stdmux does not neccessarily require double dash as an options–command separator...
[hband-tools.git] / user-tools / notashell
1 #!/usr/bin/env perl
3 =pod
5 =head1 NAME
7 notashell - A non-interactive shell lacking of any shell syntax
9 =head1 SYNOPSIS
11 notashell -c I<COMMANDLINE>
15 notashell(1) is a program with non-interactive shell interface (ie. C<sh -c commandLine>),
16 and intentionally does not understand any shell syntax or meta character,
17 rather takes the first word of I<COMMANDLINE> and executes it as a single command
18 with all of the rest of I<COMMANDLINE> as its arguments.
20 This is useful when you have a program which normally calls some other commands via shell (eg. system(3)),
21 notably with user-controlled parts in it, ie. data from an untrusted source.
22 This potentially makes the call vulnerable to shell-injection.
23 Like incrond(8) since 2015, which triggered the author to make this defense tool.
25 These kind of programs usually try to guard by escaping user input,
26 but it often turns out that the re-implemented shell-escape mechanism was bad or incomplete.
28 Using notashell(1) enables you to fully evade this type of shell-injection attacks.
29 Since if you control at least the first word of I<COMMANDLINE>,
30 you can trustworthly call a program (wrapper script) in which the supplied I<COMMANDLINE>
31 can be re-examined, accepted, rejected, rewritten, etc.
32 and pass the execution forward now with verified user input.
34 No need to think on "is it safe to run by shell?" or quotation-mark/escape-backslash forests ever again.
36 =head1 FILES
38 Customize how I<COMMANDLINE> is parsed by F</etc/notashell/>.
39 If this file exists, notashell(1) executes it inside its main context,
40 so in you can build in custom logic.
41 There are some perl variables accessible:
42 B<$CommandString>, B<@CommandArgs>, and B<$ExecName>.
44 B<$CommandString> is just the I<COMMANDLINE> and recommended that only read it in,
45 because changing it does not affect what will be executed.
46 B<@CommandArgs> is I<COMMANDLINE> split into parts by spaces.
47 You may change or redefine it to control what will be the arguments of the executed command at the end.
48 B<$ExecName> is the command's name or path (C<$CommandArgs[0]> by default) what will be executed at the end.
49 You may change this one too, and it's does not need to be aligned with C<$CommandArgs[0]>.
51 You are also given some utility functions to use in at your dispense:
52 B<stripQuotes()>, B<setupIORedirects()>.
53 B<stripQuotes()> currently just return the supplied string without surrounding single and double quotes.
55 B<setupIORedirects()> scans the supplied list for common shell IO redirection syntax,
56 setup these redirection on the current process,
57 and return the input list without those elements which are found to be describing a redirection.
58 Recognized representation:
60 =over 4
62 =item operators:
64 write (B<< > >>) and append (B<< > >>B<< > >>)
66 =item an integer before the operator;
68 optional, defaults are the same as in sh(1)
70 =item filename
72 just right after the operator or in the next argument;
73 strings only matching to B<[a-zA-Z0-9_,./]+> are considered filenames.
75 =back
77 Don't forget to exit from with a true value.
79 B<Typical script>:
81 @CommandArgs = setupIORedirects(@CommandArgs);
82 @CommandArgs = map {stripQuotes($_)} @CommandArgs;
85 =head1 SETUP
87 You probably need a tool to force the neglegent program (which is the attack vector to shell-injection)
88 to run notashell(1) in place of normal shell (sh(1), bash(1)).
89 See for example B<noshellinject> tool to accomplish this (in F<../root-tools> directory in notashell's source git repo).
91 =cut
94 use POSIX qw/dup2/;
97 sub stripQuotes
99 my $s = shift;
100 $s =~ s/^([''""])(.*)\g1$/$2/;
101 return $s;
104 sub setupIORedirects
106 my @cmdargs = @_;
107 my @return = ();
108 my $filename_chars = 'a-zA-Z0-9_,./';
110 while(@cmdargs)
112 my $arg = shift @cmdargs;
113 my $arg_consumed = 0;
114 if(my ($fd, $redirop, $target) = $arg =~ /^(\d*)(>|>>)([$filename_chars]*)$/)
116 if($target eq '')
118 my $nextarg = shift @cmdargs;
119 if($nextarg =~ /^[$filename_chars]+$/)
121 $target = $nextarg;
123 else
125 unshift @cmdargs, $nextarg;
128 if($target ne '')
130 if($fd eq '')
132 $fd = 0 if $redirop =~ /^</;
133 $fd = 1 if $redirop =~ /^>/;
135 open my $fh, $redirop, $target or die "$0: $target: open: $!\n";
136 dup2(fileno $fh, $fd) or die "$0: $target: dup2: $!\n";
137 $arg_consumed = 1;
140 push @return, $arg unless $arg_consumed;
142 return @return;
146 $ParserHookPath = "/etc/notashell/";
148 if(scalar(@ARGV) == 2 and $ARGV[0] eq '-c')
150 $sh_c_invocation = 1;
153 if($ENV{'NOTASHELL_INTERCEPT'} eq "0" or not $sh_c_invocation)
155 my $basename = $0 =~ s/.*\/([^\/]+)$/$1/r;
156 $progname = $basename;
157 exec {"/var/lib/notashell/real-" . $basename} $0, @ARGV;
159 else
161 $CommandString = $ARGV[1];
162 @CommandArgs = split / /, $CommandString;
163 $ExecName = $CommandArgs[0];
165 if(-e $ParserHookPath)
167 my $hook_result = do $ParserHookPath;
168 if(not defined $hook_result)
170 die "$ParserHookPath: $@: $!\n";
174 $progname = $ExecName;
178 exec {$ExecName} @CommandArgs;
181 ($errno, $errstr) = (int $!, $!);
182 warn "$progname: $errstr\n";
183 exit 125+$errno;