Join Log in
Score:0
Thomas Aichinger avatar Ubuntu

incron and files with round brackets

cn flag
Thomas Aichinger

I have installed incron and the following incrontab.

/inputdir IN_ALL_EVENTS /root/jobs/monitor $@ $% $#

Here is the monitor script that is called on all events.

!/bin/bash
#
LOG=/var/log/incron.log
TS="$(date '+%Y-%m-%d %H:%M:%S')"

# $1 - monitored dir
# $2 - action
# $3 - file in action
#
echo -e "${TS}  ${1} : ${2} : ${3}" >> ${LOG}

As soon as I copy a file to /inputdir I get a log entry in incron.log. This is the expected behavior.

But if I copy a file with round brackets e.g. test(1).pdf nothing happens. Altough there is an entry in journald monitor script is not called and I dont have an entry in my incron.log.

I think this is an error. Has anyone an idea how to fix that?

22
1 + 0
Score:1
muru avatar Ubuntu
us flag
muru

I had a look at the code, and the way incron works is:

  1. Escape spaces and backslashes in the filename (IncronTabEntry::GetSafePath
  2. Substitute the directory name, filename, etc. in the command line
  3. Run the processed command line using either /bin/sh -c (using system() for the root user) or /bin/bash -c (for normal users - UserTable::RunAsUser)

In neither case is ( or ) safe to pass unescaped. (And not just these, but other special characters like ;, *, [/], &&, $( ... ), etc.) This is a command injection vulnerability waiting to be exploited. See, e.g., this Unix & Linux post or this one for the pitfalls in embedding filenames directly into shell command strings. Arch Linux has a patch expanding the set of characters that are escaped which will solve your particular problem since it includes ( and ), but still misses out on *, ;, |, etc.

You can work around this somewhat by trying to quote the command line in the incrontab:

/inputdir IN_ALL_EVENTS /root/jobs/monitor '$@' $% '$#'

But this will still fail for filenames with ' in them. All you can really do is file a bug report asking for more escaping, or ask them to use execve and family to run the command directly instead of using system() or running /bin/bash -c '...'. The problem then is that they will have to parse the command line differently, splitting it into words, and implement an escaping mechanism, etc.

+ 0
ธงชาติไทย
Elon Musk
I sit in a Tesla and translated this thread with Ai:

mangohost

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.