1*d5cd4065SSascha Wildner.\" $OpenBSD: script.7,v 1.8 2019/08/11 15:48:08 deraadt Exp $ 2e0bca924SSascha Wildner.\" 3*d5cd4065SSascha Wildner.\" $NetBSD: script.7,v 1.6 2010/03/22 18:58:32 joerg Exp $ 4e0bca924SSascha Wildner.\" 5e0bca924SSascha Wildner.\" Copyright (c) 2005 The NetBSD Foundation, Inc. 6e0bca924SSascha Wildner.\" All rights reserved. 7e0bca924SSascha Wildner.\" 8e0bca924SSascha Wildner.\" This document was originally contributed to The NetBSD Foundation 9e0bca924SSascha Wildner.\" by Perry E. Metzger of Metzger, Dowdeswell & Co. LLC. 10e0bca924SSascha Wildner.\" 11e0bca924SSascha Wildner.\" Redistribution and use in source and binary forms, with or without 12e0bca924SSascha Wildner.\" modification, are permitted provided that the following conditions 13e0bca924SSascha Wildner.\" are met: 14e0bca924SSascha Wildner.\" 1. Redistributions of source code must retain the above copyright 15e0bca924SSascha Wildner.\" notice, this list of conditions and the following disclaimer. 16e0bca924SSascha Wildner.\" 2. Redistributions in binary form must reproduce the above copyright 17e0bca924SSascha Wildner.\" notice, this list of conditions and the following disclaimer in the 18e0bca924SSascha Wildner.\" documentation and/or other materials provided with the distribution. 19e0bca924SSascha Wildner.\" 20e0bca924SSascha Wildner.\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS 21e0bca924SSascha Wildner.\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 22e0bca924SSascha Wildner.\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 23e0bca924SSascha Wildner.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS 24e0bca924SSascha Wildner.\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 25e0bca924SSascha Wildner.\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 26e0bca924SSascha Wildner.\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 27e0bca924SSascha Wildner.\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 28e0bca924SSascha Wildner.\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 29e0bca924SSascha Wildner.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 30e0bca924SSascha Wildner.\" POSSIBILITY OF SUCH DAMAGE. 31e0bca924SSascha Wildner.\" 32*d5cd4065SSascha Wildner.Dd November 1, 2020 33e0bca924SSascha Wildner.Dt SCRIPT 7 34e0bca924SSascha Wildner.Os 35e0bca924SSascha Wildner.Sh NAME 36e0bca924SSascha Wildner.Nm script 37e0bca924SSascha Wildner.Nd interpreter script execution 38e0bca924SSascha Wildner.Sh DESCRIPTION 39e0bca924SSascha WildnerThe system is capable of treating a text file containing commands 40e0bca924SSascha Wildnerintended for an interpreter, such as 41e0bca924SSascha Wildner.Xr sh 1 42e0bca924SSascha Wildneror 43e0bca924SSascha Wildner.Xr awk 1 , 44e0bca924SSascha Wildneras an executable program. 45e0bca924SSascha Wildner.Pp 46e0bca924SSascha WildnerAn 47e0bca924SSascha Wildner.Dq interpreter script 48e0bca924SSascha Wildneris a file which has been set executable (see 49e0bca924SSascha Wildner.Xr chmod 2 ) 50e0bca924SSascha Wildnerand which has a first line of the form: 51e0bca924SSascha Wildner.Pp 52e0bca924SSascha Wildner.D1 Li #! Ar pathname Op Ar argument 53e0bca924SSascha Wildner.Pp 54e0bca924SSascha WildnerThe 55e0bca924SSascha Wildner.Sq #! 