Script safety
To keep a script from doing damage when something goes wrong (a typo, an unset variable, a failed step), it needs a few protective settings.
Motivating example
Suppose a variable $dir is defined and rm -rf $dir/* is used to empty that directory.
If $dir is empty (unset, or the name is mistyped), the command expands to rm -rf /* and wipes the root filesystem.
#!/bin/bash

DIR=/data

rm -rf $D1R/*    # typo: $D1R (digit one) is not $DIR, expands to nothing, so this runs rm -rf /*

echo Del $DIR Already!
$-
The variable $- lists the single-letter shell options currently in effect. set +<option> turns an option off, set -<option> turns it on.
- h  hash caching (hashall): the shell remembers the path of each command it has looked up
- B  brace expansion with {} is enabled
- i  interactive shell
- m  monitor mode: job control can start, stop, resume jobs and move them between foreground and background
- H  history expansion (! style substitution) is enabled
- s  commands are read from standard input
[21:32:18 root@C8-3-55 ~]#echo $-
himBHs
The set command changes these options, and so the environment a script runs in:
[21:42:30 root@C8-3-55 ~]#set --help
set: set [--abefhkmnptuvxBCHP] [-o option-name] [--] [arg ...]
Set or unset values of shell options and positional parameters.
Change the value of shell attributes and positional parameters, or
display the names and values of shell variables.
Options:
-a Mark variables which are modified or created for export.
-b Notify of job termination immediately.
-e Exit immediately if a command exits with a non-zero status.
-f Disable file name generation (globbing).
-h Remember the location of commands as they are looked up.
-k All assignment arguments are placed in the environment for a
command, not just those that precede the command name.
-m Job control is enabled.
-n Read commands but do not execute them.
-o option-name
Set the variable corresponding to option-name:
allexport same as -a
braceexpand same as -B
emacs use an emacs-style line editing interface
errexit same as -e
errtrace same as -E
functrace same as -T
hashall same as -h
histexpand same as -H
history enable command history
ignoreeof the shell will not exit upon reading EOF
interactive-comments
allow comments to appear in interactive commands
keyword same as -k
monitor same as -m
noclobber same as -C
noexec same as -n
noglob same as -f
nolog currently accepted but ignored
notify same as -b
nounset same as -u
onecmd same as -t
physical same as -P
pipefail the return value of a pipeline is the status of
the last command to exit with a non-zero status,
or zero if no command exited with a non-zero status
posix change the behavior of bash where the default
operation differs from the Posix standard to
match the standard
privileged same as -p
verbose same as -v
vi use a vi-style line editing interface
xtrace same as -x
-p Turned on whenever the real and effective user ids do not match.
Disables processing of the $ENV file and importing of shell
functions. Turning this option off causes the effective uid and
gid to be set to the real uid and gid.
-t Exit after reading and executing one command.
-u Treat unset variables as an error when substituting.
-v Print shell input lines as they are read.
-x Print commands and their arguments as they are executed.
-B the shell will perform brace expansion
-C If set, disallow existing regular files to be overwritten
by redirection of output.
-E If set, the ERR trap is inherited by shell functions.
-H Enable ! style history substitution. This flag is on
by default when the shell is interactive.
-P If set, do not resolve symbolic links when executing commands
such as cd which change the current directory.
-T If set, the DEBUG and RETURN traps are inherited by shell functions.
-- Assign any remaining arguments to the positional parameters.
If there are no remaining arguments, the positional parameters
are unset.
- Assign any remaining arguments to the positional parameters.
The -x and -v options are turned off.
Using + rather than - causes these flags to be turned off. The
flags can also be used upon invocation of the shell. The current
set of flags may be found in $-. The remaining n ARGs are positional
parameters and are assigned, in order, to $1, $2, .. $n. If no
ARGs are given, all shell variables are printed.
Exit Status:
Returns success unless an invalid option is given.
set -u
Treat unset variables as an error when substituting.
With -u, expanding a variable that has never been defined is an error, so a mistyped variable name aborts the script instead of silently expanding to an empty string.
[21:42:38 root@C8-3-55 ~]#name=bpz ##define a variable
[21:46:58 root@C8-3-55 ~]#echo $name ##display it
bpz
[21:47:04 root@C8-3-55 ~]#unset name ##remove the variable
[21:47:14 root@C8-3-55 ~]#echo $name ##display the now-undefined variable again
##by default this is not an error: it expands to an empty string
[21:47:21 root@C8-3-55 ~]#set -u ##enable -u
[21:47:30 root@C8-3-55 ~]#echo $name ##display the undefined variable again
-bash: name: unbound variable ##now an error is reported
Example: with set -u, the undefined variable is never expanded and rm never runs
#!/bin/bash
set -u
DIR=/data

rm -rf $D1R/*    # same typo as before; the script now aborts here with "D1R: unbound variable"

echo Del $DIR Already!
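The protection above, as an added example that is not part of the original notes: the two helper functions show exactly what rm would receive with and without set -u, and safe_clean is a hardened version of the script that runs under set -ue, uses ${DIR:?} so that an empty DIR (which set -u alone accepts) also aborts, and refuses to operate on / outright. The function names and the scratch directory are constructed for the demonstration; nothing outside that directory is touched.

```shell
#!/bin/bash
# Added example, not from the original notes. Shows what `set -u` changes when
# a script expands a mistyped variable such as $D1R in `rm -rf $D1R/*`, and a
# hardened clean-up function. Only a scratch directory created here is touched.

# The argument `rm -rf $D1R/*` would receive with D1R unset and no `set -u`:
# the variable expands to nothing, leaving "/*". Printed quoted so the glob
# is shown rather than expanded.
target_without_nounset() {
    ( unset D1R; printf '%s' "$D1R/*" )
}

# The same expansion under `set -u`: the non-interactive subshell exits with
# "D1R: unbound variable" before printing anything, so the status is non-zero.
target_with_nounset() {
    ( set -u; unset D1R; printf '%s' "$D1R/*" ) 2>/dev/null
}

# Hardened version of the notes' script. Takes the directory to empty as $1.
# `set -ue` catches unset names; `${DIR:?}` also rejects an empty value, which
# `set -u` alone would accept; and "/" is refused explicitly.
safe_clean() {
    (
        set -ue
        DIR=$1
        if [ "${DIR:?DIR must not be empty}" = "/" ]; then
            echo "refusing to clean /" >&2
            exit 2
        fi
        rm -rf -- "$DIR"/*
        echo "Del $DIR Already!"
    )
}

# Number of entries (including dotfiles) left in a directory.
count_entries() {
    ls -A "$1" | wc -l | tr -d ' '
}

# Constructed sample data: a scratch directory with two files.
demo_dir=$(mktemp -d)
touch "$demo_dir/a.log" "$demo_dir/b.log"

echo "without set -u, rm would receive: $(target_without_nounset)"
if ! target_with_nounset >/dev/null; then
    echo "with set -u the expansion aborts, so rm never runs"
fi

echo "before: $(count_entries "$demo_dir") entries"
safe_clean "$demo_dir"
echo "after:  $(count_entries "$demo_dir") entries"

if ! safe_clean "" 2>/dev/null; then
    echo "empty DIR rejected"
fi

rm -rf -- "$demo_dir"
```

The ${DIR:?} guard is worth keeping even with set -u, because DIR="" is a defined variable and set -u will happily expand it to the root directory.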
set -e
Exit immediately if a command exits with a non-zero status.
As soon as any command fails, the script stops instead of carrying on with the later steps as if nothing had happened.
To be safe, put set -ue right after the shebang line of every script. Be aware of the limits of -e: a failure inside a pipeline only counts if it is in the last command (add -o pipefail to catch the others), and a command whose status is tested by if, while, &&, or || never triggers it, nor does anything run inside a function called from such a test.
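The behaviour of set -e described above, as an added example that is not part of the original notes. Each helper runs a small script in a fresh bash process and prints "ran" only if the script reached its last line, so the output and exit status show whether errexit stopped it. The function names are constructed for the demonstration and the example assumes bash is installed.

```shell
#!/bin/bash
# Added example, not from the original notes. Shows what `set -e` does and
# does not stop. Each helper runs a tiny script in a separate bash process
# and prints "ran" only if the script reached its last line. Assumes bash.

# A plain failing command: errexit aborts before "ran".
plain_failure() {
    bash -c 'set -e; false; echo ran'
}

# The same failure inside a pipeline: a pipeline's status is that of its
# last command, so `false | cat` succeeds and errexit does not fire.
pipeline_failure_errexit() {
    bash -c 'set -e; false | cat; echo ran'
}

# With `pipefail` the pipeline reports the failure and errexit aborts.
pipeline_failure_pipefail() {
    bash -c 'set -eo pipefail; false | cat; echo ran'
}

# A command tested by `if`, `||` or `&&` is exempt from errexit by design;
# its failure has to be handled in the condition itself.
failure_in_condition() {
    bash -c 'set -e; if false; then :; fi; echo ran'
}

# A function body is exempt in the same way while its call is being tested,
# so the `false` inside f does not stop f and "inside" is still printed.
failure_in_tested_function() {
    bash -c 'set -e; f() { false; echo inside; }; if f; then :; fi; echo ran'
}

# The preamble recommended above, extended with pipefail: an unset variable
# (the $D1R typo from the notes) aborts before anything else runs.
hardened_preamble() {
    bash -c 'set -ueo pipefail
             DIR=/data
             printf "%s\n" "$D1R/*"   # typo for $DIR: aborts here under -u
             echo ran'
}

echo "plain failure:            $(plain_failure || echo "[aborted, status $?]")"
echo "pipeline, -e only:        $(pipeline_failure_errexit)"
echo "pipeline, -e + pipefail:  $(pipeline_failure_pipefail || echo "[aborted, status $?]")"
echo "failure in if-condition:  $(failure_in_condition)"
echo "failure in tested func:   $(failure_in_tested_function | tr '\n' ' ')"
echo "set -ueo pipefail + typo: $(hardened_preamble 2>/dev/null || echo "[aborted, status $?]")"
```

The practical consequence: set -e is a safety net for the simple straight-line case, not a substitute for checking the status of commands you run inside conditions, and pipelines need -o pipefail to be covered at all.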
set -o with no argument lists every option together with its current on/off state
[22:09:14 root@C8-3-55 ~]#set -o
allexport off
braceexpand on
emacs on
errexit off
errtrace off
functrace off
hashall on
histexpand on
history on
ignoreeof off
interactive-comments on
keyword off
monitor on
noclobber off
noexec off
noglob off
nolog off
notify off
nounset on
onecmd off
physical off
pipefail off
posix off
privileged off
verbose off
vi off
xtrace off