Chapter 14: Security in Bash Scripting

Understand the basics of security in Bash scripting, including permissions, secure handling of sensitive data, and avoiding common vulnerabilities.

In this chapter, we’ll explore essential security practices for Bash scripting, from setting correct permissions to safely handling sensitive data and mitigating potential vulnerabilities. These practices help ensure that your scripts are safe and reliable, protecting sensitive information and preventing unauthorized access.

Setting Correct File Permissions

Permissions determine who can read, write, or execute a script. Use the chmod command to set restrictive permissions, limiting access only to necessary users:

# Example: Restricting script permissions
chmod 700 script.sh

This command grants read, write, and execute permissions only to the owner, preventing group or public access.

Avoiding Hard-Coded Sensitive Information

Storing sensitive data, like passwords or API keys, directly in scripts can lead to security risks. Instead, use environment variables or prompt the user for sensitive information:

# Example: Prompting for a password securely
read -sp "Enter your password: " password
echo "Password entered securely"

In this example, -s option in read hides the input, keeping the password secure.

Input Validation to Prevent Injection Attacks

Always validate user input to prevent command injection attacks. Avoid using user input directly in commands; instead, use conditional checks or restricted patterns:

# Example: Validating user input
read -p "Enter a valid filename: " filename
if [[ "$filename" =~ ^[a-zA-Z0-9_.-]+$ ]]; then
    echo "Processing $filename"
else
    echo "Invalid filename"
fi

This example ensures the filename contains only valid characters, preventing potentially dangerous input.

Secure File Handling with `mktemp`

For temporary files, use mktemp to create uniquely named files securely. Avoid using predictable filenames, as they can be targeted by malicious actors:

# Example: Creating a secure temporary file
temp_file=$(mktemp)
echo "Temporary file created: $temp_file"

This command generates a uniquely named file in the system’s temp directory, minimizing security risks.

Avoiding Common Vulnerabilities

Follow these practices to avoid common scripting vulnerabilities:

Use Quoting: Quote variables to prevent word splitting and globbing (e.g., "$variable").
Avoid `eval`: The eval command executes arguments as code, which can be exploited if user input is involved. Avoid it unless necessary.
Limit Permissions: Only provide users with the minimum required permissions to run scripts and access files.
Use `trap` for Cleanup: Clean up sensitive data (e.g., temporary files) on script exit using trap to prevent unintended exposure.

Using `trap` for Security Cleanup

Use trap to ensure sensitive data or files are deleted if the script exits unexpectedly, reducing the chance of exposure:

# Example: Cleanup with trap
temp_file=$(mktemp)
trap 'rm -f "$temp_file"' EXIT
echo "Temporary data" > "$temp_file"

This setup deletes the temporary file upon script exit, ensuring no sensitive data is left on the system.

Summary and Best Practices

In this chapter, we covered essential security practices for Bash scripting, including setting permissions, securely handling sensitive data, validating input, and using secure file handling methods. Adhering to these practices will help you create secure, reliable scripts that protect data and prevent unauthorized access.