56e0bca924SSascha Wildnermust appear as the first two characters of the file. 57e0bca924SSascha WildnerA space between the 58e0bca924SSascha Wildner.Sq #! 59e0bca924SSascha Wildnerand 60e0bca924SSascha Wildner.Ar pathname 61e0bca924SSascha Wildneris optional. 62e0bca924SSascha WildnerAt most one 63e0bca924SSascha Wildner.Ar argument 64e0bca924SSascha Wildnermay follow 65e0bca924SSascha Wildner.Ar pathname , 66e0bca924SSascha Wildnerand the length of the entire line is limited (see below). 67e0bca924SSascha Wildner.Pp 68e0bca924SSascha WildnerIf such a file is executed (such as via the 69e0bca924SSascha Wildner.Xr execve 2 70e0bca924SSascha Wildnersystem call), the interpreter specified by the 71e0bca924SSascha Wildner.Ar pathname 72e0bca924SSascha Wildneris executed by the system. 73e0bca924SSascha Wildner(The 74e0bca924SSascha Wildner.Ar pathname 75e0bca924SSascha Wildneris executed without regard to the 76e0bca924SSascha Wildner.Ev PATH 77e0bca924SSascha Wildnervariable, so in general 78e0bca924SSascha Wildner.Ar pathname 79e0bca924SSascha Wildnershould be an absolute path.) 80e0bca924SSascha Wildner.Pp 81e0bca924SSascha WildnerThe arguments passed to the interpreter will be as follows. 82e0bca924SSascha Wildner.Va argv[0] 83e0bca924SSascha Wildnerwill be the path to the interpreter itself, as specified on the first 84e0bca924SSascha Wildnerline of the script. 85e0bca924SSascha WildnerIf there is an 86e0bca924SSascha Wildner.Ar argument 87e0bca924SSascha Wildnerfollowing 88e0bca924SSascha Wildner.Ar pathname 89e0bca924SSascha Wildneron the first line of the script, it will be passed as 90e0bca924SSascha Wildner.Va argv[1] . 91e0bca924SSascha WildnerThe subsequent elements of 92e0bca924SSascha Wildner.Va argv 93e0bca924SSascha Wildnerwill be the path to the interpreter script file itself (i.e. the 94e0bca924SSascha Wildneroriginal 95e0bca924SSascha Wildner.Va argv[0] ) 96e0bca924SSascha Wildnerfollowed by any further arguments passed when 97e0bca924SSascha Wildner.Xr execve 2 98e0bca924SSascha Wildnerwas invoked to execute the script file. 99e0bca924SSascha Wildner.Pp 100e0bca924SSascha WildnerBy convention, it is expected that an interpreter will open the script 101e0bca924SSascha Wildnerfile passed as an argument and process the commands within it. 102e0bca924SSascha WildnerTypical interpreters treat 103e0bca924SSascha Wildner.Sq # 104e0bca924SSascha Wildneras a comment character, and thus will ignore the initial line of the script 105e0bca924SSascha Wildnerbecause it begins 106e0bca924SSascha Wildner.Sq #! , 107e0bca924SSascha Wildnerbut there is no requirement for this per se. 108e0bca924SSascha Wildner.Pp 109e0bca924SSascha WildnerOn 110e0bca924SSascha Wildner.Dx , 111e0bca924SSascha Wildnerthe length of the 112e0bca924SSascha Wildner.Sq #! 113e0bca924SSascha Wildnerline, excluding the 114e0bca924SSascha Wildner.Sq #! 115e0bca924SSascha Wildneritself, is limited to 116*d5cd4065SSascha Wildner.Dv MAXSHELLCMDLEN 117e0bca924SSascha Wildner(as defined in 118*d5cd4065SSascha Wildner.In sys/imgact.h ) . 119e0bca924SSascha WildnerOther operating systems impose different limits on the length of 120e0bca924SSascha Wildnerthe 121e0bca924SSascha Wildner.Sq #! 122e0bca924SSascha Wildnerline (see below). 