Sanitize Environment with Command or Bash Script

Run script in a clean environment

You can re-exec the script from within it:

[ -z "$CLEANED" ] && exec env -i CLEANED=1 "PATH=$PATH" "HOME=$HOME" bash "$0" "$@"
unset CLEANED

Where CLEANED is a marker variable to tell your script that the environment has been cleaned.

In a bash script, how do I sanitize user input?

As dj_segfault points out, the shell can do most of this for you. Looks like you'll have to fall back on something external for lower-casing the string, though. For this you have many options, like the perl one-liners above, etc., but I think tr is probably the simplest.

# first, strip underscores
CLEAN=${STRING//_/}
# next, replace spaces with underscores
CLEAN=${CLEAN// /_}
# now, clean out anything that's not alphanumeric or an underscore
CLEAN=${CLEAN//[^a-zA-Z0-9_]/}
# finally, lowercase with TR
CLEAN=`echo -n $CLEAN | tr A-Z a-z`

The order here is somewhat important. We want to get rid of underscores, plus replace spaces with underscores, so we have to be sure to strip underscores first. By waiting to pass things to tr until the end, we know we have only alphanumeric and underscores, and we can be sure we have no spaces, so we don't have to worry about special characters being interpreted by the shell.

Run from clean login shell without credentials

You can pass environment variables directly in a command line, right before the executable name:

ENV_VAR=foo command -options ...

If you want to pass multiple variables just add them one after one:

ENV_VAR_FOO=foo ENV_VAR_BAR=bar command -options ...

In your case, you'll need to find out which environment variable cmake needs to access the libraries. Then pass this to the call, like:

LIB_PATH=/path/to/libs cmake -options ... 

How to run a terminal with clean environment from Python

Use the env argument when calling subprocess.Popen:

subprocess.Popen([cmd], stdout=subprocess.PIPE, shell=True, env={})

This will run it in as clean environment as possible, however a lot of maybe needed environment variables will be missing. You may want to cache os.environ when you start your script and then populate the env argument with that cache to get the same environment variables you had when you started your script.

Update (for clarity sake): Keep in mind that the current environment is always copied to any sub-process (and sub-processes cannot access/change the environment of their parents) so the above essentially takes the current environment and blanks it out (giving the sub-process copy of an empty environment) and if the sub-process cannot establish new environment it will never know the variables from your script's environment. One way to partially mitigate that is to actually let bash (or whatever shell you're calling from your sub-process) to load profile and other user scripts but it still won't get the global environment.

Set environment variables from file of key/value pairs

Problem with your approach is the export in the while loop is happening in a sub shell, and those variable will not be available in current shell (parent shell of while loop).

Add export command in the file itself:

export MINIENTREGA_FECHALIMITE="2011-03-31"
export MINIENTREGA_FICHEROS="informe.txt programa.c"
export MINIENTREGA_DESTINO="./destino/entrega-prac1"

Then you need to source in the file in current shell using:

. ./conf/prac1

OR

source ./conf/prac1

How do I sanitize EDITOR, etc, environment variables?

I have only ever done something like this in CGI scripts, so perhaps this is not at all what you're looking for; I'm just hoping it'll help a bit. Here's a modified version of the selection of allowed characters I used, and a code suggestion:

   my $editor = '/usr/bin/nano';
   my $allowed = 'a-zA-Z0-9.\-_/';

   # this is what I did, but you will probably not want to do this... 
   #$file =~ s/[^$allowed]//go; # Remove every character thats NOT in the OK-list

   # check that the variables contain only allowed characters
   if ($VISUAL =~ m/^[$allowed]+$/) {
      $editor = $VISUAL;
   }
   elsif ($EDITOR =~ m/^[$allowed]+$/) {
      $editor = $EDITOR;
   } 
   else {
      # message
   }

   # The code I have given above should also leave $editor in its default
   # state if neither $VISUAL nor $EDITOR has been set, as the condition
   # will not be true for empty strings/undef values.

Obviously, you cannot change the environment variables if you notice characters in them which you think shouldn't be there (i.e. characters which are not in the $allowed string), but you could check for the presence of such characters and fall back on your default editor in such a case. This is just my humble suggestion; perhaps an expert on the topic will reply in a while, and you'll get her/his wisdom served on a silver platter :)

Passing an environment variable to a bash script over ssh from perl system

Try this:

system("ssh -t remote FOO='dir/dir/filename.stderr' $dir/bashscript> $dir/stdout.stdout 2> $dir/stderr.stderr &");

Note that if the value comes from an untrusted source this can be dangerous. You should really escape the value before you pass is like that. For example, you could do something like this:

my $foo='some value here';
$foo=~s/'/'\\''/g; # escape the '
system("ssh -t remote env FOO='$FOO' $dir/bashscript> $dir/stdout.stdout 2> $dir/stderr.stderr &");

In either case, bashscript can access the value via $FOO.

---

Related Topics