From: Kevin Day Date: Fri, 6 Jun 2025 02:42:16 +0000 (-0500) Subject: Security: Explicitly define IFS to prevent misuse. X-Git-Url: https://git.kevux.org/?a=commitdiff_plain;h=HEAD;p=controller Security: Explicitly define IFS to prevent misuse. The scripts are written with certain expectations. This expectation may not be properly met if the `IFS` value is changed. This can potentially be used to create some sort of exploit. Explicitly define IFS and then do so at a local variable scope to prevent affecting the callers IFS setting. Simplify some of the Controller rules. --- diff --git a/data/data/controller/example/cgroup/rules/program/chromium.rule b/data/data/controller/example/cgroup/rules/program/chromium.rule index f332b70..38d455c 100644 --- a/data/data/controller/example/cgroup/rules/program/chromium.rule +++ b/data/data/controller/example/cgroup/rules/program/chromium.rule @@ -13,15 +13,21 @@ settings: script: start { - if [[ $(xhost | grep '^SI:localuser:some_user$') == "" ]] ; then - xhost SI:localuser:some_user - fi + main() { + local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope. - if [[ $DISPLAY == "" ]] ; then - export DISPLAY=:0.0 - fi + if [[ $(xhost | grep '^SI:localuser:some_user$') == "" ]] ; then + xhost SI:localuser:some_user + fi - export WEBKIT_DISABLE_COMPOSITING_MODE=1 + if [[ $DISPLAY == "" ]] ; then + export DISPLAY=:0.0 + fi + + export WEBKIT_DISABLE_COMPOSITING_MODE=1 + \} + + main ${*} } command: diff --git a/data/data/controller/example/cgroup/rules/program/falkon.rule b/data/data/controller/example/cgroup/rules/program/falkon.rule index f7458c5..94bd242 100644 --- a/data/data/controller/example/cgroup/rules/program/falkon.rule +++ b/data/data/controller/example/cgroup/rules/program/falkon.rule 
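Review bot: The new call `main ${*}` at the end of the chromium.rule start script expands the arguments unquoted, so they are word-split and glob-expanded before the hardened function sees them. That splitting uses whatever IFS is in effect outside `main`, because `local IFS` only applies inside the function body. `main "$@"` forwards each argument intact and does not depend on IFS at the call site. The same line is added to every other rule script in this commit, including `main ${*} &` in sleeper_3.rule and `install_main ${*}` in install.sh, which is probably where arguments containing spaces are most likely. Whether the controller passes any arguments to the rule scripts is not visible on this page.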
@@ -13,13 +13,19 @@ settings: script: start { - if [[ $(xhost | grep '^SI:localuser:some_user$') == "" ]] ; then - xhost SI:localuser:some_user - fi + main() { + local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope. - if [[ $DISPLAY == "" ]] ; then - export DISPLAY=:0.0 - fi + if [[ $(xhost | grep '^SI:localuser:some_user$') == "" ]] ; then + xhost SI:localuser:some_user + fi + + if [[ $DISPLAY == "" ]] ; then + export DISPLAY=:0.0 + fi + \} + + main ${*} } command: diff --git a/data/data/controller/example/cgroup/rules/program/firefox.rule b/data/data/controller/example/cgroup/rules/program/firefox.rule index 196d6d0..9f36b69 100644 --- a/data/data/controller/example/cgroup/rules/program/firefox.rule +++ b/data/data/controller/example/cgroup/rules/program/firefox.rule @@ -13,13 +13,19 @@ settings: script: start { - if [[ $(xhost | grep '^SI:localuser:some_user$') == "" ]] ; then - xhost SI:localuser:some_user - fi + main() { + local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope. - if [[ $DISPLAY == "" ]] ; then - export DISPLAY=:0.0 - fi + if [[ $(xhost | grep '^SI:localuser:some_user$') == "" ]] ; then + xhost SI:localuser:some_user + fi + + if [[ $DISPLAY == "" ]] ; then + export DISPLAY=:0.0 + fi + \} + + main ${*} } command: diff --git a/data/data/controller/example/cgroup/rules/program/terminator.rule b/data/data/controller/example/cgroup/rules/program/terminator.rule index 79f373e..d1ea68c 100644 --- a/data/data/controller/example/cgroup/rules/program/terminator.rule +++ b/data/data/controller/example/cgroup/rules/program/terminator.rule 
@@ -13,13 +13,19 @@ settings: script: start { - if [[ $(xhost | grep '^SI:localuser:some_user$') == "" ]] ; then - xhost SI:localuser:some_user - fi + main() { + local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope. - if [[ $DISPLAY == "" ]] ; then - export DISPLAY=:0.0 - fi + if [[ $(xhost | grep '^SI:localuser:some_user$') == "" ]] ; then + xhost SI:localuser:some_user + fi + + if [[ $DISPLAY == "" ]] ; then + export DISPLAY=:0.0 + fi + \} + + main ${*} } command: diff --git a/data/data/controller/example/cgroup/rules/setup/cgroups.rule b/data/data/controller/example/cgroup/rules/setup/cgroups.rule index b86e1ce..2020e5f 100644 --- a/data/data/controller/example/cgroup/rules/setup/cgroups.rule +++ b/data/data/controller/example/cgroup/rules/setup/cgroups.rule @@ -16,6 +16,8 @@ script: start { main() { + local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope. + # Example PATH containing the FLL programs at a custom isolated directory. PATH=/usr/local/fll/programs/shared/:$PATH @@ -148,5 +150,5 @@ script: return 0 \} - main + main ${*} } diff --git a/data/data/controller/example/init/rules/boot/devices.rule b/data/data/controller/example/init/rules/boot/devices.rule index 61d3038..f7a8418 100644 --- a/data/data/controller/example/init/rules/boot/devices.rule +++ b/data/data/controller/example/init/rules/boot/devices.rule @@ -14,15 +14,21 @@ settings: script: start { - if [[ ! -d /dev/pts ]] ; then - mkdir /dev/pts - fi + main() { + local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope. - if [[ ! -d /dev/shm ]] ; then - mkdir /dev/shm - fi + if [[ ! -d /dev/pts ]] ; then + mkdir /dev/pts + fi - exit 0 + if [[ ! -d /dev/shm ]] ; then + mkdir /dev/shm + fi + + return 0 + \} + + main ${*} } command: diff --git a/data/data/controller/example/init/rules/boot/file_system.rule b/data/data/controller/example/init/rules/boot/file_system.rule index 41e6932..fb763fe 100644 
--- a/data/data/controller/example/init/rules/boot/file_system.rule +++ b/data/data/controller/example/init/rules/boot/file_system.rule @@ -23,7 +23,13 @@ command: script: start { - if [[ ! -d /var/run/init ]] ; then - mkdir /var/run/init - fi + main() { + local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope. + + if [[ ! -d /var/run/init ]] ; then + mkdir /var/run/init + fi + \} + + main ${*} } diff --git a/data/data/controller/example/init/rules/boot/modules.rule b/data/data/controller/example/init/rules/boot/modules.rule index 5572d90..eb0c88c 100644 --- a/data/data/controller/example/init/rules/boot/modules.rule +++ b/data/data/controller/example/init/rules/boot/modules.rule @@ -12,17 +12,23 @@ settings: script: start { - if [[ ! -f /proc/modules ]] ; then - exit 0 - fi + main() { + local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope. - if [[ -d /modules ]] ; then - if [[ ! -e /modules/$(uname -r)/modules.dep ]] ; then - depmod - else - depmod -A + if [[ ! -f /proc/modules ]] ; then + exit 0 fi - fi - exit 0 + if [[ -d /modules ]] ; then + if [[ ! -e /modules/$(uname -r)/modules.dep ]] ; then + depmod + else + depmod -A + fi + fi + + return 0 + \} + + main ${*} } diff --git a/data/data/controller/example/init/rules/boot/proc.rule b/data/data/controller/example/init/rules/boot/proc.rule index acb9fa5..28b605f 100644 --- a/data/data/controller/example/init/rules/boot/proc.rule +++ b/data/data/controller/example/init/rules/boot/proc.rule 
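Review bot: In modules.rule the early exit inside the new `main` (the `/proc/modules` check) is still `exit 0`, while the end of the function was converted to `return 0`. Both give status 0 today, but `exit` inside the function terminates the whole shell and would skip anything later placed after the `main ${*}` call. Using `return 0` in that branch keeps the function consistent with the other scripts converted in this commit.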
@@ -13,17 +13,29 @@ command: script: start { - if [[ -d /proc/bus/usb ]] ; then - mount /proc/bus/usb - fi + main() { + local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope. - exit 0 + if [[ -d /proc/bus/usb ]] ; then + mount /proc/bus/usb + fi + + return 0 + \} + + main ${*} } stop { - if [[ -d /proc/bus/usb ]] ; then - umount -l /proc/bus/usb - fi + main() { + local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope. + + if [[ -d /proc/bus/usb ]] ; then + umount -l /proc/bus/usb + fi + + return 0 + \} - exit 0 + main ${*} } diff --git a/data/data/controller/example/init/rules/boot/root.rule b/data/data/controller/example/init/rules/boot/root.rule index 5f3abf6..dcdeae7 100644 --- a/data/data/controller/example/init/rules/boot/root.rule +++ b/data/data/controller/example/init/rules/boot/root.rule @@ -11,57 +11,18 @@ command: script: start { - if [[ ! -d /dev ]] ; then - mkdir /dev - fi + main() { + local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope. + local i= - if [[ ! -d /dev/pts ]] ; then - mkdir /dev/pts - fi + for i in /dev /dev/pts /dev/shm /firmware /mnt /modules /proc /sys /tmp /var /var/log /var/run /var/tmp ; do + if [[ ! -d ${i} ]] ; then + mkdir ${i} + fi + done - if [[ ! -d /dev/shm ]] ; then - mkdir /dev/shm - fi + return 0 + \} - if [[ ! -d /firmware ]] ; then - mkdir /firmware - fi - - if [[ ! -d /mnt ]] ; then - mkdir /mnt - fi - - if [[ ! -d /modules ]] ; then - mkdir /modules - fi - - if [[ ! -d /proc ]] ; then - mkdir /proc - fi - - if [[ ! -d /sys ]] ; then - mkdir /sys - fi - - if [[ ! -d /tmp ]] ; then - mkdir /tmp - fi - - if [[ ! -d /var ]] ; then - mkdir /var - fi - - if [[ ! -d /var/log ]] ; then - mkdir /var/log - fi - - if [[ ! -d /var/run ]] ; then - mkdir /var/run - fi - - if [[ ! -d /var/tmp ]] ; then - mkdir /var/tmp - fi - - exit 0 + main ${*} } 
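Review bot: The loop in root.rule creates `/tmp` and `/var/tmp` with a plain `mkdir ${i}`, so their mode comes from the umask and neither directory gets the sticky bit. If nothing later in the boot sequence sets the permissions (not visible in this hunk), they are either unusable for ordinary users or, once made world-writable, let users remove each other's files. Consider handling those two paths separately with `mkdir -m 1777 "${i}"` and quoting the expansion in the loop. The function also returns 0 even when a `mkdir` fails, so a failed directory creation is not reported to the controller.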
diff --git a/data/data/controller/example/init/rules/net/loopback.rule b/data/data/controller/example/init/rules/net/loopback.rule index 9377cdd..1ac8841 100644 --- a/data/data/controller/example/init/rules/net/loopback.rule +++ b/data/data/controller/example/init/rules/net/loopback.rule @@ -10,10 +10,22 @@ settings: script: start { - ip addr add 127.0.0.1/8 label lo dev lo - ip link set lo up + main() { + local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope. + + ip addr add 127.0.0.1/8 label lo dev lo + ip link set lo up + \} + + main ${*} } stop { - ip link set lo down + main() { + local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope. + + ip link set lo down + \} + + main ${*} } diff --git a/data/data/controller/example/init/rules/service/mouse.rule b/data/data/controller/example/init/rules/service/mouse.rule index ad97095..ecfcb38 100644 --- a/data/data/controller/example/init/rules/service/mouse.rule +++ b/data/data/controller/example/init/rules/service/mouse.rule @@ -10,10 +10,16 @@ settings: script: start { - # This works if gpm service is run as root, but if not then this should be in a separate rule file with appropriate access to write to /var/run (don't forget to chown!). - if [[ ! -d /var/run/mouse/ && -d /var/run ]] ; then - mkdir /var/run/mouse/ - fi + main() { + local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope. + + # This works if gpm service is run as root, but if not then this should be in a separate rule file with appropriate access to write to /var/run (don't forget to chown!). + if [[ ! -d /var/run/mouse/ && -d /var/run ]] ; then + mkdir /var/run/mouse/ + fi + \} + + main ${*} } service: diff --git a/data/data/controller/example/init/rules/task/clock.rule b/data/data/controller/example/init/rules/task/clock.rule index 663f159..6463e57 100644 --- a/data/data/controller/example/init/rules/task/clock.rule +++ b/data/data/controller/example/init/rules/task/clock.rule 
@@ -13,27 +13,33 @@ settings: script: start { - clock_file=/etc/clock - clock_mode= - clock_server= - clock_ntpdate= + main() { + local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope. - if [[ -f $clock_file ]] ; then - clock_mode=$(fss_basic_read -can 0 mode $clock_file); - clock_server=$(fss_basic_read -can 0 server $clock_file) - clock_ntpdate=$(fss_basic_read -can 0 ntpdate $clock_file) - fi + local clock_file=/etc/clock + local clock_mode= + local clock_server= + local clock_ntpdate= - if [[ $clock_mode == "local" ]] ; then - hwclock --hctosys; - elif [[ $clock_mode == "ntp" ]] ; then - if [[ $clock_ntpdate == "yes" ]] ; then - ntpdate $clock_server && - hwclock --systohc --utc + if [[ -f $clock_file ]] ; then + clock_mode=$(fss_basic_read -can 0 mode $clock_file); + clock_server=$(fss_basic_read -can 0 server $clock_file) + clock_ntpdate=$(fss_basic_read -can 0 ntpdate $clock_file) fi - elif [[ $clock_mode == "ntpdate" && $clock_host != "" ]] ; then - ntpdate $clock_server - elif [[ $clock_mode == "utc" ]] ; then - hwclock --hctosys --utc; - fi + + if [[ $clock_mode == "local" ]] ; then + hwclock --hctosys; + elif [[ $clock_mode == "ntp" ]] ; then + if [[ $clock_ntpdate == "yes" ]] ; then + ntpdate $clock_server && + hwclock --systohc --utc + fi + elif [[ $clock_mode == "ntpdate" && $clock_host != "" ]] ; then + ntpdate $clock_server + elif [[ $clock_mode == "utc" ]] ; then + hwclock --hctosys --utc; + fi + \} + + main ${*} } diff --git a/data/data/controller/example/init/rules/task/ntpdate.rule b/data/data/controller/example/init/rules/task/ntpdate.rule index 5956114..f8d35bd 100644 --- a/data/data/controller/example/init/rules/task/ntpdate.rule +++ b/data/data/controller/example/init/rules/task/ntpdate.rule 
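Review bot: The `ntpdate` branch in clock.rule tests `$clock_host`, which is not assigned anywhere in the visible script; the variable that is declared `local` and read from `/etc/clock` is `clock_server`. As written the branch only runs if `clock_host` arrives from the environment, and `ntpdate` is then called with a server value that was never checked. The condition should read `[[ $clock_mode == "ntpdate" && $clock_server != "" ]]`, and the same line is carried into ntpdate.rule. The values read from the file are also passed unquoted, so `ntpdate "$clock_server"` and `"$clock_file"` would stop a malformed entry from being split into extra arguments.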
@@ -13,16 +13,22 @@ settings: script: start { - clock_file=/etc/clock - clock_mode= - clock_server= + main() { + local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope. - if [[ -f $clock_file ]] ; then - clock_mode=$(fss_basic_read -can 0 mode $clock_file); - clock_server=$(fss_basic_read -can 0 server $clock_file) - fi + local clock_file=/etc/clock + local clock_mode= + local clock_server= - if [[ $clock_mode == "ntpdate" && $clock_host != "" ]] ; then - ntpdate $clock_server - fi + if [[ -f $clock_file ]] ; then + clock_mode=$(fss_basic_read -can 0 mode $clock_file); + clock_server=$(fss_basic_read -can 0 server $clock_file) + fi + + if [[ $clock_mode == "ntpdate" && $clock_host != "" ]] ; then + ntpdate $clock_server + fi + \} + + main ${*} } diff --git a/data/data/controller/example/miscellaneous/rules/command/multiple.rule b/data/data/controller/example/miscellaneous/rules/command/multiple.rule index 8b3fd73..32ff117 100644 --- a/data/data/controller/example/miscellaneous/rules/command/multiple.rule +++ b/data/data/controller/example/miscellaneous/rules/command/multiple.rule @@ -19,20 +19,32 @@ settings: script: start { - echo - echo "Current ulimit is" - ulimit -a - sleep 5 - - echo - echo "Current cgroup for self (PPID $PPID, PID $$) is: '$(cat /proc/self/cgroup)'" - sleep 5 + main() { + local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope. + + echo + echo "Current ulimit is" + ulimit -a + sleep 5 + + echo + echo "Current cgroup for self (PPID $PPID, PID $$) is: '$(cat /proc/self/cgroup)'" + sleep 5 + \} + + main ${*} } command: start { - id - sleep 5 + main() { + local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope. + + id + sleep 5 + \} + + main ${*} } script: diff --git a/data/data/controller/example/miscellaneous/rules/environment/default.rule b/data/data/controller/example/miscellaneous/rules/environment/default.rule index 4efe7e4..dffe66b 100644 
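Review bot: The second `start` block in multiple.rule sits under `command:`, not `script:`, yet it receives the same `main() { … \}` wrapper and `main ${*}` call as the shell scripts. If the controller runs `command:` entries directly rather than through a shell (this page does not show which), the function definition and the `local IFS` line are not valid there and `id` and `sleep 5` would no longer run. Either leave that block as the two plain commands or move it under a `script:` section.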
--- a/data/data/controller/example/miscellaneous/rules/environment/default.rule +++ b/data/data/controller/example/miscellaneous/rules/environment/default.rule @@ -9,10 +9,16 @@ settings: script: start { - echo - echo "===================================" - echo "Environment using default settings." - echo "===================================" + main() { + local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope. - env + echo + echo "===================================" + echo "Environment using default settings." + echo "===================================" + + env + \} + + main ${*} } diff --git a/data/data/controller/example/miscellaneous/rules/environment/empty.rule b/data/data/controller/example/miscellaneous/rules/environment/empty.rule index c041187..fdb4794 100644 --- a/data/data/controller/example/miscellaneous/rules/environment/empty.rule +++ b/data/data/controller/example/miscellaneous/rules/environment/empty.rule @@ -10,10 +10,16 @@ settings: script: start { - echo - echo "=============================" - echo "Environment allowing nothing." - echo "=============================" + main() { + local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope. - env + echo + echo "=============================" + echo "Environment allowing nothing." + echo "=============================" + + env + \} + + main ${*} } diff --git a/data/data/controller/example/miscellaneous/rules/environment/exported.rule b/data/data/controller/example/miscellaneous/rules/environment/exported.rule index d8c204f..a7e626b 100644 --- a/data/data/controller/example/miscellaneous/rules/environment/exported.rule +++ b/data/data/controller/example/miscellaneous/rules/environment/exported.rule 
@@ -10,10 +10,16 @@ settings: script: start { - echo - echo "==========================" - echo "Environment allowing PATH." - echo "==========================" + main() { + local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope. - env + echo + echo "==========================" + echo "Environment allowing PATH." + echo "==========================" + + env + \} + + main ${*} } diff --git a/data/data/controller/example/miscellaneous/rules/environment/exporting.rule b/data/data/controller/example/miscellaneous/rules/environment/exporting.rule index d2b3dad..5b4cd9b 100644 --- a/data/data/controller/example/miscellaneous/rules/environment/exporting.rule +++ b/data/data/controller/example/miscellaneous/rules/environment/exporting.rule @@ -10,15 +10,21 @@ settings: script: start { - echo - echo "=================================" - echo "Exported Environment is isolated." - echo "=================================" + main() { + local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope. - export custom_variable="is not retained" - echo "export custom_variable='$custom_variable'" - echo - echo "Now for 'env' command:" + echo + echo "=================================" + echo "Exported Environment is isolated." + echo "=================================" + + export custom_variable="is not retained" + echo "export custom_variable='$custom_variable'" + echo + echo "Now for 'env' command:" + \} + + main ${*} } command: diff --git a/data/data/controller/example/miscellaneous/rules/maintenance/boom.rule b/data/data/controller/example/miscellaneous/rules/maintenance/boom.rule index 7278506..4a4fa8d 100644 --- a/data/data/controller/example/miscellaneous/rules/maintenance/boom.rule +++ b/data/data/controller/example/miscellaneous/rules/maintenance/boom.rule @@ -6,6 +6,12 @@ settings: script: start { - echo "kaboooom!" + main() { + local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope. + + echo "kaboooom!" + \} + + main ${*} } 
diff --git a/data/data/controller/example/miscellaneous/rules/script/create_socket_path.rule b/data/data/controller/example/miscellaneous/rules/script/create_socket_path.rule index 796b366..5b3b210 100644 --- a/data/data/controller/example/miscellaneous/rules/script/create_socket_path.rule +++ b/data/data/controller/example/miscellaneous/rules/script/create_socket_path.rule @@ -8,7 +8,13 @@ settings: script: start { - if [[ ! -d "parameter:"socket"" ]] ; then - mkdir parameter:"verbose" -p parameter:"socket" - fi + main() { + local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope. + + if [[ ! -d "parameter:"socket"" ]] ; then + mkdir parameter:"verbose" -p parameter:"socket" + fi + \} + + main ${*} } diff --git a/data/data/controller/example/miscellaneous/rules/script/fail.rule b/data/data/controller/example/miscellaneous/rules/script/fail.rule index dd77b41..536b4e5 100644 --- a/data/data/controller/example/miscellaneous/rules/script/fail.rule +++ b/data/data/controller/example/miscellaneous/rules/script/fail.rule @@ -7,8 +7,12 @@ settings: script: start { \#!/bin/bash + my_function() { + local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope. + echo "Hello this is the last script, it should trigger failure." + return 1; \} diff --git a/data/data/controller/example/miscellaneous/rules/script/iki.rule b/data/data/controller/example/miscellaneous/rules/script/iki.rule index c451918..6f34ddb 100644 --- a/data/data/controller/example/miscellaneous/rules/script/iki.rule +++ b/data/data/controller/example/miscellaneous/rules/script/iki.rule 
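Review bot: In create_socket_path.rule the directory test quotes the substituted value (`"parameter:"socket""`) but the `mkdir` line passes `parameter:"socket"` bare. Assuming the controller substitutes the parameter textually before the shell parses the script, a socket path containing whitespace or glob characters would be tested as one path and created as several, and a value beginning with `-` would be read as an option. Quoting it the same way and ending option parsing, `mkdir parameter:"verbose" -p -- "parameter:"socket""`, keeps both lines operating on the same path.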
@@ -9,22 +9,29 @@ settings: script: start { \#!/bin/bash - echo "=====================================" - env - echo "=====================================" - echo "IKI Path is 'define:"PATH"'" - echo "IKI define IKI_TEST 'define:"IKI_TEST"'" - echo "ENV IKI_TEST '$IKI_TEST'" - echo "Some Parameter is 'parameter:"some"'" - echo "Unknown parameter is: 'parameter:"unknown"'" - echo "Unknown environment is: 'define:"unknown"'" - echo "Unavailable environment via IKI: 'define:"USER"'" - echo "Unavailable environment via ENV: '$USER'" - echo "Program parameter verbose: 'program:"verbose"'" - echo "Program parameter verbose(option): 'program:"verbose:option"'" - echo "Program parameter verbose(value): 'program:"verbose:value"'" - echo "Program parameter PID: 'program:"pid"'" - echo "Program parameter PID(option): 'program:"pid:option"'" - echo "Program parameter PID(value): 'program:"pid:value"'" - echo "=====================================" + + main() { + local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope. + + echo "=====================================" + env + echo "=====================================" + echo "IKI Path is 'define:"PATH"'" + echo "IKI define IKI_TEST 'define:"IKI_TEST"'" + echo "ENV IKI_TEST '$IKI_TEST'" + echo "Some Parameter is 'parameter:"some"'" + echo "Unknown parameter is: 'parameter:"unknown"'" + echo "Unknown environment is: 'define:"unknown"'" + echo "Unavailable environment via IKI: 'define:"USER"'" + echo "Unavailable environment via ENV: '$USER'" + echo "Program parameter verbose: 'program:"verbose"'" + echo "Program parameter verbose(option): 'program:"verbose:option"'" + echo "Program parameter verbose(value): 'program:"verbose:value"'" + echo "Program parameter PID: 'program:"pid"'" + echo "Program parameter PID(option): 'program:"pid:option"'" + echo "Program parameter PID(value): 'program:"pid:value"'" + echo "=====================================" + \} + + main ${*} } 
diff --git a/data/data/controller/example/miscellaneous/rules/serial/s_1.rule b/data/data/controller/example/miscellaneous/rules/serial/s_1.rule index bb84e2d..a661846 100644 --- a/data/data/controller/example/miscellaneous/rules/serial/s_1.rule +++ b/data/data/controller/example/miscellaneous/rules/serial/s_1.rule @@ -6,13 +6,25 @@ settings: script: start { - echo "Serial 1: sleeping $(date -u)" - sleep 1 - echo "Serial 1: slept $(date -u)" + main() { + local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope. + + echo "Serial 1: sleeping $(date -u)" + sleep 1 + echo "Serial 1: slept $(date -u)" + \} + + main ${*} } stop { - echo "Serial 1: stopping, sleeping $(date -u)" - sleep 1 - echo "Serial 1: stopping, slept $(date -u)" + main() { + local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope. + + echo "Serial 1: stopping, sleeping $(date -u)" + sleep 1 + echo "Serial 1: stopping, slept $(date -u)" + \} + + main ${*} } diff --git a/data/data/controller/example/miscellaneous/rules/serial/s_2.rule b/data/data/controller/example/miscellaneous/rules/serial/s_2.rule index 5496172..afb7392 100644 --- a/data/data/controller/example/miscellaneous/rules/serial/s_2.rule +++ b/data/data/controller/example/miscellaneous/rules/serial/s_2.rule @@ -7,13 +7,25 @@ settings: script: start { - echo "Serial 2: sleeping $(date -u)" - sleep 1 - echo "Serial 2: slept $(date -u)" + main() { + local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope. + + echo "Serial 2: sleeping $(date -u)" + sleep 1 + echo "Serial 2: slept $(date -u)" + \} + + main ${*} } stop { - echo "Serial 2: stopping, sleeping $(date -u)" - sleep 1 - echo "Serial 2: stopping, slept $(date -u)" + main() { + local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope. + + echo "Serial 2: stopping, sleeping $(date -u)" + sleep 1 + echo "Serial 2: stopping, slept $(date -u)" + \} + + main ${*} } 
diff --git a/data/data/controller/example/miscellaneous/rules/serial/s_3.rule b/data/data/controller/example/miscellaneous/rules/serial/s_3.rule index fee1d88..bc17f58 100644 --- a/data/data/controller/example/miscellaneous/rules/serial/s_3.rule +++ b/data/data/controller/example/miscellaneous/rules/serial/s_3.rule @@ -7,13 +7,25 @@ settings: script: start { - echo "Serial 3: sleeping $(date -u)" - sleep 1 - echo "Serial 3: slept $(date -u)" + main() { + local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope. + + echo "Serial 3: sleeping $(date -u)" + sleep 1 + echo "Serial 3: slept $(date -u)" + \} + + main ${*} } stop { - echo "Serial 3: stopping, sleeping $(date -u)" - sleep 1 - echo "Serial 3: stopping, slept $(date -u)" + main() { + local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope. + + echo "Serial 3: stopping, sleeping $(date -u)" + sleep 1 + echo "Serial 3: stopping, slept $(date -u)" + \} + + main ${*} } diff --git a/data/data/controller/example/miscellaneous/rules/serial/s_4.rule b/data/data/controller/example/miscellaneous/rules/serial/s_4.rule index ff7040f..b144dcc 100644 --- a/data/data/controller/example/miscellaneous/rules/serial/s_4.rule +++ b/data/data/controller/example/miscellaneous/rules/serial/s_4.rule @@ -7,13 +7,25 @@ settings: script: start { - echo "Serial 4: sleeping $(date -u)" - sleep 1 - echo "Serial 4: slept $(date -u)" + main() { + local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope. + + echo "Serial 4: sleeping $(date -u)" + sleep 1 + echo "Serial 4: slept $(date -u)" + \} + + main ${*} } stop { - echo "Serial 4: stopping, sleeping $(date -u)" - sleep 1 - echo "Serial 4: stopping, slept $(date -u)" + main() { + local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope. + + echo "Serial 4: stopping, sleeping $(date -u)" + sleep 1 + echo "Serial 4: stopping, slept $(date -u)" + \} + + main ${*} } 
diff --git a/data/data/controller/example/miscellaneous/rules/serial/s_5.rule b/data/data/controller/example/miscellaneous/rules/serial/s_5.rule index 11c7c6c..60b4a31 100644 --- a/data/data/controller/example/miscellaneous/rules/serial/s_5.rule +++ b/data/data/controller/example/miscellaneous/rules/serial/s_5.rule @@ -7,13 +7,25 @@ settings: script: start { - echo "Serial 5: sleeping $(date -u)" - sleep 1 - echo "Serial 5: slept $(date -u)" + main() { + local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope. + + echo "Serial 5: sleeping $(date -u)" + sleep 1 + echo "Serial 5: slept $(date -u)" + \} + + main ${*} } stop { - echo "Serial 5: stopping, sleeping $(date -u)" - sleep 1 - echo "Serial 5: stopping, slept $(date -u)" + main() { + local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope. + + echo "Serial 5: stopping, sleeping $(date -u)" + sleep 1 + echo "Serial 5: stopping, slept $(date -u)" + \} + + main ${*} } diff --git a/data/data/controller/example/miscellaneous/rules/serial/s_6.rule b/data/data/controller/example/miscellaneous/rules/serial/s_6.rule index 4eba10d..c6d971a 100644 --- a/data/data/controller/example/miscellaneous/rules/serial/s_6.rule +++ b/data/data/controller/example/miscellaneous/rules/serial/s_6.rule @@ -6,13 +6,25 @@ settings: script: start { - echo "Serial 6: sleeping $(date -u)" - sleep 1 - echo "Serial 6: slept $(date -u)" + main() { + local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope. + + echo "Serial 6: sleeping $(date -u)" + sleep 1 + echo "Serial 6: slept $(date -u)" + \} + + main ${*} } stop { - echo "Serial 6: stopping, sleeping $(date -u)" - sleep 1 - echo "Serial 6: stopping, slept $(date -u)" + main() { + local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope. + + echo "Serial 6: stopping, sleeping $(date -u)" + sleep 1 + echo "Serial 6: stopping, slept $(date -u)" + \} + + main ${*} } 
diff --git a/data/data/controller/example/miscellaneous/rules/utility/sleeper_1.rule b/data/data/controller/example/miscellaneous/rules/utility/sleeper_1.rule index 3a84e5f..3ac8048 100644 --- a/data/data/controller/example/miscellaneous/rules/utility/sleeper_1.rule +++ b/data/data/controller/example/miscellaneous/rules/utility/sleeper_1.rule @@ -11,6 +11,8 @@ utility: \#!/bin/bash main() { + local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope. + if [[ -f /tmp/sleeper_1.pid ]] ; then echo "Failure: pid file '/tmp/sleeper_1.pid' already exists." return 1 @@ -23,6 +25,7 @@ utility: echo "Sleeper 1, done sleeping." rm -f /tmp/sleeper_1.pid + return 0 \} diff --git a/data/data/controller/example/miscellaneous/rules/utility/sleeper_2.rule b/data/data/controller/example/miscellaneous/rules/utility/sleeper_2.rule index d44d332..89e8fec 100644 --- a/data/data/controller/example/miscellaneous/rules/utility/sleeper_2.rule +++ b/data/data/controller/example/miscellaneous/rules/utility/sleeper_2.rule @@ -11,6 +11,8 @@ utility: \#!/bin/bash main() { + local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope. + if [[ -f /tmp/sleeper_2.pid ]] ; then echo "Failure: pid file '/tmp/sleeper_2.pid' already exists." return 1 @@ -23,6 +25,7 @@ utility: echo "Sleeper 2, done sleeping." rm -f /tmp/sleeper_2.pid + return 0 \} diff --git a/data/data/controller/example/miscellaneous/rules/utility/sleeper_3.rule b/data/data/controller/example/miscellaneous/rules/utility/sleeper_3.rule index 04c8900..adf0ca8 100644 --- a/data/data/controller/example/miscellaneous/rules/utility/sleeper_3.rule +++ b/data/data/controller/example/miscellaneous/rules/utility/sleeper_3.rule @@ -11,6 +11,8 @@ utility: \#!/bin/bash main() { + local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope. + if [[ -f /tmp/sleeper_3.1.pid ]] ; then echo "Failure: pid file '/tmp/sleeper_3.1.pid' already exists." return 1 
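Review bot: The sleeper_1.rule script guards on a fixed name in a world-writable directory, `[[ -f /tmp/sleeper_1.pid ]]`, and later runs `rm -f /tmp/sleeper_1.pid`. The step that writes the pid file lies outside this hunk, but a separate test followed by a later create is not atomic, and any local user can pre-create that name or, depending on how the file is written, place a link there. Keeping the pid file in a directory only the service can write, for example under `/var/run`, removes that exposure. sleeper_2.rule and both scripts in sleeper_3.rule use the same pattern.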
@@ -23,10 +25,11 @@ utility: echo "Sleeper 3.1, done sleeping." rm -f /tmp/sleeper_3.1.pid + return 0 \} - main & + main ${*} & } utility: @@ -35,6 +38,8 @@ utility: \#!/bin/bash main() { + local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope. + if [[ -f /tmp/sleeper_3.2.pid ]] ; then echo "Failure: pid file '/tmp/sleeper_3.2.pid' already exists." return 1 @@ -47,8 +52,9 @@ utility: echo "Sleeper 3.2, done sleeping." rm -f /tmp/sleeper_3.2.pid + return 0 \} - main & + main ${*} & } diff --git a/install.sh b/install.sh index c8972d1..fb971b5 100755 --- a/install.sh +++ b/install.sh @@ -14,6 +14,7 @@ # install_main() { + local IFS=$' \t\n' # Prevent IFS exploits by overriding with a local scope. if [[ ${SHELL_ENGINE} == "zsh" ]] ; then emulate ksh @@ -877,4 +878,4 @@ install_cleanup() { unset install_cleanup } -install_main $* +install_main ${*}