123e0bca924SSascha Wildner.Pp 124e0bca924SSascha WildnerNote that the interpreter may not itself be an interpreter script. 125e0bca924SSascha WildnerIf 126e0bca924SSascha Wildner.Ar pathname 127e0bca924SSascha Wildnerdoes not point to an executable binary, execution of the interpreter 128e0bca924SSascha Wildnerscript will fail. 129e0bca924SSascha Wildner.Ss Trampolines and Portable Scripts 130e0bca924SSascha WildnerDifferent operating systems often have interpreters located in 131e0bca924SSascha Wildnerdifferent locations, and the kernel executes the passed interpreter 132e0bca924SSascha Wildnerwithout regard to the setting of environment variables such as 133e0bca924SSascha Wildner.Ev PATH . 134e0bca924SSascha WildnerThis makes it somewhat challenging to set the 135e0bca924SSascha Wildner.Sq #! 136e0bca924SSascha Wildnerline of a script so that it will run identically on different systems. 137e0bca924SSascha Wildner.Pp 138e0bca924SSascha WildnerSince the 139e0bca924SSascha Wildner.Xr env 1 140e0bca924SSascha Wildnerutility executes a command passed to it on its command line, it is 141e0bca924SSascha Wildneroften used as a 142e0bca924SSascha Wildner.Dq trampoline 143e0bca924SSascha Wildnerto render scripts portable. 144e0bca924SSascha WildnerIf the leading line of a script reads 145e0bca924SSascha Wildner.Pp 146e0bca924SSascha Wildner.Dl #! /usr/bin/env interp 147e0bca924SSascha Wildner.Pp 148e0bca924SSascha Wildnerthen the 149e0bca924SSascha Wildner.Xr env 1 150e0bca924SSascha Wildnercommand will execute the 151e0bca924SSascha Wildner.Dq interp 152e0bca924SSascha Wildnercommand it finds in its 153e0bca924SSascha Wildner.Ev PATH , 154e0bca924SSascha Wildnerpassing on to it all subsequent arguments with which it itself was called. 155e0bca924SSascha WildnerSince 156e0bca924SSascha Wildner.Pa /usr/bin/env 157e0bca924SSascha Wildneris found on almost all 158e0bca924SSascha Wildner.Tn POSIX 159e0bca924SSascha Wildnerstyle systems, this trick is frequently exploited by authors who need 160e0bca924SSascha Wildnera script to execute without change on multiple systems. 161e0bca924SSascha Wildner.Ss Historical Note: Scripts without `#!' 162e0bca924SSascha WildnerShell scripts predate the invention of the 163e0bca924SSascha Wildner.Sq #! 164e0bca924SSascha Wildnerconvention, which is implemented in the kernel. 165e0bca924SSascha WildnerIn the days of 166e0bca924SSascha Wildner.At v7 , 167e0bca924SSascha Wildnerthere was only one interpreter used on the system, 168e0bca924SSascha Wildner.Pa /bin/sh , 169e0bca924SSascha Wildnerand the shell treated any file that failed to execute with an 170e0bca924SSascha Wildner.Er ENOEXEC 171e0bca924SSascha Wildnererror 172e0bca924SSascha Wildner(see 173e0bca924SSascha Wildner.Xr intro 2 ) 174e0bca924SSascha Wildneras a shell script. 175e0bca924SSascha Wildner.Pp 176e0bca924SSascha WildnerMost shells (such as 177e0bca924SSascha Wildner.Xr sh 1 ) 178e0bca924SSascha Wildnerand certain other facilities (including 179e0bca924SSascha Wildner.Xr execlp 3 180e0bca924SSascha Wildnerand 181e0bca924SSascha Wildner.Xr execvp 3 182e0bca924SSascha Wildnerbut not other types of 183e0bca924SSascha Wildner.Xr exec 3 184e0bca924SSascha Wildnercalls) still pass 185e0bca924SSascha Wildnerinterpreter scripts that do not include the 186e0bca924SSascha Wildner.Sq #! 