Heard of SQL-injection (SQLi)? Do you know we can do script injection, similar to SQLi? Here is how to protect the shell script from injection attack.
First, check out what is SheBang if you haven't heard of it.
Second, sometime you will notice some SheBang will end with - or --.
#!/bin/bash -
#!/bin/bash --
The purpose of the single-dash is to protect it from script injection. IT simply mens the end of the options and disable any further option processing. Any argument after the -- is treated as filenames and arguments
This can protect the script from setuid based root spoofing and avoid interpreter spoofing, and eventually improve script security.
* Many OS ignore the setuid attribute when it detects shebang in an executable shell scripts.
Links:
- https://www.cyberciti.biz/faq/binbash-interpreter-spoofing/
- https://www.in-ulm.de/~mascheck/various/shebang/
- http://www.faqs.org/faqs/unix-faq/faq/part4/section-7.html
- https://unix.stackexchange.com/questions/364/allow-setuid-on-shell-scripts