What does 'set -e' do, and why might it be considered dangerous?

Question

This question has appeared on a pre-interview quiz and it's making me crazy. Can anyone answer this and put me at ease? The quiz has no reference to a particular shell but the job description is for a unix sa. again the question is simply...

What does 'set -e' do, and why might it be considered dangerous?

Answer 1

set -e causes the shell to exit if any subcommand or pipeline returns a non-zero status.

The answer the interviewer was probably looking for is:

It would be dangerous to use "set -e" when creating init.d scripts:

From http://www.debian.org/doc/debian-policy/ch-opersys.html 9.3.2 --

Be careful of using set -e in init.d scripts. Writing correct init.d scripts requires accepting various error exit statuses when daemons are already running or already stopped without aborting the init.d script, and common init.d function libraries are not safe to call with set -e in effect. For init.d scripts, it's often easier to not use set -e and instead check the result of each command separately.

This is a valid question from an interviewer standpoint because it gauges a candidates working knowledge of server-level scripting and automation

Answer 2

From bash(1):

          -e      Exit immediately if a pipeline (which may consist  of  a
                  single  simple command),  a subshell command enclosed in
                  parentheses, or one of the commands executed as part  of
                  a  command  list  enclosed  by braces (see SHELL GRAMMAR
                  above) exits with a non-zero status.  The shell does not
                  exit  if  the  command that fails is part of the command
                  list immediately following a  while  or  until  keyword,
                  part  of  the  test  following  the  if or elif reserved
                  words, part of any command executed in a && or  ││  list
                  except  the  command  following  the final && or ││, any
                  command in a pipeline but the last, or if the  command’s
                  return  value  is being inverted with !.  A trap on ERR,
                  if set, is executed before the shell exits.  This option
                  applies to the shell environment and each subshell envi-
                  ronment separately (see  COMMAND  EXECUTION  ENVIRONMENT
                  above), and may cause subshells to exit before executing
                  all the commands in the subshell.

Unfortunately I'm not creative enough to think of why it would be dangerous, other than "the rest of the script won't get executed" or "it might possibly perhaps mask real problems".

Answer 3

It should be noted that set -e can be turned on and off for various sections of a script. It doesn't have to be on for the whole script's execution. It could even be conditionally enabled. That said, I don't ever use it since I do my own error handling (or not).

some code
set -e     # same as set -o errexit
more code  # exit on non-zero status
set +e     # same as set +o errexit
more code  # no exit on non-zero status

Also noteworthy is this from the Bash man page section on the trap command which also describes how set -e functions under certain circumstances.

The ERR trap is not executed if the failed command is part of the command list immediately following a while or until keyword, part of the test in an if statement, part of a command executed in a && or ⎪⎪ list, or if the command's return value is being inverted via !. These are the same conditions obeyed by the errexit option.

So there are some conditions under which a non-zero status will not cause an exit.

I think the danger is in not understanding when set -e comes into play and when it doesn't and relying on it incorrectly under some invalid assumption.

Please also see BashFAQ/105 Why doesn't set -e (or set -o errexit, or trap ERR) do what I expected?

Answer 4

Keep in mind this is a quiz for a job interview. The questions may have been written by the current staff, and they may be wrong. This isn't necessarily bad, and everyone makes mistakes, and interview questions often sit in a dark corner without review, and only come out during an interview.

It's entirely possible that 'set -e' does nothing that we would consider "dangerous". But the author of that question may mistakenly believe that 'set -e' is dangerous, due to their own ignorance or bias. Maybe they wrote a buggy shell script, it bombed horribly, and they mistakenly thought that 'set -e' was to blame, when in fact they neglected to write proper error checking.

I've participated in probably 40 job interviews over the last 2 years, and the interviewers sometimes ask questions which are wrong, or have answers which are wrong.

Or maybe it's a trick question, which would be lame, but not entirely unexpected.

Or maybe this is a good explanation: http://www.mail-archive.com/debian-bugs-dist@lists.debian.org/msg473314.html

Answer 5

set -e terminates the script if a nonzero exit code is encountered, except under certain conditions. To sum up the dangers of its usage in a few words: it doesn't behave how people think it does.

In my opinion, it should be regarded as a dangerous hack which continues to exist for compatibility purposes only. The set -e statement does not turn shell from a language that uses error codes into a language that uses exception-like control flow, it merely poorly attempts to emulate that behaviour.

Greg Wooledge has a lot to say on the dangers of set -e:

• https://www.mail-archive.com/bug-bash@gnu.org/msg19497.html (a recent mailing list post with an interesting analogy)
• http://mywiki.wooledge.org/BashFAQ/105 (a wiki page on the pitfalls of set -e)

In the second link, there are various examples of the unintuitive and unpredictable behaviour of set -e.

