V8.00.000.2025.06.17
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 56s
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
@@ -29,21 +29,54 @@ and governs how the shell reacts to unexpected states, variable misuses, and sub
The following Bash options are set to enforce secure and fail-fast behavior:
- `errexit` (`set -e`): Immediately aborts execution on non-zero exit status.
- `errtrace` (`set -E`): Ensures that `ERR` traps are inherited in functions and subshells.
- `functrace` (`set -T`): Allows `DEBUG` and `RETURN` traps to be inherited as well.
- `ignoreeof`: Prevents accidental termination via Ctrl-D on interactive shells.
- `nounset` (`set -u`): Fails on use of undeclared variables.
- `pipefail`: Propagates the first failing command's exit code in pipelines.
- `noclobber` (`set -C`): Disallows overwriting of existing files via output redirection.
#### 2.2.2.1. `set` Options
### 2.2.3. Paradigm
| Option | Purpose |
|--------------------|--------------------------------------------------------------------------------------------------------------|
| `errexit` (`-e`) | Immediately exits the script if any command returns a non-zero status. Prevents silent failure continuation. |
| `errtrace` (`-E`) | Ensures that `ERR` traps are inherited by functions and subshells, maintaining error-handling consistency. |
| `functrace` (`-T`) | Ensures that `DEBUG` and `RETURN` traps are inherited, enabling full-stack debug tracing. |
| `ignoreeof` | Prevents accidental shell termination from a stray `EOF` (Ctrl-D) in interactive sessions. |
| `noclobber` (`-C`) | Prohibits overwriting existing files via output redirection, mitigating destructive accidents. |
| `nounset` (`-u`) | Treats use of undefined variables as fatal errors, preventing unpredictable logic paths. |
| `pipefail` | Returns the exit status of the first failed command in a pipeline, avoiding false-positive success states. |
#### 2.2.2.2. `shopt` Options
| Option | State | Purpose |
|-------------------|-------|----------------------------------------------------------------------------------------------------------------------------|
| `failglob` | `on` | Causes filename expansion to fail if no matches are found, avoiding unintended literal pattern usage. |
| `inherit_errexit` | `on` | Preserves `errexit` behaviour inside command substitutions, ensuring subshells do not mask failures. |
| `lastpipe` | `on` | Runs the last command in a pipeline in the current shell (non-job-control mode), preserving variables set in that command. |
| `expand_aliases` | `off` | Disables alias expansion in non-interactive mode to maintain predictable parsing and avoid hidden behaviours. |
| `dotglob` | `off` | Prevents inclusion of dotfiles in filename expansion unless explicitly requested, avoiding unintentional file processing. |
| `extglob` | `off` | Disables extended pattern matching by default, reducing syntactic ambiguity unless explicitly enabled. |
| `nullglob` | `off` | Prevents non-matching globs from expanding to empty strings, preserving error signalling. |
#### 2.2.2.3. Environment Variables
* **`PATH`** Explicitly set to a minimal, trusted search path: ``/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin``
This minimizes the risk of executing binaries from untrusted directories.
* **`IFS`** Reset to the canonical safe value for whitespace splitting. This mitigates word-splitting injection vulnerabilities.
* **`umask 0022`** Ensures newly created files are world-readable but only writable by their owner. This is a conservative
default that prevents accidental creation of files with overly permissive access rights.
### 2.2.3 Security Considerations
- **Fail-fast principle**: By combining `set -Ceuo pipefail` with strict `shopt` rules, unexpected runtime states result in
immediate termination and diagnostic reporting.
- **Predictability**: Disabled features (such as `extglob`, `expand_aliases`) prevent accidental reliance on non-portable or
side-effect-prone shell behavior.
- **Isolation**: A fixed `PATH` ensures that only known system binaries are invoked, neutralizing the risk of executing
malicious binaries from user-writable directories.
- **Consistency across contexts**: `inherit_errexit` ensures subshell and function calls do not silently bypass global error policy.
### 2.2.4. Paradigm
All scripts and modules in the **CISS.debian.installer** framework operate under the principle of deterministic failure and
exhaustive state introspection. The defined options anticipate and actively prevent common scripting failures due to overlooked
conditions or shell misbehavior.
## 2.3. [0060_trap_err.sh](../../lib/cdi_0060_traps/0060_trap_err.sh)
### 2.3.1. Purpose
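Review bot: The heading hierarchy in this hunk is out of order and duplicated: `### 2.2.3. Paradigm` sits between `#### 2.2.2.1. set Options` and the table that heading introduces, `### 2.2.3 Security Considerations` reuses the 2.2.3 number (and drops the trailing period the other headings use), and `### 2.2.4. Paradigm` repeats the Paradigm title. Suggest dropping the misplaced `### 2.2.3. Paradigm` line so that 2.2.2.1, 2.2.2.2 and 2.2.2.3 follow each other directly, then numbering Security Considerations as `2.2.3.` and Paradigm as `2.2.4.`. Two smaller documentation points in the same hunk: the Security Considerations bullet summarises the option set as `set -Ceuo pipefail`, which omits the `errtrace` (`-E`) and `functrace` (`-T`) options listed just above it, so either spell it as `set -CEeTuo pipefail` or state that `-E`/`-T` are enabled alongside; and the `IFS` bullet should name the value it is reset to (the default space, tab, newline) instead of "the canonical safe value", since readers auditing the hardening cannot verify an unstated value.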