CIT 383 Administrative Scripting Commands Computer Security Art

CIT 383: Administrative Scripting Commands Computer Security: Art and Science 1


Topics
1. System
2. Exec
3. Command Quotes
4. Popen
5. Expect

System
Executes command string in a subshell
    system("tar cjf ruby.tar.bz2 *.rb")
    system("cut -d: -f 1 /etc/passwd | sort")
All shell features are available
  • Globbing (*/*.c)
  • Tilde expansion (~jsmith)
  • I/O redirection
  • Pipes

System with Multiple Arguments
Multiple arguments have different behavior
  • First argument is name of command.
  • Later arguments are command line arguments.
  • None are interpreted by shell.
Examples
    system("echo *")       # prints all files in directory
    system("echo", "*")    # prints a *
    # tar's old-style option letters must be bundled in its first argument
    system("tar", "cf", "ruby.tar", "rubyfiles/")

System Security
Archiving user specified files
    files = gets
    system("tar cf ruby.tar #{files}")
What if the user enters "*; rm -rf /"? The shell runs two commands:
    tar cf ruby.tar *
    rm -rf /
Use multiple argument form to avoid this bug.
    files = gets.chomp    # drop the trailing newline from the input
    system("tar", "cf", "ruby.tar", files)
In this form files reaches tar as a single literal argument: no shell runs, so the input is not globbed or split into words either.
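The two forms from this slide side by side, as an added example that is not part of the original slides. It assumes a scratch directory with two constructed files, uses a harmless `touch INJECTED` in place of the slide's command, and goes beyond the slide by expanding the pattern in Ruby and passing `--` to tar; the helper names are hypothetical.

```ruby
require "tmpdir"

# Constructed hostile input, newline included as gets would return it.
# A harmless `touch` stands in for the slide's destructive command.
HOSTILE = "*.rb; touch INJECTED\n"

# Single-string form: /bin/sh parses the user's text as shell syntax.
def archive_via_shell(files)
  system("tar -cf ruby.tar #{files}", err: File::NULL)
end

# Argument-vector form: no shell runs. Globbing is done in Ruby instead, an
# unmatched pattern stays literal (as in sh), and "--" ends option parsing so
# a name starting with "-" is read as a file name, not a tar option.
def archive_via_argv(pattern)
  names = Dir.glob(pattern.chomp).sort
  names = [pattern.chomp] if names.empty?
  system("tar", "-cf", "ruby.tar", "--", *names, err: File::NULL)
end

# Runs one archiver in a scratch directory holding two constructed files and
# reports the exit status, whether the injected command ran, and what the
# archive contains.
def trial(archiver, input)
  Dir.mktmpdir do |dir|
    Dir.chdir(dir) do
      %w[a.rb b.rb].each { |f| File.write(f, "puts 1\n") }
      ok = send(archiver, input)
      members = File.exist?("ruby.tar") ? `tar -tf ruby.tar`.split("\n").sort : []
      { ok: ok, injected: File.exist?("INJECTED"), members: members }
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  p trial(:archive_via_shell, HOSTILE)  # injected command runs
  p trial(:archive_via_argv, HOSTILE)   # tar fails, nothing else runs
  p trial(:archive_via_argv, "*.rb\n")  # normal use still works
end
```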

Exec
Replaces current process by running command.
    exec("ls -l")
    # program never reaches this point
Single argument form invokes shell
    exec("echo *")
Multiple argument form does not
    exec("echo", "*")

Command Quotes
Ruby will run commands in backquotes
    os = `uname`
    os = %x|uname|
Return value is output of command as String.
Command quotes invoke a subshell:
    files = `echo *`
    sortedfiles = `echo * | sort`

Popen
Pipe Open
    IO.popen(command_string, mode)
Opens command like a file
  • r: read from command's STDOUT.
  • w: write to command's STDIN.
Similar to command quotes in read mode:
    uname_fh = IO.popen('uname -a', 'r')
    unixname = uname_fh.readlines

Popen offers more control than command quotes.
  • Use less memory (read a line at a time.)
  • Obtain partial output immediately.
Examples
    vmfh = IO.popen("vmstat 5 5")
    # Throw away header lines then print
    2.times { vmfh.gets }    # vmstat prints two header lines
    vmfh.each do |vmline|
      puts vmline
    end

Expect
Automation tool for interactive processes.
  • fsck
  • ftp
  • minicom
  • passwd
  • telnet
Methods
  • spawn: start an external command
  • expect: wait for command to output pattern
  • send: send string to command as input

Expect
    require 'pty'
    require 'expect'

    # password is assumed to be set earlier in the script
    PTY.spawn('telnet zork.nku.edu') do |r_f, w_f, pid|
      r_f.expect(/^Username.*: /) do
        w_f.puts 'jsmith'    # puts adds the newline that submits the input
      end
      r_f.expect('Password: ') do
        w_f.puts password
      end
      r_f.expect('$ ') do
        w_f.puts "passwd #{password} spameggs"
      end
    end
