
When I stumble across an evil web site that I want blocked from corporate access, I edit my named.conf file on my bind server and then update my proxy server blacklist file. I'd like to automate this somewhat with a bash script. Say my script is called "evil-site-block.sh" and contains the following:

ssh [email protected] 'echo "#date added $(date +%m/%d/%Y)" >> /var/named/chroot/etc/named.conf; echo "zone \"$1\" { type master; file \"/etc/zone/dummy-block\"; };" >> /var/named/chroot/etc/named.conf'

It is then run as

$ evil-site-block.sh google.com

When I look at the contents of named.conf on the remote machine I see:

#date added 09/16/2014
zone "" { type master; file "/etc/zone/dummy-block"; };

What I can't figure out is how to pass "google.com" as $1.

2 Answers


First off, you don't want this to be two separately redirected echo statements -- doing that is both inefficient and means that the lines could end up not next to each other if something else is appending at the same time.

Second, and much more importantly, you don't want the remote command that's run to be something that could escape its quotes and run arbitrary commands on your server (think of if $1 is '$(rm -rf /)'.spammer.com).

Instead, consider:

#!/bin/bash
# ^ above is mandatory, since we use features not found in #!/bin/sh

printf -v new_contents \
  '# date added %s\nzone "%s" { type master; file "/etc/zone/dummy-block"; };\n' \
  "$(date +%m/%d/%Y)" \
  "$1"
printf -v remote_command \
  'echo %q >>/var/named/chroot/etc/named.conf' \
  "$new_contents"
ssh [email protected] bash <<<"$remote_command"

printf %q escapes data such that an evaluation pass in another bash shell will evaluate that content back to itself. Thus, the remote shell will be guaranteed (so long as it's bash) to interpret the content correctly, even if the content attempts to escape its surrounding quotes.


Your problem: Your entire command is put into single quotes – obviously so that bash expressions are expanded on the server and not locally.

But this also applies to your $1.

Simple solution: “Interrupt” the quotation by wrapping your local variable into single quotes.

ssh [email protected] 'echo "#date added $(date +%m/%d/%Y)" >> /var/named/chroot/etc/named.conf; echo "zone \"'$1'\" { type master; file \"/etc/zone/dummy-block\"; };" >> /var/named/chroot/etc/named.conf'

NB: \"$1\" → \"'$1'\".

NOTE: This solution is a simple fix for the one-liner as posted in the question above. If there's the slightest chance that this script is executed by other people, or it could process external output of any kind, please have a look at Charles Duffy's solution.

14 Comments

This isn't safe against intentionally malicious arguments. Given as this is code being invoked in response to security incidents and running as root, such safety is probably a legitimate concern.
I agree, but we're talking about some hack-ish helper script. A proper solution for blacklist management would look different, anyway. ;)
For a more explicit example: Consider the case where $1 is '"$(rm -rf /)"' (where those outer quotes are literal text rather than syntax). I'd rather allow an attacker to put garbage in named.conf than allow them to run arbitrary commands on my name server.
I think lxg's answer is what I need. I escaped that puppy almost every way I could except... I'm not concerned about named.conf being edited by another process, and this is a quick method to block access to sites being referenced in spam emails, etc. Thanks!
@mrodmac, if you're extracting text from spam emails (by definition, malicious content) and feeding that text into a script which will, for some values of that text, execute arbitrary commands as root, I'd argue that you really could use some additional paranoia around how you treat security. :)
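An added example, not code from the question or from either answer: it applies the same data-quoting idea as the printf %q answer (quote the text so the remote shell evaluates it back to itself), but with POSIX single-quote escaping so the remote side can be plain sh rather than bash, and it adds the check both answers and the comments circle around: a hostname that is going to be fed into named.conf is first matched against an allowlist of hostname characters. The remote user, the host name and the default named.conf path are placeholders, not values from the page.

```shell
#!/bin/sh
# Added example, not code from the question or the answers. Quote the data
# with POSIX single-quote escaping so any remote sh evaluates it back to the
# original text, and refuse input that does not look like a hostname at all.

# Allowlist check: accept only letters, digits, dots and hyphens, and reject
# an empty string. Anything carrying quotes, $, ( or ; fails here.
is_valid_domain() {
  case "$1" in
    ''|*[!A-Za-z0-9.-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Quote one string for a POSIX shell: wrap it in single quotes and turn each
# embedded ' into '\'' (close quote, escaped quote, reopen quote).
shell_quote() {
  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Build the command the remote shell will run. $1 is the domain, $2 the path
# of named.conf on the remote host (the question uses
# /var/named/chroot/etc/named.conf). Both lines are written by one printf so
# a concurrent append cannot land between them.
build_remote_command() {
  stamp=$(date +%m/%d/%Y)
  contents=$(printf '# date added %s\nzone "%s" { type master; file "/etc/zone/dummy-block"; };' "$stamp" "$1")
  printf "printf '%%s\\\\n' %s >>%s\n" "$(shell_quote "$contents")" "$(shell_quote "$2")"
}

# Validate, build, then ship the command to the DNS host over ssh.
# The remote user/host and the default path are assumptions, not from the page.
block_site() {
  domain=$1
  remote=${2:-root@dns.example.invalid}
  conf=${3:-/var/named/chroot/etc/named.conf}
  if ! is_valid_domain "$domain"; then
    printf 'refusing to block %s: not a plain hostname\n' "$domain" >&2
    return 2
  fi
  build_remote_command "$domain" "$conf" | ssh "$remote" sh
}
```

With the allowlist in place, `block_site '$(echo INJECTED)'.spammer.com` is refused before any command is built. Even without it, the command produced by `build_remote_command` writes that string into the file as literal text instead of executing the substitution, which you can confirm locally by running the built command with `sh -c` against a temporary file in place of named.conf.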