JWyatt

Reputation: 129

What does this bash script do, and what issues does it have?

Could you please help me to analyse this script and tell me what security issues it has (if any):

    #!/bin/bash
    user=$(whoami)
    touch /var/log/bashlog/$user
    /bin/bash | tee -a /var/log/bashlog/$user

We were asked to explore a system to find faults and this file has baffled me (it was saved as a weird name).

Upvotes: 1

Views: 83

Answers (2)

Caleb

Reputation: 5438

This script is potentially dangerous!

The ramifications for you might vary based on how it was called. If it is something you run intentionally to debug your console or create tutorials it might be ok. However it doesn't smell like this is the case. If it was intentional and the dangers it introduces were taken into consideration it would not need to be multi-user aware and it would not be logging to a public location. If it is being run automatically as part of the login system on your machine for not clearly documented reasons, I would say that you have a severely compromised machine.

  • First, that script establishes who the user is and creates a log file for them in a public directory. Assuming your users have default umask settings, these log files are likely readable by all users on the system.

  • The next thing it does is launch a new shell. The catch is that the output of the new shell is being captured. The tee command is going to split the output to two places. The output of everything that happens in the shell is going to be written to the console, but an additional copy of everything is going to be appended to the previously established log file.

On running this script, you will be left in a shell that looks just like the one you started with, but the output of everything is now no longer private to your secured login shell. If this were to be called from user or system-wide profiles, the output of everything ever done on the system might be public record.

You probably DON'T want that happening.

Upvotes: 3
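
A defender's check for the two conditions the answer above describes: session logs that every local user can read, and a startup file that pipes a shell into `tee`. This is an added example, not part of the original answer; the function names and the temporary fixture paths are constructed for illustration.

```shell
#!/bin/bash
# Added example (not from the original post): audit for the two conditions
# the answer describes. All paths below are constructed sample data.

# Print regular files under directory $1 that any local user can read.
world_readable_logs() {
    find "$1" -type f -perm -004 2>/dev/null | sort
}

# Print which of the given startup files pipe a shell into tee,
# the pattern used by the script in the question.
profiles_wrapping_shell() {
    grep -lE '(^|[[:space:]/])(ba)?sh[[:space:]]*\|[[:space:]]*tee([[:space:]]|$)' \
        "$@" 2>/dev/null || true
}

# Build a throwaway fixture under $1: two session logs created under
# different umasks, and two profile files, one of which wraps the shell.
build_fixture() {
    mkdir -p "$1/bashlog" "$1/home"
    ( umask 022; touch "$1/bashlog/alice" )   # common default: mode 644
    ( umask 077; touch "$1/bashlog/bob" )     # restrictive: mode 600
    printf '%s\n' 'export EDITOR=vi' > "$1/home/clean_profile"
    printf '%s\n' 'user=$(whoami)' \
        '/bin/bash | tee -a /var/log/bashlog/$user' > "$1/home/hooked_profile"
}

demo_dir=$(mktemp -d)
build_fixture "$demo_dir"
echo "Logs readable by every local user:"
world_readable_logs "$demo_dir/bashlog"
echo "Startup files that wrap the shell in tee:"
profiles_wrapping_shell "$demo_dir/home/clean_profile" "$demo_dir/home/hooked_profile"
rm -rf "$demo_dir"
```

On a real host the same two functions would be pointed at the log directory and at the system and per-user shell startup files.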

Alex Jurado - Bitendian

Reputation: 1027

This script is logging every output produced during a user's command line session. It's potentially dangerous as it may spy on some user activity. But it's not so dangerous, as it is not capturing the input, so no passwords will be caught.

Upvotes: 2