187e0bca924SSascha Wildner(and thus fail to execute with 188e0bca924SSascha Wildner.Er ENOEXEC ) 189e0bca924SSascha Wildnerto 190e0bca924SSascha Wildner.Pa /bin/sh . 191e0bca924SSascha Wildner.Pp 192e0bca924SSascha WildnerAs this behavior is implemented outside the kernel, there is no 193e0bca924SSascha Wildnermechanism that forces it to be respected by all programs that execute 194e0bca924SSascha Wildnerother programs. 195e0bca924SSascha WildnerIt is thus not completely reliable. 196e0bca924SSascha WildnerIt is therefore important to always include 197e0bca924SSascha Wildner.Pp 198e0bca924SSascha Wildner.Dl #!/bin/sh 199e0bca924SSascha Wildner.Pp 200e0bca924SSascha Wildnerin front of Bourne shell scripts, and to treat the traditional 201e0bca924SSascha Wildnerbehavior as obsolete. 202e0bca924SSascha Wildner.Sh EXAMPLES 203e0bca924SSascha WildnerSuppose that an executable binary exists in 204e0bca924SSascha Wildner.Pa /bin/interp 205e0bca924SSascha Wildnerand that the file 206e0bca924SSascha Wildner.Pa /tmp/script 207e0bca924SSascha Wildnercontains: 208e0bca924SSascha Wildner.Bd -literal -offset indent 209e0bca924SSascha Wildner#!/bin/interp -arg 210e0bca924SSascha Wildner 211e0bca924SSascha Wildner[...] 212e0bca924SSascha Wildner.Ed 213e0bca924SSascha Wildner.Pp 214e0bca924SSascha Wildnerand that 215e0bca924SSascha Wildner.Pa /tmp/script 216e0bca924SSascha Wildneris set mode 755. 217e0bca924SSascha Wildner.Pp 218e0bca924SSascha WildnerExecuting 219e0bca924SSascha Wildner.Pp 220e0bca924SSascha Wildner.Dl $ /tmp/script one two three 221e0bca924SSascha Wildner.Pp 222e0bca924SSascha Wildnerat the shell will result in 223e0bca924SSascha Wildner.Pa /bin/interp 224e0bca924SSascha Wildnerbeing executed, receiving the following arguments in 225e0bca924SSascha Wildner.Va argv 226e0bca924SSascha Wildner(numbered from 0): 227e0bca924SSascha Wildner.Bd -ragged -offset indent 228e0bca924SSascha Wildner.Qq /bin/interp , 229e0bca924SSascha Wildner.Qq "-arg" , 230e0bca924SSascha Wildner.Qq /tmp/script , 231e0bca924SSascha Wildner.Qq one , 232e0bca924SSascha Wildner.Qq two , 233e0bca924SSascha Wildner.Qq three 234e0bca924SSascha Wildner.Ed 235e0bca924SSascha Wildner.Ss Portability Note: Multiple arguments 236e0bca924SSascha WildnerThe behavior of multiple arguments on the 237e0bca924SSascha Wildner.Sq #! 238e0bca924SSascha Wildnerline is highly non-portable between different systems. 239e0bca924SSascha WildnerIn general, only one argument can be assumed to work consistently. 240e0bca924SSascha Wildner.Pp 241e0bca924SSascha WildnerConsider the following variation on the previous example. 242e0bca924SSascha WildnerSuppose that an executable binary exists in 243e0bca924SSascha Wildner.Pa /bin/interp 244e0bca924SSascha Wildnerand that the file 245e0bca924SSascha Wildner.Pa /tmp/script 246e0bca924SSascha Wildnercontains: 247e0bca924SSascha Wildner.Bd -literal -offset indent 248e0bca924SSascha Wildner#!/bin/interp -x -y 249e0bca924SSascha Wildner 250e0bca924SSascha Wildner[...] 251e0bca924SSascha Wildner.Ed 252e0bca924SSascha Wildner.Pp 253e0bca924SSascha Wildnerand that 254e0bca924SSascha Wildner.Pa /tmp/script 255e0bca924SSascha Wildneris set mode 755. 