Implications of running script as argument to shell

Question

Context for the question is the following comment on one of my answers:

@SergiyKolodyazhnyy Prefacing a script name with /bin/bash or even just bash is also a common way to solve the lack of executable permissions on the script.

I've refuted with the obvious remarks that there's danger in giving a potentially malicious script ability to do what it wants while file itself doesn't have executable bit set, and obvious incompatibility of script written for say c-shell being run with bourne-like shell ( and syntax incompatibility among Bourne-like shells themselves ). And the way I see it in hindsight, it's almost close to faulty advise of doing curl somedomain/script.sh | bash.

However, I'm curious if there are potentially more severe implications. I know that merely cat'ing a file can be dangerous and merely copy-pasting of a seemingly harmless script, but I'm curious if there's anything not so obvious exists about running a script as argument to shell.

score 3 · Accepted Answer · answered Oct 29 '17 at 03:04

3

Not really. If someone can get you to run a malicious script -- whether with ./scriptname or with bash scriptname -- you're pretty much toast. Also, you shouldn't think of the execute permission as a protection against malware. Execute permission controls whether you are allowed to execute the script (via exec() and its relatives), not whether it is allowed to execute.

answered Oct 29 '17 at 03:04

Gordon Davisson

2,581
1
17
13

Yeah, for naive newbie user that doesn't make much difference, good point – Sergiy Kolodyazhnyy Oct 29 '17 at 03:29

Implications of running script as argument to shell

1 Answers1