Comparison of command shells
==Security features==
{{importance section|date=July 2014}}
{{sort-under}}
{| class="wikitable sortable sort-under" style="width: auto; text-align: center; font-size: smaller;"
|-
!Shell
![[#Secure prompt|Secure (password) prompt]]
!File/directory passwords
![[#Execute permission|Execute permission]]
![[#Restricted shell subset|Restricted shell subset]]
![[#Safe data subset|Safe data subset]]
|-
![[Bourne shell]]
|{{some|via {{mono|stty}}}}<ref group="nb" name="tty">The shell can use the {{mono|stty}} utility to suppress echoing of typed characters to the screen. This requires multiple steps: 1. reading the current echo state, 2. switching echo off, 3. reading the input, 4. switching echo state back to the original state.</ref>
|?
|{{N/A|N/A}}<ref group="nb" name="hashbang">The ''execute permission'' is enforced by a separate program, the program loader, by refusing to invoke the interpreter (possibly a shell) specified by the script's [[hashbang]]. The interpreter does not enforce the execute permission if invoked directly as the program loader would, with the file as an argument; this only requires read permission, as does piping the file as input to the interpreter, in which case the interpreter cannot see the execute permission.</ref>
|{{yes}}
|{{no}}
|-
![[POSIX]] shell
|{{some|via {{mono|stty}}}}<ref group="nb" name="tty"/>
|?
|{{N/A|N/A}}<ref group="nb" name="hashbang"/>
|{{no}}
|{{no}}
|-
![[Bash (Unix shell)|bash]] (v4.0)
|{{yes|{{mono|read -s}}}}
|?
|{{N/A|N/A}}<ref group="nb" name="hashbang"/>
|{{yes}}
|{{no}}
|-
![[C shell|csh]]
|{{some|via {{mono|stty}}}}<ref group="nb" name="tty"/>
|?
|{{N/A|N/A}}<ref group="nb" name="hashbang"/>
|{{yes}}
|{{no}}
|-
![[tcsh]]
|{{some|via {{mono|stty}}}}<ref group="nb" name="tty"/>
|?
|{{N/A|N/A}}<ref group="nb" name="hashbang"/>
|{{yes}}
|{{no}}
|-
![[Hamilton C shell]]
|{{no}}
|{{no}}
|{{no}}
|{{no}}
|{{no}}
|-
![[Scsh]]
|{{some|via {{mono|stty}}}}<ref group="nb" name="tty"/>
|?
|{{N/A|N/A}}<ref group="nb" name="hashbang"/>
|{{no}}
|{{no}}
|-
![[Korn Shell|ksh]] (ksh93t+)
|{{some|via {{mono|stty}}}}<ref group="nb" name="tty"/>
|?
|{{N/A|N/A}}<ref group="nb" name="hashbang"/>
|{{yes}}
|{{no}}
|-
![[pdksh]]
|{{some|via {{mono|stty}}}}<ref group="nb" name="tty"/>
|?
|{{N/A|N/A}}<ref group="nb" name="hashbang"/>
|{{yes}}
|{{no}}
|-
![[zsh]]
|{{yes|{{mono|read -s}}}}
|?
|{{N/A|N/A}}<ref group="nb" name="hashbang"/><ref group="nb" name="xperm-complete">The zsh and fish shells also honor the ''execute permission'' for command completion.</ref>
|{{yes}}
|{{no}}
|-
![[Almquist shell|ash]]
|{{some|via {{mono|stty}}}}<ref group="nb" name="tty"/>
|?
|{{N/A|N/A}}<ref group="nb" name="hashbang"/>
|{{yes}}
|{{no}}
|-
![[CCP (CP/M)|CCP]]
|{{no}}
|{{no}}
|{{no}}
|{{no}}
|{{no}}
|-
![[COMMAND.COM]]
|{{partial}} (only under DR-DOS, prompts for password if file/directory is protected)
|{{partial}} (only under DR-DOS via {{mono|\dirname;dirpwd\filename;filepwd}} syntax)<ref group="nb" name="drpwd">Under DR-DOS the password separator for file and directory passwords is a semicolon. This is also supported under 4DOS for as long as the command does not support include lists. Under 4DOS, the password separator must be doubled for all commands supporting include lists in order to distinguish passwords from include lists. Commands not supporting include lists accept both forms. DR-DOS 7.02 and higher optionally accept a doubled semicolon as well, so that doubled semicolons work under both COMMAND.COM and 4DOS regardless of the command executed.</ref>
|{{partial}} (only under DR-DOS, if files are password-protected for read and/or execute permission)<ref group="nb" name="drexec">DR-DOS supports file passwords for read/write/delete and optionally execute permissions. Files are not protected by default, but the system can be set up so that e.g. batch scripts require a password to read.</ref>
|{{no}}
|{{no}}
|-
!OS/2 [[CMD.EXE]]
|{{no}}
|{{no}}
|{{no}}
|{{no}}
|{{no}}
|-
!Windows [[CMD.EXE]]
|{{no}}
|{{no}}
|{{no}}
|{{no}}
|{{no}}
|-
![[4DOS]]
|{{yes}} (via {{mono|INPUT /P}} or {{mono|INKEY /P}})<ref group="nb" name="input/p">{{mono|INPUT /P}} and {{mono|INKEY /P}} echo back asterisks for each typed character.</ref>
|{{partial}} (only under DR-DOS via {{mono|\dirname;;dirpwd\filename;;filepwd}} syntax)<ref group="nb" name="drpwd"/>
|{{partial}} (only under DR-DOS, if files are password-protected for read and/or execute permission)<ref group="nb" name="drexec"/>
|{{no}}
|{{no}}
|-
![[4OS2]]
|?
|{{no}}
|{{no}}
|{{no}}
|{{no}}
|-
![[Take Command Console|TCC]] (formerly 4NT)
|{{yes}} (via {{mono|INPUT /P}}, {{mono|INKEY /P}} or {{mono|QUERYBOX /P}})<ref group="nb" name="input/p"/>
|{{no}}
|{{no}}
|{{no}}
|{{no}}
|-
![[Windows PowerShell|PowerShell]]
|{{yes}}<ref group="nb">{{mono|Read-Host -AsSecureString}} reads a string of characters from the input device into an encrypted string, one character at a time, thus ensuring that there is no memory image of the clear text which could be gleaned from scanning memory, or from crash dumps, memory dumps, paging files, log files or similar.</ref>
|{{no}}
|{{no}}<ref group="nb">PowerShell script files ({{mono|.ps1}} files) are by default associated with the Notepad editor, not with the PowerShell execution engine. Invoking a {{mono|.ps1}} file will launch Notepad rather than executing the script.</ref>
|{{yes}}<ref group="nb">Startup scripts per computer/user can import modules and expose a subset of the commands/functions available in the modules.</ref>
|{{yes}}<ref>{{cite web |url=https://technet.microsoft.com/en-us/library/hh848302.aspx |title=About Data Sections |publisher=Technet.microsoft.com |access-date=2015-02-24}}</ref>
|-
![[Rc (Unix shell)|rc]]
|{{some|via {{mono|stty}}}}<ref group="nb" name="tty"/>
|?
|{{N/A|N/A}}<ref group="nb" name="hashbang"/>
|{{yes}}<ref>{{cite web |url=http://manpages.ubuntu.com/manpages/precise/man1/rc.1.html |title=Ubuntu Manpage: rc - shell |publisher=Manpages.ubuntu.com |date=2003-07-17 |access-date=2015-02-24}}</ref>
|{{no}}
|-
![[BeanShell]]
|?
|?
|?
|?
|?
|-
![[DIGITAL Command Language|VMS DCL]]
|{{yes}}
|{{no}}
|{{yes}}
|{{yes}}
|{{no}}
|-
![[Friendly interactive shell|fish]]
|{{yes|{{mono|read -s}}}}
|?
|{{N/A|N/A}}<ref group="nb" name="hashbang"/><ref group="nb" name="xperm-complete"/>
|{{yes| Yes (via {{mono|fish -l}})}}
|?
|}

=== Secure prompt ===
Some shell scripts need to query the user for sensitive information such as [[password]]s, private digital keys, [[Personal Identification Number|PIN codes]] or other confidential information. Sensitive input should not be echoed back to the screen/input device where it could be gleaned by unauthorized persons. Plaintext memory representation of sensitive information should also be avoided as it could allow the information to be compromised, e.g., through swap files, core dumps etc.<ref name="encryptmemory">{{cite web |author-last=Provos |author-first=Niels |title=Encrypting Virtual Memory |url=http://www.openbsd.org/papers/swapencrypt.ps |publisher=Center for Information Technology Integration, University of Michigan |access-date=2012-12-20}}</ref>

The shells bash, zsh and PowerShell offer this as a specific feature.<ref>{{cite web |url=https://www.gnu.org/software/bash/manual/html_node/Bash-Builtins.html |title=bash - GNU Bourne-Again SHell |quote=read -s Silent mode. If input is coming from a terminal, characters are not echoed.}}</ref><ref>{{cite web |url=https://technet.microsoft.com/en-us/library/ee176935.aspx |title=Using the Read-Host Cmdlet |quote=By adding the -assecurestring parameter you can mask the data entered at the prompt}}</ref> Shells which do not offer this as a specific feature may still be able to turn off echoing through some other means.
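
The four {{mono|stty}} steps listed in the table note (read the current echo state, switch echo off, read the input, restore the original state), written out for a plain POSIX shell. This is an added example, not part of the article or of any shell's documentation; <code>read_secret</code> and <code>REPLY_SECRET</code> are hypothetical names.

```shell
#!/bin/sh
# Added example. read_secret and REPLY_SECRET are hypothetical names.
# The secret is returned in a variable rather than written to stdout.
read_secret() {
    REPLY_SECRET=
    # Step 1: read the current terminal state. stty -g fails when stdin is
    # not a terminal (pipe, here-document); then there is no echo to suppress.
    if saved=$(stty -g 2>/dev/null); then
        # Put the terminal back if the user interrupts the prompt; this
        # replaces any INT/TERM/HUP traps the calling script had set.
        trap 'stty "$saved"; exit 130' INT TERM HUP
        printf '%s' "$1" >&2
        stty -echo                              # Step 2: switch echo off
        status=0
        IFS= read -r REPLY_SECRET || status=$?  # Step 3: read the input
        stty "$saved"                           # Step 4: restore the state
        trap - INT TERM HUP
        printf '\n' >&2                # the user's newline was not echoed
    else
        status=0
        IFS= read -r REPLY_SECRET || status=$?
    fi
    return "$status"
}
```

Restoring the state saved by <code>stty -g</code>, rather than running <code>stty echo</code>, leaves the terminal as the caller had it even if echo was already off.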
Shells executing on a Unix/Linux operating system can use the {{mono|[[stty]]}} external command to switch off/on echoing of input characters.<ref>{{cite web |title=Linux / Unix Command: stty |url=http://linux.about.com/od/commands/l/blcmdl1_stty.htm |publisher=Linux.about.com |access-date=2015-02-24 |archive-date=2015-02-25 |archive-url=https://web.archive.org/web/20150225005431/http://linux.about.com/od/commands/l/blcmdl1_stty.htm |url-status=dead }}</ref> In addition to not echoing back the characters, PowerShell's {{code|-AsSecureString}} option also encrypts the input character-by-character during the input process, ensuring that the string is never represented unencrypted in memory where it could be compromised through memory dumps, scanning, transcription etc.

=== Execute permission ===
Some operating systems define an ''execute'' permission which can be granted to users/groups for a file when the [[file system]] itself supports it.

On Unix systems, the execute permission controls access to invoking the file as a program, and applies both to executables and scripts. As the permission is enforced in the [[Loader (computing)|program loader]], neither the invoking program nor the invoked program has to do anything to enforce the execute permission{{Snd}} this also applies to shells and other interpreter programs. The behaviour is mandated by the [[C POSIX library|POSIX C library]] that is used for interfacing with the kernel. POSIX specifies that the <code>exec</code> family of functions shall fail with EACCES (permission denied) if the file denies execution permission (see {{man|sh|execve|SUS}}).

The ''execute'' permission only applies when the script is run directly. If a script is invoked as an argument to the interpreting shell, it will be executed regardless of whether the user holds the ''execute'' permission for that script.
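
The three invocation paths described above and in the "hashbang" table note, run against a constructed script that has read permission but no execute bit. This is an added example, not part of the article; the function and variable names are hypothetical.

```shell
#!/bin/sh
# Added example. demo_exec_permission and the result variables
# DIRECT_STATUS, ARG_OUTPUT and PIPE_OUTPUT are hypothetical names.
demo_exec_permission() {
    dir=$(mktemp -d) || return 1
    script=$dir/hello.sh
    printf '#!/bin/sh\necho ran\n' > "$script"   # constructed test script
    chmod 644 "$script"                           # readable, not executable

    # 1. Direct invocation goes through the program loader: the exec call
    #    fails with EACCES and the calling shell reports exit status 126.
    DIRECT_STATUS=0
    "$script" >/dev/null 2>&1 || DIRECT_STATUS=$?

    # 2. Script passed as an argument: sh is the program being executed,
    #    and it only needs read permission on the script file.
    ARG_OUTPUT=$(sh "$script")

    # 3. Script piped on standard input: the interpreter never sees the
    #    file's mode at all.
    PIPE_OUTPUT=$(sh < "$script")

    rm -rf "$dir"
}
```

When reviewing file permissions, this means a missing execute bit on a script only blocks the first path; any user who can read the file can still have an interpreter run its contents.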
Although Windows also specifies an ''execute'' permission, none of the Windows-specific shells block script execution if the permission has not been granted.

=== Restricted shell subset ===
Several shells can be started or be configured to start in a mode where only a limited set of commands and actions is available to the user. While not a security ''boundary'' (the command accessing a resource is blocked rather than the resource) this is nevertheless typically used to restrict users' actions before logging in.

A restricted mode is part of the [[POSIX]] specification for shells, and most of the Linux/Unix shells support such a mode where several of the built-in commands are disabled and only external commands from a certain directory can be invoked.<ref>{{cite web |url=http://pwet.fr/man/linux/commandes/posix/sh |title=man sh - shell, the standard command language interpreter / posix |language=fr |publisher=Pwet.fr |access-date=2013-08-18 |archive-url=https://web.archive.org/web/20141221210713/http://pwet.fr/man/linux/commandes/posix/sh |archive-date=21 December 2014 |url-status=dead }}</ref><ref>{{cite web |url=https://www.gnu.org/software/bash/manual/html_node/The-Restricted-Shell.html |title=Bash Reference Manual: The Restricted Shell |publisher=Gnu.org |date=2010-12-28 |access-date=2013-08-18}}</ref>

PowerShell supports restricted modes through ''session configuration files'' or session configurations. A session configuration file can define visible (available) cmdlets, aliases, functions, path providers and more.<ref>{{cite web |url=https://technet.microsoft.com/en-us/library/hh849712.aspx |title=New-PSSessionConfigurationFile |publisher=Technet.microsoft.com |access-date=2013-08-18}}</ref>

=== Safe data subset ===
Scripts that invoke other scripts can be a security risk as they can potentially execute foreign code in the context of the user who launched the initial script.
Scripts will usually be designed to exclusively include scripts from known safe locations; but in some instances, e.g. when offering the user a way to configure the environment or loading localized messages, the script may need to include other scripts/files.<ref>{{cite book |author-last1=Albing |author-first1=Carl |title=Bash cookbook |year=2007 |publisher=[[O'Reilly Media]] |location=Sebastopol, California, USA |isbn=978-0-596-52678-8 |edition=1st |author-last2=Vossen |author-first2=J. P. |author-last3=Newham |author-first3=Cameron |quote=[...] is hardly what one thinks of as a passive list of configured variables. It can run other commands (e.g., cat) and use if statements to vary its choices. It even ends by echoing a message. Be careful when you source something, as it's a wide open door into your script.}}</ref> One way to address this risk is for the shell to offer a safe subset of commands which can be executed by an included script.
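
For the shells marked "No" in the ''Safe data subset'' column, a script can avoid the risk by reading a user-editable settings file as data instead of including it. This is an added example showing that different technique (it is not the shell-provided command subset described above, and not code from the article); <code>load_config</code>, the <code>CFG_*</code> variables and the sample file contents are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example: read a user-editable settings file as data, never as code.
# load_config, write_sample_config and the CFG_* names are hypothetical.

# Constructed sample: two allowed settings (one carrying a command
# substitution as its value), one unknown key, one bare command line.
write_sample_config() {
    cat > "$1" <<'EOF'
# user settings
COLOR=blue
LANG_DIR=$(echo injected)
PATH=/tmp/untrusted
echo injected
EOF
}

load_config() {
    CFG_COLOR= CFG_LANG_DIR= CFG_REJECTED=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;                  # blank line or comment
            *=*) ;;                               # looks like KEY=VALUE
            *) CFG_REJECTED=$((CFG_REJECTED + 1)); continue ;;
        esac
        key=${line%%=*}
        value=${line#*=}
        # Allowlist of keys. The value is stored as a literal string and is
        # never passed to eval, source or an unquoted expansion.
        case $key in
            COLOR)    CFG_COLOR=$value ;;
            LANG_DIR) CFG_LANG_DIR=$value ;;
            *)        CFG_REJECTED=$((CFG_REJECTED + 1)) ;;
        esac
    done < "$1"
}
```

Sourcing the same file would have run both the command substitution and the bare command and replaced <code>PATH</code>; here they are kept as literal text or counted in <code>CFG_REJECTED</code>.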