Some examples of the unintuitive behaviour of set -e (some taken from the wiki link above):

• set -e
  x=0
  let x++
  echo "x is $x"

  The above will cause the shell script to prematurely exit, because let x++ returns 0, which is treated by the let keyword as a falsy value and turned into a nonzero exit code. set -e notices this, and silently terminates the script.

• set -e
  [ -d /opt/foo ] && echo "Warning: foo is already installed. Will overwrite." >&2
  echo "Installing foo..."
  

  The above works as expected, printing a warning if /opt/foo exists already.

  set -e
  check_previous_install() {
      [ -d /opt/foo ] && echo "Warning: foo is already installed. Will overwrite." >&2
  }
  
  check_previous_install
  echo "Installing foo..."
  

  The above, despite the only difference being that a single line has been refactored into a function, will terminate if /opt/foo does not exist. This is because the fact that it worked originally is a special exception to set -e's behaviour. When a && b returns nonzero, it is ignored by set -e. However, now that it's a function, the exit code of the function is equal to the exit code of that command, and the function returning nonzero will silently terminate the script.

• set -e
  IFS=$'\n' read -d '' -r -a config_vars < config
  

  The above will read the array config_vars from the file config. As the author might intend, it terminates with an error if config is missing. As the author might not intend, it silently terminates if config does not end in a newline. If set -e were not used here, then config_vars would contain all lines of the file whether or not it ended in a newline.

  Users of Sublime Text (and other text editors which handle newlines incorrectly), beware.

• set -e
  
  should_audit_user() {
      local group groups="$(groups "$1")"
      for group in $groups; do
          if [ "$group" = audit ]; then return 0; fi
      done
      return 1
  }
  
  if should_audit_user "$user"; then
      logger 'Blah'
  fi
  

  The author here might reasonably expect that if for some reason the user $user does not exist, then the groups command will fail and the script will terminate instead of letting the user perform some task unaudited. However, in this case the set -e termination never takes effect. If $user cannot be found for some reason, instead of terminating the script, the should_audit_user function will just return incorrect data as if set -e was not in effect.

  This applies to any function invoked from the condition part of an if statement, no matter how deeply nested, no matter where it is defined, no matter even if you run set -e inside it again. Using if at any point completely disables the effect of set -e until the condition block is fully executed. If the author is not aware of this pitfall, or does not know their entire call stack in all possible situations in which a function can be called, then they will write buggy code and the false sense of security provided by set -e will be at least partially to blame.

  Even if the author is fully aware of this pitfall, the workaround is to write code in the same way as one would write it without set -e, effectively rendering that switch less than useless; not only does the author have to write manual error handling code as if set -e were not in effect, but the presence of set -e may have fooled them into thinking that they do not have to.

Some further drawbacks of set -e:

• It encourages sloppy code. Error handlers are completely forgotten about, in the hopes that whatever failed will report the error in some sensible way. However, with examples like let x++ above, this is not the case. If the script dies unexpectedly, it is usually silently, which hinders debugging. If the script does not die and you expected it to (see previous bullet point), then you have a more subtle and insidious bug on your hands.
• It leads people into a false sense of security. See again the if-condition bullet point.
• The places where the shell terminates are not consistent between shells or shell versions. It is possible to accidentally write a script which behaves differently on an older version of bash due to the behaviour of set -e having been tweaked between those versions.

set -e is a contentious issue, and some people aware of the issues surrounding it recommend against it, while some others just recommend taking care while it is active to know the pitfalls. There are many shell scripting newbies who recommend set -e on all scripts as a catch-all for error conditions, but in real life it does not work that way.

set -e is no substitute for education.

Answer 6

set -e tells bash, in a script, to exit whenever anything returns a non-zero return value.

i could see how that would be annoying, and buggy, not sure about dangerous, unless you had opened up permissions on something, and before you could restrict them again, your script died.

Answer 7

I'd say it's dangerous because you don't control he flow of your script anymore. The script can terminate as long as any of the commands that the script invokes returns a non-zero. So all you have to do is to do something that alters the behavior or output of any of the components, and you get to terminate the main script. It might be more of a style problem, but it definitely has consequences. What if that main script of yours supposed to set some flag, and it didn't because it terminated early? You'd end up faulting the rest of the system if it assumes the flag should be there, or working with an unexpected default or old value.

Answer 8

As a more concrete example of @Marcin's answer which has personally bitten me, imagine there was a rm foo/bar.txt line somewhere in your script. Usually no big deal if foo/bar.txt doesn't actually exist. However with set -e present now your script will terminate early there! Oops.