views: 177
answers: 3

I searched google but couldn't find an answer to this rather simple question. I have a python script that has the hash-bang (#!) on the first line:

#!/usr/bin/python

However, what if this is run on a computer with python in /bin/python or /usr/local/bin/python, or some other place? There has to be a better way to set the interpreter for a shell script. It should be possible to set it via $PATH, as that will know where to find python if it's installed on the system.

+9  A: 

Use env.

#!/usr/bin/env python

It's not bulletproof, but it covers more cases than /usr/bin/python.

Phil
I did not know env did that! But, this is a minor security risk -- a malicious user may place their own binary code in ./python and execute actions as the target user whenever a user who has "." in their $PATH runs a Python script with this hash-bang line.
j_random_hacker
Searching PATH for your binaries is normal. The problem in your scenario is that the user has "." in their path, not that they are using the shell's built-in PATH to run commands.
Phil
@Phil: In principle I agree that the problem is with the $PATH, but in practice, if users commonly make this mistake then it's to some extent irresponsible to ignore it.
j_random_hacker
I'm sorry, that's just simply incorrect. The fundamental problem with the situation you describe is that the user has "." in their PATH. That opens up security vulnerabilities. What you're saying is that we should never run commands without using the full path, use system libraries etc. etc.
Phil
In a world of ideal security, that's right, you wouldn't use $PATH at all -- but in the real world $PATH's just too convenient to pass up. Interesting that you mention system libraries -- $LD_LIBRARY_PATH has been a notorious rootkit attack vector.
j_random_hacker
Your comment was meant to highlight a security risk in what I've posted. The security risk is not directly related to the answer; it's related to the shell environment, in which case running any command could potentially cause a security risk, hence its irrelevance.
Phil
No. Suppose the script is a CGI script or will be run as a cron job. "#!/usr/bin/env python" creates a (minor) security risk; "#!/usr/bin/python" does not. I say "minor" because an attacker can only gain the privileges of the user running the script, not root.
j_random_hacker
That is akin to saying that a particular car has poor security, because if you leave the window open, someone can steal your belongings. This is where I bow out, we're going around in circles.
Phil
Yes that's a pretty good analogy! I would say that a car with windows that can't be wound down is more secure (though a pain to use). Anyway, "." in $PATH is not something I lose sleep over, I'll be using your env trick in future.
j_random_hacker
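To make the env lookup and the "." in $PATH concern discussed above concrete, here is an added POSIX sh example (not code from the question or any answer): it mimics how env(1) walks PATH to find an interpreter, flags PATH entries that would let a file in the current directory be picked up, and builds a sanitized PATH with those entries dropped. Function names and the PATH strings passed to them are assumptions for illustration.

```sh
#!/bin/sh
# Added example, not from the original thread.

# resolve_like_env NAME PATHVALUE: print the first executable NAME found
# walking PATHVALUE left to right, the way "#!/usr/bin/env NAME" does.
# Returns 1 if nothing matches.
resolve_like_env() {
    rl_name=$1; rl_oldifs=$IFS; IFS=:
    for rl_dir in $2; do
        [ -z "$rl_dir" ] && rl_dir=.        # an empty entry means "."
        if [ -f "$rl_dir/$rl_name" ] && [ -x "$rl_dir/$rl_name" ]; then
            IFS=$rl_oldifs
            printf '%s\n' "$rl_dir/$rl_name"
            return 0
        fi
    done
    IFS=$rl_oldifs
    return 1
}

# audit_path PATHVALUE: print one line per entry that resolves relative to
# the current directory (".", "", or any other relative path).
# Returns 0 when every entry is absolute, 1 otherwise.
audit_path() {
    ap_bad=0; ap_oldifs=$IFS; IFS=:
    for ap_dir in $1; do
        case $ap_dir in
            "")    printf 'empty entry (current directory)\n'; ap_bad=1 ;;
            .|./*) printf '%s: current directory\n' "$ap_dir"; ap_bad=1 ;;
            /*)    ;;                              # absolute: fine
            *)     printf '%s: relative entry\n' "$ap_dir"; ap_bad=1 ;;
        esac
    done
    IFS=$ap_oldifs
    return $ap_bad
}

# sanitized_path PATHVALUE: print PATHVALUE with every non-absolute
# entry removed, suitable for exporting before running cron or CGI jobs.
sanitized_path() {
    sp_out=; sp_oldifs=$IFS; IFS=:
    for sp_dir in $1; do
        case $sp_dir in
            /*) sp_out=${sp_out:+$sp_out:}$sp_dir ;;
        esac
    done
    IFS=$sp_oldifs
    printf '%s\n' "$sp_out"
}
```

Run `audit_path "$PATH"` to see whether your own environment would let `#!/usr/bin/env python` pick up a `python` file from the working directory.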
+3  A: 

Use

#!/usr/bin/env python

env is virtually always in /usr/bin, and will execute any program in the PATH.

phihag
+2  A: 

Some people prefer to start with:

#!/usr/bin/env python

Not sure that this is a vast improvement as you're now assuming that python is in the path and that it's the right version, but it's an option.

Stephen Darlington