Secure a KSH script

iga3725 · June 28, 2010, 5:05am

Hi:

I want to secure (prevent Ctrol+C, or Ctrol+Z, or any kind of aborting) this ksh script:

#!/usr/bin/ksh

clear
echo
print "CSIA RBAC -- CONFIGURACION --"
echo

print "1) Habilitar/Desabilitar RBAC en el sistema"
print "2) Configurar comandos privados"
print "6) Salir"

echo
echo "Seleccione la opcion:"
echo

while true; do
  read SELECT
  case $SELECT in
    1)    print "a) Habilitar RBAC?"
          print "b) Desabilitar RBAC?"
          while read SELECT2;do
            case $SELECT2 in
              "a") print "Habilitando RBAC" ;;
              "b") print "Desabilitando RBAC" ;;
            esac
            break 2
          done;;
    2)    print "a) Listar los comandos privilegiados activos"
          print "b) Anadir comando a RBAC"
          print "c) Eliminar comando a RBAC"
          while read SELECT2;do
            case $SELECT2 in
              "a") echo "Comandos activos:" && lssecattr -c ALL|grep csia|awk '{print $1}';;
              "b") ./addcmdrbac.ksh;;
              "c") ./delcmdrbac.ksh;;
            esac
            break 2
          done;;
   
    6) break;;
  esac
  ./menu2.ksh
done

I tried with trap but no sucess..

thx
Israel.

zaxxon · June 28, 2010, 5:27am

Then either your trap was wrong or wrong placed.
Place it as 1st line after the shebang:

#!/usr/bin/ksh

trap 'echo "No way!"' 1 2 15

...

or whatever signals you want to trap.

methyl · June 28, 2010, 6:42am

If you do it with "trap" I'd trap "1 2 3" but not "15" (Hangup) or you will accumulate orphan shells when users disconnect their session.

Personally I'd use "stty" to disable the keys.
First run "stty -a" to find out what keys you wish to disable.
Then set each relevant key to null:

e.g.
stty intr ""
stty quit ""
stty eof ""
stty kill ""

iga3725 · June 28, 2010, 7:40am

umm.. where is trap command on aix6? I run 'which trap' but it doesn't returned nothing. How can I verify if trap is installed on my box?

thxs
Israel

methyl · June 28, 2010, 8:05am

The trap command is a ksh builtin.
ksh type trap
trap is a shell builtin

Ignoring trap for the moment, there is an issue in this menu script where it calls itself. It will eventially fail because the shells will be nested too deep.
The following construct using shell functions and "return" is better:

#!/usr/bin/ksh

main_menu()
{
while true
do
        clear
        echo
        print "CSIA RBAC -- CONFIGURACION --"
        echo

        print "1) Habilitar/Desabilitar RBAC en el sistema"
        print "2) Configurar comandos privados"
        print "6) Salir"

        echo
        echo "Seleccione la opcion:"
        echo

        read SELECT
        case $SELECT in
                1)      menu_1
                        ;;
                2)      menu_2
                        ;;
                6)      return 
                        ;;
        esac
done
}
#
menu_1()
{
while true
do
        print "a) Habilitar RBAC?"
        print "b) Desabilitar RBAC?"
        echo
        echo "Seleccione la opcion:"
        echo
        read SELECT2
        case $SELECT2 in
                "a") print "Habilitando RBAC"
                        sleep 2
                        return
                        ;;
                "b") print "Desabilitando RBAC"
                        sleep 2
                        return
                        ;;
                "")     return
                        ;;
                *) print "Invalid"
                        sleep 2
                        ;;
        esac
done
}
#
menu_2()
{
while true
do
        print "a) Listar los comandos privilegiados activos"
        print "b) Anadir comando a RBAC"
        print "c) Eliminar comando a RBAC"
        echo
        echo "Seleccione la opcion:"
        echo
        read SELECT2
        case $SELECT2 in
                "a") echo "Comandos activos:" && lssecattr -c ALL|grep csia|awk
 '{print $1}'
                        sleep 2
                        return
                        ;;
                "b") ./addcmdrbac.ksh
                        sleep 2
                        return
                        ;;
                "c") ./delcmdrbac.ksh
                        sleep 2
                        return
                        ;;
                "")     return
                        ;;
                *) print "Invalid"
                        sleep 2
                        ;;
        esac
done
}
#
#######
main_menu
exit

iga3725 · June 28, 2010, 11:54am

nice.. thanks methyl