V8.00.000.2025.06.17
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 56s
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 56s
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
@@ -29,21 +29,54 @@ and governs how the shell reacts to unexpected states, variable misuses, and sub
|
|||||||
|
|
||||||
The following Bash options are set to enforce secure and fail-fast behavior:
|
The following Bash options are set to enforce secure and fail-fast behavior:
|
||||||
|
|
||||||
- `errexit` (`set -e`): Immediately aborts execution on non-zero exit status.
|
#### 2.2.2.1. `set` Options
|
||||||
- `errtrace` (`set -E`): Ensures that `ERR` traps are inherited in functions and subshells.
|
|
||||||
- `functrace` (`set -T`): Allows `DEBUG` and `RETURN` traps to be inherited as well.
|
|
||||||
- `ignoreeof`: Prevents accidental termination via Ctrl-D on interactive shells.
|
|
||||||
- `nounset` (`set -u`): Fails on use of undeclared variables.
|
|
||||||
- `pipefail`: Propagates the first failing command's exit code in pipelines.
|
|
||||||
- `noclobber` (`set -C`): Disallows overwriting of existing files via output redirection.
|
|
||||||
|
|
||||||
### 2.2.3. Paradigm
|
| Option | Purpose |
|
||||||
|
|--------------------|--------------------------------------------------------------------------------------------------------------|
|
||||||
|
| `errexit` (`-e`) | Immediately exits the script if any command returns a non-zero status. Prevents silent failure continuation. |
|
||||||
|
| `errtrace` (`-E`) | Ensures that `ERR` traps are inherited by functions and subshells, maintaining error-handling consistency. |
|
||||||
|
| `functrace` (`-T`) | Ensures that `DEBUG` and `RETURN` traps are inherited, enabling full-stack debug tracing. |
|
||||||
|
| `ignoreeof` | Prevents accidental shell termination from a stray `EOF` (Ctrl-D) in interactive sessions. |
|
||||||
|
| `noclobber` (`-C`) | Prohibits overwriting existing files via output redirection, mitigating destructive accidents. |
|
||||||
|
| `nounset` (`-u`) | Treats use of undefined variables as fatal errors, preventing unpredictable logic paths. |
|
||||||
|
| `pipefail` | Returns the exit status of the first failed command in a pipeline, avoiding false-positive success states. |
|
||||||
|
|
||||||
|
#### 2.2.2.2. `shopt` Options
|
||||||
|
|
||||||
|
| Option | State | Purpose |
|
||||||
|
|-------------------|-------|----------------------------------------------------------------------------------------------------------------------------|
|
||||||
|
| `failglob` | `on` | Causes filename expansion to fail if no matches are found, avoiding unintended literal pattern usage. |
|
||||||
|
| `inherit_errexit` | `on` | Preserves `errexit` behaviour inside command substitutions, ensuring subshells do not mask failures. |
|
||||||
|
| `lastpipe` | `on` | Runs the last command in a pipeline in the current shell (non-job-control mode), preserving variables set in that command. |
|
||||||
|
| `expand_aliases` | `off` | Disables alias expansion in non-interactive mode to maintain predictable parsing and avoid hidden behaviours. |
|
||||||
|
| `dotglob` | `off` | Prevents inclusion of dotfiles in filename expansion unless explicitly requested, avoiding unintentional file processing. |
|
||||||
|
| `extglob` | `off` | Disables extended pattern matching by default, reducing syntactic ambiguity unless explicitly enabled. |
|
||||||
|
| `nullglob` | `off` | Prevents non-matching globs from expanding to empty strings, preserving error signalling. |
|
||||||
|
|
||||||
|
#### 2.2.2.3. Environment Variables
|
||||||
|
|
||||||
|
* **`PATH`** Explicitly set to a minimal, trusted search path: ``/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin``
|
||||||
|
This minimizes the risk of executing binaries from untrusted directories.
|
||||||
|
* **`IFS`** Reset to the canonical safe value for whitespace splitting. This mitigates word-splitting injection vulnerabilities.
