0

Context for the question is the following comment on one of my answers:

@SergiyKolodyazhnyy Prefacing a script name with /bin/bash or even just bash is also a common way to solve the lack of executable permissions on the script.

I've refuted with the obvious remarks that there's danger in giving a potentially malicious script ability to do what it wants while file itself doesn't have executable bit set, and obvious incompatibility of script written for say c-shell being run with bourne-like shell ( and syntax incompatibility among Bourne-like shells themselves ). And the way I see it in hindsight, it's almost close to faulty advise of doing curl somedomain/script.sh | bash.

However, I'm curious if there are potentially more severe implications. I know that merely cat'ing a file can be dangerous and merely copy-pasting of a seemingly harmless script, but I'm curious if there's anything not so obvious exists about running a script as argument to shell.

Arminius
  • 44,242
  • 14
  • 143
  • 138

1 Answers1

3

Not really. If someone can get you to run a malicious script -- whether with ./scriptname or with bash scriptname -- you're pretty much toast. Also, you shouldn't think of the execute permission as a protection against malware. Execute permission controls whether you are allowed to execute the script (via exec() and its relatives), not whether it is allowed to execute.

Gordon Davisson
  • 2,601
  • 1
  • 17
  • 13