Rebuilding bash source

So I have many scripts that have to run when the bash source is installed as normal.

However, some users have found a way to build bash from source, and while doing so they altered some default settings.

My question is, what can I put in my script to check the "flags.c" binary and make sure that "echo_command_at_execute = 0" has not been changed?

Also, that BASH_XTRACEFD has not been changed/set.

Please advise.

Basically, all I want is to be able to know, when a user runs one of my scripts, whether the bash source on the user's machine has been altered from its default state/settings. What can I check for?

You can run cryptographic hash functions on files to baseline and confirm file integrity.


I am guessing developers are recompiling some of their environment. You cannot hope to fix this.

If there actually is a completely defined standard environment:

  1. use a shebang on all of your code
  2. make sure /bin/sh is /bin/bash and /bin/bash has the correct checksum
  3. look for LD_PRELOAD settings, or any BASH environment variables

Basically what I see is a big problem. Management should explicitly disallow recompiling/rebuilding system code. The security issues are major here. This is like a hacker free for all, and you are trying to play referee.

Who owns a user's desktop Linux box? The company. Get management buy-in, and when something fails checksums or some other tests, contact management. If management thinks having folks do stuff like this is okay, then work at getting responsibility for solving script problems foisted onto non-conforming users.

In other words do not try to "fix" the code problem, fix the cause instead.

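As an added example (not code from anyone in this thread), here is a POSIX sh pre-flight that implements items 2 and 3 of the list above from inside a script: it compares the interpreter binary against a baseline SHA-256 and refuses to continue when LD_PRELOAD, BASH_XTRACEFD or BASH_ENV is set or xtrace is on. The baseline hash is a placeholder you would replace with the hash of the vetted build; the helper names are hypothetical.

```shell
#!/bin/sh
# Hypothetical pre-flight check for a deployment script (added example).
# PLACEHOLDER: replace with the sha256 of the vetted /bin/bash build.
EXPECTED_BASH_SHA256="${EXPECTED_BASH_SHA256:-PLACEHOLDER_SHA256_OF_VETTED_BASH}"

# Print the sha256 of a file using whichever tool the host provides.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        return 2
    fi
}

# Return 0 when the interpreter binary ($1) matches the baseline hash ($2).
check_bash_checksum() {
    actual=$(file_sha256 "${1:-/bin/bash}") || return 1
    [ "$actual" = "$2" ]
}

# Return 0 when nothing in the environment can hook or trace execution:
# LD_PRELOAD (injects a shared object into every process), BASH_XTRACEFD
# (redirects the xtrace stream), BASH_ENV (sourced before non-interactive
# scripts) must all be unset, and the -x (xtrace) option must be off.
check_env_clean() {
    [ -z "${LD_PRELOAD:-}" ] || { echo "LD_PRELOAD is set" >&2; return 1; }
    [ -z "${BASH_XTRACEFD:-}" ] || { echo "BASH_XTRACEFD is set" >&2; return 1; }
    [ -z "${BASH_ENV:-}" ] || { echo "BASH_ENV is set" >&2; return 1; }
    case "$-" in *x*) echo "xtrace (-x) is on" >&2; return 1 ;; esac
    return 0
}

# Usage at the top of a script: abort unless both checks pass.
preflight() {
    check_bash_checksum /bin/bash "$EXPECTED_BASH_SHA256" || return 1
    check_env_clean
}
```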

Thank you so much for the detailed response. What can I look for in the LD_PRELOAD settings? I'll do the scripting. All I need, if you can, is for you to provide me a list of things I should make sure are set a certain way.

A lot of things are outside my control here. So what I can do is make sure my script does not operate if the bash source is not default.

You can also try running gdb in non-interactive mode and get the flag variable value:

gdb -q /bin/bash -ex "print echo_command_at_execute" -ex quit

This will work on Ubuntu and Red Hat systems and it is perfect!

Are there other similar commands I can use that are more portable?

Requiring that your users install gdb to make sure they're not reading your script is rather amusing. gdb is a debugger! gdb may help you a little, but will help them a lot more!

This Rube Goldbergian arms race is not sustainable.