256e0bca924SSascha Wildner.Pp 257e0bca924SSascha WildnerExecuting 258e0bca924SSascha Wildner.Pp 259e0bca924SSascha Wildner.Dl $ /tmp/script one two three 260e0bca924SSascha Wildner.Pp 261e0bca924SSascha Wildnerat the shell will result in 262e0bca924SSascha Wildner.Pa /bin/interp 263e0bca924SSascha Wildnerbeing executed, receiving the following arguments in 264e0bca924SSascha Wildner.Va argv 265e0bca924SSascha Wildner(numbered from 0): 266e0bca924SSascha Wildner.Bd -ragged -offset indent 267e0bca924SSascha Wildner.Qq /bin/interp , 268e0bca924SSascha Wildner.Qq "-x -y" , 269e0bca924SSascha Wildner.Qq /tmp/script , 270e0bca924SSascha Wildner.Qq one , 271e0bca924SSascha Wildner.Qq two , 272e0bca924SSascha Wildner.Qq three 273e0bca924SSascha Wildner.Ed 274e0bca924SSascha Wildner.Pp 275e0bca924SSascha WildnerNote that 276e0bca924SSascha Wildner.Qq "-x -y" 277e0bca924SSascha Wildnerwill be passed on 278e0bca924SSascha Wildner.Dx 279e0bca924SSascha Wildneras a single argument. 280e0bca924SSascha Wildner.Pp 281e0bca924SSascha WildnerAlthough most 282e0bca924SSascha Wildner.Tn POSIX 283e0bca924SSascha Wildnerstyle operating systems will pass only one 284e0bca924SSascha Wildner.Ar argument , 285e0bca924SSascha Wildnerthe behavior when multiple arguments are included is not 286e0bca924SSascha Wildnerconsistent between platforms. 287e0bca924SSascha WildnerSome, such as 288e0bca924SSascha Wildner.Dx , 289e0bca924SSascha Wildnerwill concatenate multiple arguments into a single argument (as above), 290e0bca924SSascha Wildnersome will truncate them, and at least one will pass them as multiple 291e0bca924SSascha Wildnerarguments. 292e0bca924SSascha Wildner.Pp 293e0bca924SSascha WildnerThe 294e0bca924SSascha Wildner.Dx 295e0bca924SSascha Wildnerbehavior is common but not universal. 296e0bca924SSascha WildnerSun's 297e0bca924SSascha Wildner.Tn Solaris 298e0bca924SSascha Wildnerwould present the above argument as 299e0bca924SSascha Wildner.Qq -x , 300e0bca924SSascha Wildnerdropping the 301e0bca924SSascha Wildner.Qq " -y" 302e0bca924SSascha Wildnerentirely. 303e0bca924SSascha WildnerPerhaps uniquely, recent versions of Apple's 304e0bca924SSascha Wildner.Tn OS X 305e0bca924SSascha Wildnerwill actually pass multiple arguments properly, i.e.: 306e0bca924SSascha Wildner.Bd -ragged -offset indent 307e0bca924SSascha Wildner.Qq /bin/interp , 308e0bca924SSascha Wildner.Qq -x , 309e0bca924SSascha Wildner.Qq -y , 310e0bca924SSascha Wildner.Qq /tmp/script , 311e0bca924SSascha Wildner.Qq one , 312e0bca924SSascha Wildner.Qq two , 313e0bca924SSascha Wildner.Qq three 314e0bca924SSascha Wildner.Ed 315e0bca924SSascha Wildner.Pp 316e0bca924SSascha WildnerThe behavior of the system in the face of multiple arguments is thus 317e0bca924SSascha Wildnernot currently standardized, should not be relied on, and may be 318e0bca924SSascha Wildnerchanged in future releases. 319e0bca924SSascha WildnerIn general, pass at most one argument, and do not rely on multiple 320e0bca924SSascha Wildnerarguments being concatenated. 321e0bca924SSascha Wildner.Sh SEE ALSO 322e0bca924SSascha Wildner.Xr awk 1 , 323e0bca924SSascha Wildner.Xr csh 1 , 324e0bca924SSascha Wildner.Xr sh 1 , 325e0bca924SSascha Wildner.Xr chmod 2 , 326e0bca924SSascha Wildner.Xr execve 2 , 327e0bca924SSascha Wildner.Xr intro 2 , 328e0bca924SSascha Wildner.Xr execlp 3 , 329e0bca924SSascha Wildner.Xr execvp 3 330e0bca924SSascha Wildner.Sh STANDARDS 331e0bca924SSascha WildnerThe behavior of interpreter scripts is obliquely referred to, but 332e0bca924SSascha Wildnernever actually described in, 333e0bca924SSascha Wildner.St -p1003.1-2004 . 