to do.
[+] rhizome|5 years ago|reply
Possibly relevant, the bash restricted shell (bash -r):

https://www.gnu.org/software/bash/manual/html_node/The-Restr...

[+] comboy|5 years ago|reply
> When a command that is found to be a shell script is executed (see Shell Scripts), rbash turns off any restrictions in the shell spawned to execute the script.

Can you provide an example of a scenario where this restricted shell is useful?

[+] opk|5 years ago|reply
You can also do this with bashdb which is possibly also a more robust solution.
[+] e40|5 years ago|reply
Why isn't this solution robust? Seems like using the DEBUG trap would be very robust.
[+] tessellated|5 years ago|reply
Yes, I was instantly reminded of the time I implemented the core functionality of the 'time' command in shell script, only to find out about it months later.
[+] qiqitori|5 years ago|reply
Seconded. It's crazy that so few people seem to know about bashdb. I don't know of many other languages that are commonly used without using a debugger.
[+] protomyth|5 years ago|reply
It would be interesting to have a shell that allowed transactions like a database and could list what files have been affected while in the transaction.
[+] Skunkleton|5 years ago|reply
You could snapshot your filesystem, then run the script and diff against the snapshot. Isolating executables (even shell scripts) is really outside the scope of what a shell normally provides.
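krageon's overlay diff and Skunkleton's snapshot-and-diff are the same mechanism: capture the tree, run the script, report what changed. The following is an added example (not from any tool in the thread) that does this portably with a checksum manifest instead of overlayfs or Docker, so it needs no root; the function names are mine.

```shell
#!/bin/sh
# Added example, not from any tool in the thread: a portable stand-in for the
# overlay/snapshot diff. It needs no root or Docker: record a manifest of a
# directory tree before and after running a script and report what changed.
# Limitations: paths containing whitespace are not handled (cksum output is
# split on blanks), and permission or ownership changes are ignored.

# Write "checksum size path" for every regular file under $1 into manifest $2.
snapshot_tree() {
  ( cd "$1" && find . -type f -exec cksum {} + ) | sort -k3 > "$2"
}

# Compare two manifests ($1 = before, $2 = after, distinct files); print one
# line per path that was added, removed or modified (size or checksum differs).
tree_changes() {
  awk '
    FILENAME == ARGV[1] { before[$3] = $1 " " $2; next }
    { after[$3] = $1 " " $2 }
    END {
      for (f in after)  if (!(f in before)) print "added    " f
      for (f in before) if (!(f in after))  print "removed  " f
      for (f in after)  if ((f in before) && before[f] != after[f]) print "modified " f
    }' "$1" "$2" | sort
}

# Run script $2 with sh and report which files under watched dir $1 it touched.
# Returns the script's own exit status.
run_and_report() {
  b=$(mktemp); a=$(mktemp)
  snapshot_tree "$1" "$b"
  sh "$2"; status=$?
  snapshot_tree "$1" "$a"
  tree_changes "$b" "$a"
  rm -f "$b" "$a"
  return "$status"
}
```

Point it at a copy of the directories you care about (or a throwaway VM's root) rather than the live system; the manifest only tells you what changed, it does not prevent the change.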
[+] slaymaker1907|5 years ago|reply
PowerShell technically does, though I think it is deprecated. It also seems to be less of a security feature and more a tool for keeping the system stable.
[+] m463|5 years ago|reply

  accept_whatsapp_terms_and_conditions="true"
  Run command? [Y/n]
[+] barbazoo|5 years ago|reply
> Useful for running unknown scripts

Or just, you know, read them before you run them.

[+] dang|5 years ago|reply
"Please respond to the strongest plausible interpretation of what someone says, not a weaker one that's easier to criticize. Assume good faith."

"Please don't post shallow dismissals, especially of other people's work. A good critical comment teaches us something."

https://news.ycombinator.com/newsguidelines.html

[+] klyrs|5 years ago|reply
One complication is that websites can hijack your copy buffer, and the text you paste isn't the text you copied. I avoid this by pasting into an editor, not directly into a shell.
[+] dumpsterdiver|5 years ago|reply
If you are considering using this tool, then I would suggest that you seriously reevaluate your life choices. You should never run shell scripts without reading them first, ever. That is so irresponsible. Validating shell scripts will make you a more competent and informed worker. Tools like this breed incompetence, and encourage carelessness.
[+] martinald|5 years ago|reply
I assume you also read all the source code for every program you run too?
[+] Waterluvian|5 years ago|reply
I just don't see how this perspective lives in the real world.

It's basically, "get off the shoulders of giants. If you aren't expert enough to detect exploits in <lang> then you're not worthy enough."

How would you ever begin a career, let alone become a desirable team member?

[+] dataflow|5 years ago|reply
> You should never run shell scripts without reading them first, ever. That is so irresponsible.

Do you run on Gentoo, and presumably read the millions of lines of code your machine is running on?

People have been downloading and running executables almost pretty much as long as the internet has been around... and the world is still going 'round.

[+] GauntletWizard|5 years ago|reply
I want this to run my own shell scripts. I have a bunch of scripts that are halfway between "documentation" and "automation"; mostly the record of the last time I did X. Add a prompt to eval a command or two or change variables that are hard-coded, and it's IPython for shell.