What do those do?
-### `[set](http://www.gnu.org/software/bash/manual/html_node/The-Set-Builtin.html) -e`
+### [`set -e`](http://www.gnu.org/software/bash/manual/html_node/The-Set-Builtin.html)
If a command fails, `set -e` will make the whole script exit, instead of just
resuming on the next line. If you have commands that can fail without it being
for example `set -e` followed by `false || :` will not cause your script to
terminate.
-### `[set](http://www.gnu.org/software/bash/manual/html_node/The-Set-Builtin.html) -u`
+### [`set -u`](http://www.gnu.org/software/bash/manual/html_node/The-Set-Builtin.html)
Treat unset variables as an error, and immediately exit.
-### `[set](http://www.gnu.org/software/bash/manual/html_node/The-Set-Builtin.html) -f`
+### [`set -f`](http://www.gnu.org/software/bash/manual/html_node/The-Set-Builtin.html)
Disable filename expansion (globbing) upon seeing `*`, `?`, etc..
If your script depends on globbing, you obviously shouldn't set this. Instead,
you may find
-`[shopt](http://www.gnu.org/software/bash/manual/html_node/The-Shopt-Builtin.html)
--s failglob` useful, which causes globs that don't get expanded to cause
+[`shopt -s failglob`](http://www.gnu.org/software/bash/manual/html_node/The-Shopt-Builtin.html) useful, which causes globs that don't get expanded to cause
errors, rather than getting passed to the command with the `*` intact.
-### [set](http://www.gnu.org/software/bash/manual/html_node/The-Set-Builtin.html) -o pipefail
+### [`set -o pipefail`](http://www.gnu.org/software/bash/manual/html_node/The-Set-Builtin.html)
`set -o pipefail` causes a pipeline (for example, `curl -s http://sipb.mit.edu/
| grep foo`) to produce a failure return code if any command errors. Normally,
for details on the distinction between `$*`, `$@`, and `"$@"` — the first
and second are rarely what you want in a safe shell script.
+## Passing filenames or other positional arguments to commands
+
+If you get filenames from the user or from shell globbing, or any other kind of positional arguments, you should be aware that those could start with a "-". Even if you quote correctly, this may still act differently from what you intended. For example, consider a script that allows somebody to run commands as `nobody` (exposed over `remctl`, perhaps), consisting of just `sudo -u nobody "$@"`. The quoting is fine, but if a user passes `-u root reboot`, `sudo` will catch the second `-u` and run it as `root`.
+
+Fixing this depends on what command you're running.
+
+For many, however, `--` is accepted to indicate that any options are done, and future arguments should be parsed as positional parameters --- even if they look like options. In the `sudo` example above, `sudo -u nobody -- "$@"` would avoid this attack (though obviously limiting which users commands can be run as in the `sudo` configuration should be done as well).
+
+Another approach is to prefix each filename with `./`, if the filenames are expected to be in the current directory.
+
+## Temporary files
+
+TODO: mumble `mktemp`?
+
## Conclusion
When possible, instead of writing a "safe" shell script, *use a higher-level
sipb-www / wiki.git / blobdiff