Kris on Twitter is a bit radical about shell scripts. Learn why.
Posted by jpluimers on 2022/04/13
I say to people: only use shell interactively, don’t write scripts. Never. Not one.
But Kris, they ask, why so radical?
Because of this:
is the literal English Google Translate rendering of the German original text
Ich sage den Leuten: benutzt Shell nur interaktiv, schreibt keine Scripte. Nie. Nicht eines.
Aber Kris, fragen sie, wieso so Radikal?
Deswegen:
then links to [Wayback/Archive] Jan Schaumann on Twitter: “TIL zgrep(1) is a shell script. BSD basically does “zcat | grep”, but GNU does “gzip -dc | sed”. How did I learn that? The fun way! CVE-2022-1271, arbitrary-file-write and code execution vulnerability in GNU zgrep / gzip. …”:
Oh, I learned about cowsay: “cowsay is a program that generates ASCII art pictures of a cow with a message.”
Source: [Wayback/Archive] Kris on Twitter: “Ich sage den Leuten: benutzt Shell nur interaktiv, schreibt keine Scripte. Nie. Nicht eines. Aber Kris, fragen sie, wieso so Radikal? Deswegen:” / Twitter
Where I asked whether Python would be allowed, spurring some nice responses:
- [Wayback/Archive] Florian Haas on Twitter: “@jpluimers @isotopp Don’t do that either. Instead do: `subprocess.check_call("/bin/bash myscript.sh")` [ducks, runs]”
- [Wayback/Archive] Christian Vogel 🏡🦠 on Twitter: “@xahteiwi @jpluimers @isotopp `subprocess.check_call("/bin/bash myscript.sh",shell=True)` is the only way.”
- [Wayback/Archive] Florian Haas on Twitter: “@vogelchr @jpluimers @isotopp Preceded by `requests.get()` to a HTTP URL to fetch `myscript.sh`, of course. yolo”
Note that a few hours later Kris added this [Wayback/Archive]:
You think you can get input sanitization and error handling right in the shell, but it is harder than it looks. A real programming language is in a much better position there, and even there it is, in my experience, already hard enough
translated from
Du denkst, Du bekommst input sanitation und error handling in der Shell hin, aber das ist schwieriger als es aussieht. Eine richtige Programmiersprache ist da viel besser aufgestellt und da ist es erfahrungsgemäß schon schwer genug
Which got “35 years of bash scripting. And Kris is still right. Sure, there is trap and the like, but there is always a race condition you could not even have guessed at. Just tried whether the PoC also works with WSU… 🦹♀️😈” from [Wayback/Archive] Millux on Twitter: “@isotopp 35 Jahre bash scripting. Und Kris hat trotzdem Recht. Klar gibts trap und Gedöns, trotzdem gibt es immer eine Racing Condition, die du nicht mal ahnen kannst. Grad mal probiert ob der PoC auch mit WSU… 🦹♀️😈”
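The `shell=True` joke in the Python replies above is closer to real code than it looks, and it is a small instance of Kris’s follow-up point about input handling: `shell=True` hands one string to /bin/sh, which re-parses it, so whatever is pasted into that string is shell syntax, not data. The following is an added example of mine, not code from the thread or from any of the people quoted. It passes the same hostile argument to a child process three ways and returns what the child actually received. `HOSTILE_ARG`, `ECHO_ARGV` and the three `run_*` functions are constructed for this example; the child is a Python one-liner standing in for `myscript.sh`, and the two shell variants assume a POSIX /bin/sh.

```python
import shlex
import subprocess
import sys
from typing import Tuple

# Constructed hostile argument (not from the thread): a space, a ";" command separator,
# a "$(...)" command substitution and an embedded newline. Pasted into a shell command
# line unquoted, every one of these changes what gets executed.
HOSTILE_ARG = "file name; $(echo SHELL_EXPANDED)\nsecond line"

# Stand-in for "myscript.sh" (assumption for this example): a Python one-liner that
# writes argv[1] back unchanged, so the caller sees exactly what the child received.
ECHO_ARGV = [sys.executable, "-c", "import sys; sys.stdout.write(sys.argv[1])"]


def run_as_list(arg: str) -> Tuple[str, int]:
    """Recommended form: an argv list and no shell. The argument arrives verbatim."""
    proc = subprocess.run(ECHO_ARGV + [arg], capture_output=True, text=True)
    return proc.stdout, proc.returncode


def run_via_shell_unquoted(arg: str) -> Tuple[str, int]:
    """The shell=True form from the thread, with the argument pasted into the command
    string without quoting. /bin/sh re-parses the whole string: the argument is split at
    the space, ";" and the newline start new commands, and "$(...)" is expanded and run.
    Only the first word ("file") reaches the child; the rest is executed as commands."""
    cmd = shlex.join(ECHO_ARGV) + " " + arg
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout, proc.returncode


def run_via_shell_quoted(arg: str) -> Tuple[str, int]:
    """If a shell is unavoidable, quote every word so the shell sees one literal
    argument. shlex.join() applies shlex.quote() to each element of the list."""
    cmd = shlex.join(ECHO_ARGV + [arg])
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout, proc.returncode


if __name__ == "__main__":
    for fn in (run_as_list, run_via_shell_unquoted, run_via_shell_quoted):
        out, rc = fn(HOSTILE_ARG)
        print(f"{fn.__name__:24s} rc={rc:<3d} child saw {out!r}")
```

The unquoted variant also shows the error-handling half of Kris’s remark: the exit status `subprocess` reports is that of whatever the shell ran last (here a "command not found" from the injected fragment), not of the program you meant to run, so `check_call` would raise for the wrong reason or, with a different payload, not at all. The list form has no such ambiguity, which is the whole argument for not writing the logic in a shell in the first place.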
–jeroen