Revisions to I/O error when passing command line argument to a shell script

added 118 characters in body

Source Link

edited Nov 13, 2018 at 11:32

355.8k
42
735
1.1k

The $1 in the sh -c script will expand to the first command line argument of that script, not to the first command line argument of the calling script (since the sh -c script is single quoted).

The correct solution is not to inject the value of $1 from the calling script into the sudo script (this would allow for various interesting code injection vulnerabilities), but to pass $1 from the outer script to the inner:

sudo sh -c 'printf "%s\n" "$1" > /sys/class/backlight/intel_backlight/brightness' sh "$1"

Alternatively, use sudo tee to write to the file as root:

printf '%s\n' "$1" | sudo tee /sys/class/backlight/intel_backlight/brightness >/dev/null

If the data printed to the file is always an integer, use %d as the printf format placeholder instead of %s.

The $1 in the sh -c script will expand to the first command line argument of that script, not to the first command line argument of the calling script (since the sh -c script is single quoted).

The correct solution is not to inject the value of $1 from the calling script into the sudo script (this would allow for various interesting code injection vulnerabilities), but to pass $1 from the outer script to the inner:

sudo sh -c 'printf "%s\n" "$1" > /sys/class/backlight/intel_backlight/brightness' sh "$1"

Alternatively, use sudo tee to write to the file as root:

printf '%s\n' "$1" | sudo tee /sys/class/backlight/intel_backlight/brightness >/dev/null

The $1 in the sh -c script will expand to the first command line argument of that script, not to the first command line argument of the calling script (since the sh -c script is single quoted).

The correct solution is not to inject the value of $1 from the calling script into the sudo script (this would allow for various interesting code injection vulnerabilities), but to pass $1 from the outer script to the inner:

sudo sh -c 'printf "%s\n" "$1" > /sys/class/backlight/intel_backlight/brightness' sh "$1"

Alternatively, use sudo tee to write to the file as root:

printf '%s\n' "$1" | sudo tee /sys/class/backlight/intel_backlight/brightness >/dev/null

If the data printed to the file is always an integer, use %d as the printf format placeholder instead of %s.

added 9 characters in body

Source Link

edited Nov 13, 2018 at 10:53

Kusalananda ♦

355.8k
42
735
1.1k

The $1 in the sh -c script will expand to the first command line argument of that script, not to the first command line argument of the calling script (since the sh -c script is single quoted).

The correct solution is not to inject the value of $1 from the calling script into the sudo script (this would allow for various interesting code injection vulnerabilities), but to pass $1 from the outer script to the inner:

sudo sh -c 'echo'printf "%s\n" "$1" > /sys/class/backlight/intel_backlight/brightness' sh "$1"

Alternatively, use sudo tee to write to the file as root:

printf '%s\n' "$1" | sudo tee /sys/class/backlight/intel_backlight/brightness >/dev/null

The $1 in the sh -c script will expand to the first command line argument of that script, not to the first command line argument of the calling script (since the sh -c script is single quoted).

The correct solution is not to inject the value of $1 from the calling script into the sudo script (this would allow for various interesting code injection vulnerabilities), but to pass $1 from the outer script to the inner:

sudo sh -c 'echo "$1" > /sys/class/backlight/intel_backlight/brightness' sh "$1"

Alternatively, use sudo tee to write to the file as root:

printf '%s\n' "$1" | sudo tee /sys/class/backlight/intel_backlight/brightness >/dev/null

The $1 in the sh -c script will expand to the first command line argument of that script, not to the first command line argument of the calling script (since the sh -c script is single quoted).

The correct solution is not to inject the value of $1 from the calling script into the sudo script (this would allow for various interesting code injection vulnerabilities), but to pass $1 from the outer script to the inner:

sudo sh -c 'printf "%s\n" "$1" > /sys/class/backlight/intel_backlight/brightness' sh "$1"

Alternatively, use sudo tee to write to the file as root:

printf '%s\n' "$1" | sudo tee /sys/class/backlight/intel_backlight/brightness >/dev/null

Source Link

answered Nov 13, 2018 at 10:46

Kusalananda ♦

355.8k
42
735
1.1k

The $1 in the sh -c script will expand to the first command line argument of that script, not to the first command line argument of the calling script (since the sh -c script is single quoted).

The correct solution is not to inject the value of $1 from the calling script into the sudo script (this would allow for various interesting code injection vulnerabilities), but to pass $1 from the outer script to the inner:

sudo sh -c 'echo "$1" > /sys/class/backlight/intel_backlight/brightness' sh "$1"

Alternatively, use sudo tee to write to the file as root:

printf '%s\n' "$1" | sudo tee /sys/class/backlight/intel_backlight/brightness >/dev/null

Stack Exchange Network

Return to Answer