Ksh Shell script security question.

Dan Nelson dnelson at allantgroup.com
Thu Feb 15 04:57:14 UTC 2007

In the last episode (Feb 14), Dak Ghatikachalam said:
> I am am puzzled how to secure this code when this shell script is
> being executed.
> ${ORACLE_HOME}/bin/sqlplus -s  <<EOF | tee -a  ${RESTOREFILE}
>        connect system/ugo8990d
>        set heading off
>        set feedback off
>        set pagesize 500
>        select 'SCN_TO_USE | '||max(next_change#)   from V\$LOG_HISTORY;
>        quit
> When I run this code from shell script in /tmp directory it spews
> file called /tmp/sh03400.000 in that I have this entire code visible.

I bet if you check the permissions you'll find the file has mode 0600,
which means only the user running the script can read the file (at
least that's what a test using the pdksh port does on my system). 
ksh93 does have a problem, though: it opens a file and immediately
unlinks it, but the file is world-readable for a short time.

Both ksh variants honor the TMPDIR variable, though, so if you create a
~/tmp directory, chmod it so only you can access it, then set
TMPDIR=~/tmp , you will be secure even if you're using ksh93.

	Dan Nelson
	dnelson at allantgroup.com

More information about the freebsd-questions mailing list