334e0bca924SSascha Wildner.Pp 335e0bca924SSascha WildnerThe behavior is partially (but not completely) described in the 336e0bca924SSascha Wildner.St -svid4 . 337e0bca924SSascha Wildner.Pp 338e0bca924SSascha WildnerAlthough it has never been formally standardized, the behavior 339e0bca924SSascha Wildnerdescribed is largely portable across 340e0bca924SSascha Wildner.Tn POSIX 341e0bca924SSascha Wildnerstyle systems, with two significant exceptions: the maximum length of the 342e0bca924SSascha Wildner.Sq #! 343e0bca924SSascha Wildnerline, and the behavior if multiple arguments are passed. 344e0bca924SSascha WildnerPlease be aware that the behavior in the 345e0bca924SSascha Wildnerface of multiple arguments is not consistent across systems. 346e0bca924SSascha Wildner.Sh HISTORY 347e0bca924SSascha WildnerThe behavior of the kernel when encountering scripts that start in 348e0bca924SSascha Wildner.Sq #! 349e0bca924SSascha Wildnerwas not present in 350e0bca924SSascha Wildner.At v7 . 351e0bca924SSascha WildnerA Usenet posting to net.unix by Guy Harris on October 16, 1984 claims 352e0bca924SSascha Wildnerthat the idea for the 353e0bca924SSascha Wildner.Sq #! 354e0bca924SSascha Wildnerbehavior was first proposed by Dennis Ritchie but that the first 355e0bca924SSascha Wildnerimplementation was on 356e0bca924SSascha Wildner.Bx . 357e0bca924SSascha Wildner.Pp 358e0bca924SSascha WildnerHistorical manuals (specifically the exec man page) indicate that the 359e0bca924SSascha Wildnerbehavior was present in 360e0bca924SSascha Wildner.Bx 4 361e0bca924SSascha Wildnerat least as early as April, 1981. 362e0bca924SSascha WildnerInformation on precisely when it was first implemented, and in which 363e0bca924SSascha Wildnerversion of 364e0bca924SSascha Wildner.Ux , 365e0bca924SSascha Wildneris solicited. 366e0bca924SSascha Wildner.Sh CAVEATS 367e0bca924SSascha WildnerNumerous security problems are associated with setuid interpreter 368e0bca924SSascha Wildnerscripts. 369e0bca924SSascha Wildner.Pp 370e0bca924SSascha WildnerIn addition to the fact that many interpreters (and scripts) are 371e0bca924SSascha Wildnersimply not designed to be robust in a setuid context, a race condition 372e0bca924SSascha Wildnerexists between the moment that the kernel examines the interpreter 373e0bca924SSascha Wildnerscript file and the moment that the newly invoked interpreter opens 374e0bca924SSascha Wildnerthe file itself. 375e0bca924SSascha Wildner.Pp 376e0bca924SSascha WildnerSubtle techniques can be used to subvert even seemingly well written scripts. 377e0bca924SSascha WildnerScripts executed by Bourne type shells can be subverted in numerous 378e0bca924SSascha Wildnerways, such as by setting the 379e0bca924SSascha Wildner.Ev IFS 380e0bca924SSascha Wildnervariable before executing the script. 381e0bca924SSascha WildnerOther interpreters possess their own vulnerabilities. 382e0bca924SSascha WildnerSetting the Set-user-ID on execution (SUID) bit 383e0bca924SSascha Wildneris therefore very dangerous, and should not be done lightly, if at all. 384