|
||||||
|
* **`umask 0022`** Ensures newly created files are world-readable but only writable by their owner. This is a conservative
|
||||||
|
default that prevents accidental creation of files with overly permissive access rights.
|
||||||
|
|
||||||
|
### 2.2.3 Security Considerations
|
||||||
|
|
||||||
|
- **Fail-fast principle**: By combining `set -Ceuo pipefail` with strict `shopt` rules, unexpected runtime states result in
|
||||||
|
immediate termination and diagnostic reporting.
|
||||||
|
- **Predictability**: Disabled features (such as `extglob`, `expand_aliases`) prevent accidental reliance on non-portable or
|
||||||
|
side-effect-prone shell behavior.
|
||||||
|
- **Isolation**: A fixed `PATH` ensures that only known system binaries are invoked, neutralizing the risk of executing
|
||||||
|
malicious binaries from user-writable directories.
|
||||||
|
- **Consistency across contexts**: `inherit_errexit` ensures subshell and function calls do not silently bypass global error policy.
|
||||||
|
|
||||||
|
### 2.2.4. Paradigm
|
||||||
|
|
||||||
All scripts and modules in the **CISS.debian.installer** framework operate under the principle of deterministic failure and
|
All scripts and modules in the **CISS.debian.installer** framework operate under the principle of deterministic failure and
|
||||||
exhaustive state introspection. The defined options anticipate and actively prevent common scripting failures due to overlooked
|
exhaustive state introspection. The defined options anticipate and actively prevent common scripting failures due to overlooked
|
||||||
conditions or shell misbehavior.
|
conditions or shell misbehavior.
|
||||||
|
|
||||||
|
|
||||||
## 2.3. [0060_trap_err.sh](../../lib/cdi_0060_traps/0060_trap_err.sh)
|
## 2.3. [0060_trap_err.sh](../../lib/cdi_0060_traps/0060_trap_err.sh)
|
||||||
|
|
||||||
### 2.3.1. Purpose
|
### 2.3.1. Purpose
|
||||||
|
|||||||
@@ -25,8 +25,8 @@ guard_sourcing
|
|||||||
#######################################
|
#######################################
|
||||||
chroot_logger() {
|
chroot_logger() {
|
||||||
declare -r var_logfile="$1"
|
declare -r var_logfile="$1"
|
||||||
: >| "${TARGET}${var_logfile}" || return "${ERR_CHROOT_LOGGER}"
|
: >| "${var_logfile}" || return "${ERR_CHROOT_LOGGER}"
|
||||||
chmod 0600 "${TARGET}${var_logfile}" || "${ERR_CHROOT_LOGGER}"
|
chmod 0600 "${var_logfile}" || "${ERR_CHROOT_LOGGER}"
|
||||||
return 0
|
return 0
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@@ -21,6 +21,7 @@ set -o noclobber # Prevent overwriting, the same as "set -C".
|
|||||||
set -o nounset # Exit script on use of an undefined variable, the same as "set -u".
|
set -o nounset # Exit script on use of an undefined variable, the same as "set -u".
|
||||||
set -o pipefail # Makes pipelines return the exit status of the last command in the pipe that failed.
|
set -o pipefail # Makes pipelines return the exit status of the last command in the pipe that failed.
|
||||||
|
|
||||||
|
### For all options see https://www.gnu.org/software/bash/manual/bash.html#The-Shopt-Builtin
|
||||||
shopt -s failglob # If set, patterns that fail to match filenames during filename expansion result in an expansion error.
|
shopt -s failglob # If set, patterns that fail to match filenames during filename expansion result in an expansion error.
|
||||||
shopt -s inherit_errexit # If set, command substitution inherits the value of the errexit option, instead of unsetting it in the
|
shopt -s inherit_errexit # If set, command substitution inherits the value of the errexit option, instead of unsetting it in the
|
||||||
# subshell environment. This option is enabled when POSIX mode is enabled.
|
# subshell environment. This option is enabled when POSIX mode is enabled.
|
||||||
|
|||||||
Reference in New Issue
Block a user