Re: [Sugar-devel] Quoting in shell scripts (was: Re: [sugar-devel] Recent fiddlings with Print Support)
On Sat, May 16, 2009 at 06:20:56PM +0530, Vamsi Krishna Davuluri wrote:
> Hello! I finally figured what was going wrong with my script.
>
> Jonas, I have tried implementing your suggestions. using mktemp, X,
> and also a -m 077. The code doesn't work for some reason that way. lpr
> gets me a failed job.

Try piece by piece to locate which part does not work in your environment.

Or try invoking the script with "bash -x" to enable debugging.

> [va...@localhost Desktop]$ $(set -e abiword [...]

I believe the syntax is this:

    [va...@localhost Desktop]$ $(set -e; abiword [...]

And if I didn't mention it clearly enough before, I will try to do it now: I strongly recommend completely avoiding subshells (those `` and $() and () constructs) as they are more complex to do right!

> The lp user of lp group ( cups script executor) messes up with
> permissions when executing commands in a subshell, that's really messed
> up. my rationale is, in a subshell the lp user has no longer domain.
> Also, CUPS doesn't write to our /tmp folder, instead has its own folder
> defined somewhere.

No surprise. Please read above. Read twice if needed ;-)

 - Jonas

--
 * Jonas Smedegaard - idealist and Internet architect
 * Tlf.: +45 40843136 Website: http://dr.jones.dk/

 [x] quote me freely [ ] ask before reusing [ ] keep private

___
Sugar-devel mailing list
Sugar-devel@lists.sugarlabs.org
http://lists.sugarlabs.org/listinfo/sugar-devel
Re: [Sugar-devel] Quoting in shell scripts (was: Re: [sugar-devel] Recent fiddlings with Print Support)
Hello! I finally figured what was going wrong with my script.

Jonas, I have tried implementing your suggestions. using mktemp, X, and also a -m 077. The code doesn't work for some reason that way. lpr gets me a failed job.

Also that code is basically ported from this guide, http://www.ibm.com/developerworks/linux/library/l-dvi-filter.html

Jonas, Silbe, notice this

    [va...@localhost Desktop]$ $(abiword --to=ps /home/Vamsi/lololo.odt); if [ $? -ne 0 ]; then echo 'hello'; else echo 'what'; fi
    hello
    [va...@localhost Desktop]$ $(abiword --to=doc /home/Vamsi/lololo.odt); if [ $? -ne 0 ]; then echo 'hello'; else echo 'what'; fi
    what
    [va...@localhost Desktop]$ $(set -e abiword --to=doc /home/Vamsi/lololo.odt); if [ $? -ne 0 ]; then echo 'hello'; else echo 'what'; fi
    what
    [va...@localhost Desktop]$ $(set -e abiword --to=ps /home/Vamsi/lololo.odt); if [ $? -ne 0 ]; then echo 'hello'; else echo 'what'; fi
    what
    [va...@localhost Desktop]$ $(abiword --to=ps /home/Vamsi/lololo.odt); if [ $? -ne 0 ]; then echo 'hello'; else echo 'what'; fi
    hello
    [va...@localhost Desktop]$ $(abiword --to=ps /home/Vamsi/lololo.odt); if [ $? -ne 0 ]; then echo 'hello'; else echo 'what'; fi
    hello

Set -e basically yields me the same case, that is even on an error it returns me a 0. But without set -e, it works great.

Moving on, it's like this:

The lp user of lp group ( cups script executor) messes up with permissions when executing commands in a subshell, that's really messed up. my rationale is, in a subshell the lp user has no longer domain. Also, CUPS doesn't write to our /tmp folder, instead has its own folder defined somewhere.

So what I made is,

    sandbox1="${TMPDIR1:-/tmp}/tempcups."
    (umask 077 && mkdir "$sandbox1") || exit 1

I made another temp folder for the subshells to execute their commands.

And, andres, it initially does try to convert to doc.

The algorithm is pretty much like this,

1) We try to write to some new path besides the same folder, if it works, we are running 2.6.6 and plus, if not we are on 2.6.6--
- We cannot check for ~somepath.ps here as 2.6.8 doesn't have that capability, so that would be inviting a hole as we would be skipping for 2.6.8 as well!

    # $fn happens to be supplied variable
    $(abiword --to=$sandbox1/temp123.doc $fn)
    # if this doesnt work, do the following, as 2.6.6- could only do operations in the same folder,
    # we are copying ;)
    if [ "$?" -ne 0 ]; then
        #our dummy file
        fn1="$sandbox/temp123.odt"
        cp "$fn" "$fn1"
        # Call abiword quietly, securely
        abiword --to="ps" "`echo "$fn1" | sed -e 's/odt$/doc/' `"
        fn2="`echo "$fn1" | sed -e 's/odt$/ps/' `"

2) Now we enter the case what if we are in fact on 2.6.6+, well now come two paths again, 1) are we 2.6.8, or 2) anything other than 2.6.8 (again 2.6.8 can't write to ps directly, we need an intermediate doc conversion for this effect)

    # Call abiword quietly, securely
    #check if our version doesn't require an intermediate conversion, if it does, do it
    $(abiword --to="$sandbox1/temp123.ps" "$fn")
    if [ "$?" -ne 0 ]; then
        abiword --to="$sandbox/temp123.doc" "$fn"
        abiword --to="$sandbox/temp123.ps" "$sandbox/temp123.doc"
    else
        #abiword --to="$sandbox/temp123.ps" "$fn"
        fn2="$sandbox1/temp123.ps"

Andres, script works great for ALLL cases :D

    #!/bin/bash
    # CUPS filter to process ODT files using abiword

    # $6 happens to be the path to file passed as argument for debugging purposes i am use $1
    fn="$6"

    #for our subshell convenience
    sandbox1="${TMPDIR1:-/tmp}/tempcups."
    (umask 077 && mkdir "$sandbox1") || exit 1

    # we are creating a dummy folder, which can take different file types.
    sandbox="${TMPDIR:-/tmp}/t6cups-odftops."
    (umask 077 && mkdir "$sandbox") || exit 1

    #The condition which checks whether our abiword is 2.6.6+ or 2.6.6-
    $(abiword --to="$sandbox1/temp123.doc" "$fn")
    if [ "$?" -ne 0 ]; then
        #our dummy file
        fn1="$sandbox/temp123.odt"
        cp "$fn" "$fn1"
        # Call abiword quietly, securely
        abiword --to="ps" "`echo "$fn1" | sed -e 's/odt$/doc/' `"
        fn2="`echo "$fn1" | sed -e 's/odt$/ps/' `"
    else
        # Call abiword quietly, securely
        #check if our version doesn't require an intermediate conversion, if it does, do it
        $(abiword --to="$sandbox1/temp123.ps" "$fn")
        if [ "$?" -ne 0 ]; then
            abiword --to="$sandbox/temp123.doc" "$fn"
            abiword --to="$sandbox/temp123.ps" "$sandbox/temp123.doc"
        else
            #abiword --to="$sandbox/temp123.ps" "$fn"
            fn2="$sandbox1/temp123.ps"
        fi
    fi

    cat "$fn2"

    #remove the sandbox folder, for debugging purposes check by commenting the following line and see what is in the /tmp/ folder
    #rm -rf $sandbox
    #rm -rf $sandbox1
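Added example, not part of the original messages: it reproduces the exit statuses seen in the transcript above and contrasts the two `set -e` spellings from the reply before it. `convert` and `noisy_convert` are hypothetical stand-ins for abiword; the last two cases go beyond what the thread shows.

```shell
# Added example. `convert` is a hypothetical stand-in for abiword: it prints
# nothing and fails with status 3, like the --to=ps case in the transcript.
convert() { return 3; }
# Same failure, but the tool also prints a line (constructed output).
noisy_convert() { echo "echo converted-output-ran-as-a-command"; return 3; }

# Each case runs in its own subshell with errexit off, so the reported
# status does not depend on the caller's shell options.

# Bare $(cmd), empty output: the status is that of the substitution.
case_plain()      ( set +e; $(convert); echo "$?" )

# "set -e convert" has no ';': it enables errexit and stores "convert"
# as $1. The command is never executed, so the status is always 0.
case_set_e_arg()  ( set +e; $(set -e convert); echo "$?" )

# With the ';' the command really runs and its failure is reported.
case_set_e_semi() ( set +e; $(set -e; convert); echo "$?" )

# If the tool prints anything, bare $(cmd) executes that output as a
# command and reports *its* status, hiding the real failure.
case_noisy()      ( set +e; $(noisy_convert) >/dev/null; echo "$?" )

# No substitution at all: call the command and branch on its status.
case_direct()     ( set +e; if convert; then echo 0; else echo "$?"; fi )

for c in case_plain case_set_e_arg case_set_e_semi case_noisy case_direct; do
    printf '%-16s -> exit status %s\n' "$c" "$($c)"
done
```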
Re: [Sugar-devel] Quoting in shell scripts (was: Re: [sugar-devel] Recent fiddlings with Print Support)
On Thu, May 14, 2009 at 8:14 AM, Andrés Ambrois wrote:
> if [ -z `grep "%!PS-Adobe-3.0" < "$fn2"` ]; then

Even better, you can use the exit code of grep, thus

    if grep -q 'pattern' $file; then

elegant, clearer and faster :-)

Some grep implementations don't support -q, so a more portable way (but uglier) of saying the same is:

    if grep 'pattern' $file >/dev/null ; then

(Actually, some take -s for 'silent', but that's patchy as well. Only /dev/null works everywhere...)

cheers,

m
--
 martin.langh...@gmail.com
 mar...@laptop.org -- School Server Architect
 - ask interesting questions
 - don't get distracted with shiny stuff - working code first
 - http://wiki.laptop.org/go/User:Martinlanghoff
Re: [Sugar-devel] Quoting in shell scripts (was: Re: [sugar-devel] Recent fiddlings with Print Support)
On Wednesday 13 May 2009 08:03:22 am Vamsi Krishna Davuluri wrote:
> Thanks. I have taken into account your suggestions and made another script.

Thank you all for helping out! Here are a few other comments:

> #!/bin/bash -e
> # CUPS filter to process ODT files using abiword
>
> # $6 happens to be the path to file passed as argument
> fn="$6"
>
> #in case its not defined
> TMPDIR="/tmp"

See Jonas's comments

> # we are creating a dummy folder, which can take different file types using
> mkdir, change to ="/tmp/cups-odftops"
> sandbox="${TMPDIR-/tmp}/cups-odftops."
> (umask 077 && mkdir "$sandbox") || exit 1
>
> #our two dummy files
> fn1="$sandbox/temp123.odt"
> cp "$fn" "$fn1"

Do you need to cp? Can't you symlink? Copying potentially large files is a problem.

> # Call abiword quietly, securely
> abiword --to="ps" "$fn1"
> fn2="`echo "$fn1" | sed -e 's/odt/ps/' `"

    fn2=`echo "$fn1" | sed 's/\.odt$/\.ps/'`

> #check if our version doesn't require an intermediate conversion, if it
> does, do it, else break;
>
> if [ -n "`grep -q "%!PS-Adobe-3.0" < "$fn2" `" ];then

grep -q is always silent, and [ -n ] tests for string length nonzero, so this will always fail. I guess you're trying to see if the conversion failed (does not contain "%!PS-Adobe-3.0" ), so you should need:

    if [ -z `grep "%!PS-Adobe-3.0" < "$fn2"` ]; then

> abiword --to="doc" "$fn1"
> abiword --to="ps" "`echo "$fn1" | sed -e 's/odt/doc/' `"
> fi

Again, watch out for that sed.

--
Andrés
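Added example, not part of the original messages: the PostScript header checks discussed in the two replies above, run against constructed sample files. The function names are assumptions, and `classify` goes beyond the thread by separating grep's "no match" status from its error status.

```shell
# Added example; the sample files below are constructed.
PAT='%!PS-Adobe-3.0'

# Test from the script under review: grep -q prints nothing, so the
# string handed to -n is always empty and this never succeeds.
is_ps_n_q()     { [ -n "$(grep -q "$PAT" < "$1")" ]; }
# Exit-status form, and the spelling for greps that lack -q.
is_ps_q()       { grep -q "$PAT" "$1"; }
is_ps_devnull() { grep "$PAT" "$1" >/dev/null; }

# grep has three outcomes: 0 match, 1 no match, >1 error (for example the
# converter never wrote the file). A plain "if grep" merges the last two.
classify() {
    rc=0
    grep "$PAT" "$1" >/dev/null 2>&1 || rc=$?
    case $rc in
        0) echo postscript ;;
        1) echo not-postscript ;;
        *) echo unreadable ;;
    esac
}

# Turn a predicate's exit status into yes/no for display.
verdict() { if "$@"; then echo yes; else echo no; fi; }

demo_dir=$(mktemp -d "${TMPDIR:-/tmp}/grepdemo.XXXXXX") || exit 1
trap 'rm -rf "$demo_dir"' EXIT
printf '%%!PS-Adobe-3.0\n%%%%Pages: 1\n' > "$demo_dir/good.ps"
printf 'PK constructed non-PostScript bytes\n' > "$demo_dir/bad.ps"

for f in good.ps bad.ps missing.ps; do
    printf '%-10s n+q=%s q=%s devnull=%s classify=%s\n' "$f" \
        "$(verdict is_ps_n_q "$demo_dir/$f" 2>/dev/null)" \
        "$(verdict is_ps_q "$demo_dir/$f" 2>/dev/null)" \
        "$(verdict is_ps_devnull "$demo_dir/$f" 2>/dev/null)" \
        "$(classify "$demo_dir/$f")"
done
```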
Re: [Sugar-devel] Quoting in shell scripts (was: Re: [sugar-devel] Recent fiddlings with Print Support)
On Wed, May 13, 2009 at 04:33:22PM +0530, Vamsi Krishna Davuluri wrote:
> #in case its not defined
> TMPDIR="/tmp"

Above means that you override if it was defined. Use this instead:

    TMPDIR="${TMPDIR:-/tmp}"

Or use mktemp which has same fallback (and more!) internally.

> # we are creating a dummy folder, which can take different file types using
> mkdir, change to ="/tmp/cups-odftops"

It is common practice to keep lines maximum 72 characters long, to avoid them wrapping in e.g. emails.

> sandbox="${TMPDIR-/tmp}/cups-odftops."

There is absolutely no improved security in 4x$. $$ resolves to the current process id, which (on most systems?) is not random but sequential so relatively easy to guess by evil-doers. simply means use the same process id twice.

My recommendation was to use mktemp with a _skeleton_ value that includes , which means add a random number that is 4 characters long.

> (umask 077 && mkdir "$sandbox") || exit 1

If a system for some reason fails to set umask, above command silently continues!

Kind regards,

 - Jonas
Re: [Sugar-devel] Quoting in shell scripts (was: Re: [sugar-devel] Recent fiddlings with Print Support)
Thanks. I have taken into account your suggestions and made another script.

This had been not a competition to beautify or verify the rigidity of the script, rather to see if opensuse accepted it. Which it still doesn't. Something to do with lp user file create permissions. Though the script works fine on ubuntu and fedora.

And also, this is my first shell script

    #!/bin/bash -e
    # CUPS filter to process ODT files using abiword

    # $6 happens to be the path to file passed as argument
    fn="$6"

    #in case its not defined
    TMPDIR="/tmp"

    # we are creating a dummy folder, which can take different file types using mkdir, change to ="/tmp/cups-odftops"
    sandbox="${TMPDIR-/tmp}/cups-odftops."
    (umask 077 && mkdir "$sandbox") || exit 1

    #our two dummy files
    fn1="$sandbox/temp123.odt"
    cp "$fn" "$fn1"

    # Call abiword quietly, securely
    abiword --to="ps" "$fn1"
    fn2="`echo "$fn1" | sed -e 's/odt/ps/' `"

    #check if our version doesn't require an intermediate conversion, if it does, do it, else break;
    if [ -n "`grep -q "%!PS-Adobe-3.0" < "$fn2" `" ];then
    abiword --to="doc" "$fn1"
    abiword --to="ps" "`echo "$fn1" | sed -e 's/odt/doc/' `"
    fi

    cat "$fn2"

    #remove the sandbox folder, for debugging purposes check by commenting the following line and see what is in the /tmp/ folder
    #rm -rf $sandbox

    #NOTES: CURSE me for not realizing that these scripts cant write to anyplace other than tmp dirs, and wasting about 20 hrs doing all sorts of combinations of selinux tweaking, writing sample scripts (which magically did the job) and CHMODing
Re: [Sugar-devel] Quoting in shell scripts (was: Re: [sugar-devel] Recent fiddlings with Print Support)
On Wed, May 13, 2009 at 10:25:36AM +0200, Sascha Silbe wrote:
> On Wed, May 13, 2009 at 01:03:26PM +0530, Vamsi Krishna Davuluri
> wrote:
>
>> Okay, so here's the latest dope.
> I hope you don't mind me pointing out a few oversights in your script
> publicly. The main reason is that I want to remind others (e.g.
> GSoC students) to be careful about quoting - a topic that
> unfortunately doesn't seem to get as much attention in university
> courses as it deserves.
>
>> sandbox=${TMPDIR-/tmp}/cups-odftops.$$
>> (umask 077 && mkdir $sandbox) || exit 1
> TMPDIR and thus later sandbox may contain any character, so you need
> to quote them.

While we are at it, I believe it is safer and more elegant to use mktemp than $$ (which in theory can be captured by evil-doers using simple ps on a very slow system).

Also, I usually avoid subshells to not risk hiding failures (you need to do "set -e" inside each subshell).

Here's my suggested variant of above:

    sandbox="$(mktemp -t cups-odftops.XX)"
    mkdir -m 077 "$sandbox" || exit 1

Enjoy :-)

 - Jonas
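Added example, not part of the original messages: one way to create the filter's private working directory, covering the points raised in the two replies above (the TMPDIR fallback, a PID-derived name versus mktemp). It goes beyond the thread by using `mktemp -d`; the cups-odftops prefix comes from the thread, while the function names and the scratch directory are assumptions.

```shell
# Added example; function names and the scratch area are assumptions.

# Name built from the PID, as in the first script: computable in advance
# by anyone who can list processes.
predictable_name() { echo "${TMPDIR:-/tmp}/cups-odftops.$$"; }

# mkdir-based creation: refuses to continue if the name already exists.
make_predictable() { ( umask 077 && mkdir "$(predictable_name)" ) 2>/dev/null; }

# mktemp -d picks an unused random suffix, creates the directory with
# mode 0700 in the same step, and returns non-zero if it cannot.
make_sandbox() {
    dir=$(mktemp -d "${TMPDIR:-/tmp}/cups-odftops.XXXXXX") || return 1
    [ -d "$dir" ] && [ ! -L "$dir" ] || return 1   # verify, do not assume
    echo "$dir"
}

# Permission bits of a path as ls prints them, e.g. drwx------
mode_of() { ls -ld "$1" | cut -c1-10; }

# Demo inside a private scratch area so nothing outside it is touched.
demo() {
    scratch=$(mktemp -d "${TMPDIR:-/tmp}/sandbox-demo.XXXXXX") || return 1
    (
        TMPDIR=$scratch; export TMPDIR
        mkdir "$(predictable_name)"      # the guessable name is already taken
        if make_predictable; then echo "predictable: created"
        else echo "predictable: refused"; fi
        sb=$(make_sandbox) && echo "mktemp: $(mode_of "$sb")"
    )
    rm -rf "$scratch"
}
demo
```

A filter that uses `make_sandbox` should also remove the directory when it exits, for example with `trap 'rm -rf "$sb"' EXIT`.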
[Sugar-devel] Quoting in shell scripts (was: Re: [sugar-devel] Recent fiddlings with Print Support)
On Wed, May 13, 2009 at 01:03:26PM +0530, Vamsi Krishna Davuluri wrote:

> Okay, so here's the latest dope.

I hope you don't mind me pointing out a few oversights in your script publicly. The main reason is that I want to remind others (e.g. GSoC students) to be careful about quoting - a topic that unfortunately doesn't seem to get as much attention in university courses as it deserves.

> sandbox=${TMPDIR-/tmp}/cups-odftops.$$
> (umask 077 && mkdir $sandbox) || exit 1

TMPDIR and thus later sandbox may contain any character, so you need to quote them.

BTW: I usually issue "set -e" in front of any script and explicitly handle the cases where I know that some command may fail and I _do_ want to continue, BTW. Doing it the other way round increases the likelihood of forgetting to check for an error and thus making the real error hard to find.

> fn2=`echo $fn1 | sed -e 's/odt/ps/' `

This invocation is the reason for this mail: You should (*) quote both fn1 and the result of the calculation. This would give:

    fn2="`echo \"$fn1\" | sed -e 's/odt/ps/' `"

As you see, it's a bit awkward. That's why I recommend using $(...) instead of `...`:

    fn2="$(echo "$fn1" | sed -e 's/odt/ps/')"

The given sed invocation will replace the _first_ occurrence of "odt" (e.g. "Godtfred Kirk Christiansen.odt" -> "Gpsfred Kirk Christiansen.odt"), BTW. You should append "$" after odt to make it match just the end of the string.

> if cat "$fn2" | grep -q "%!PS-Adobe-3.0"

Useless use of cat: you can use shell redirection instead:

    if grep -q "%!PS-Adobe-3.0" < "$fn2"

> break;

Hmm, I don't see any loop that could be aborted. Do you mean "exit 0" instead?

(*) For this particular occurrence, it isn't strictly necessary to quote fn1, as it is passed to echo which will behave the same either way. This isn't true for most other commands, so it's useful to develop a habit of always quoting arguments if they may contain arbitrary / unknown / "user"-specified data.
CU Sascha
--
http://sascha.silbe.org/ http://www.infra-silbe.de/
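Added example, not part of the original message: the quoting and sed points above, run on the file name the message uses. The helper names are assumptions, and `to_ps_expansion` goes beyond the thread by doing the rename with parameter expansion instead of sed.

```shell
# Added example; the file name is the one quoted in the message above.
fn1='Godtfred Kirk Christiansen.odt'

# Report how many separate arguments a command would receive.
count_args() { echo "$#"; }

unquoted_args() { count_args $fn1; }     # split on every space
quoted_args()   { count_args "$fn1"; }   # stays one argument

# Substitution from the script under review: first "odt" anywhere.
to_ps_first_match() { printf '%s\n' "$1" | sed -e 's/odt/ps/'; }

# Anchored to the end of the string, dot included.
to_ps_anchored()    { printf '%s\n' "$1" | sed -e 's/\.odt$/.ps/'; }

# Same rename without a subprocess; refuses names lacking the suffix
# instead of returning them unchanged.
to_ps_expansion() {
    case $1 in
        *.odt) printf '%s\n' "${1%.odt}.ps" ;;
        *)     return 1 ;;
    esac
}

printf 'unquoted: %s args, quoted: %s arg\n' "$(unquoted_args)" "$(quoted_args)"
printf 'first match: %s\n' "$(to_ps_first_match "$fn1")"
printf 'anchored:    %s\n' "$(to_ps_anchored "$fn1")"
printf 'expansion:   %s\n' "$(to_ps_expansion "$fn1")"
```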