XYMer's Home away from Home

When http://bbs.xlr8yourmac.com is down (i.e. always)
 Post subject: shell script won't run
PostPosted: Thu Nov 29, 2018 8:27 am 

Joined: Sat Apr 11, 2009 2:15 pm
Posts: 6304
Location: NYC
Got the following message from Sophos
Attachment: Sophos Permissions warning.png


Next up, from the following article:
https://community.sophos.com/kb/en-us/131959

Checked permissions of /, /Library and /Library/Application\ Support. Did find an error in permissions of / which I corrected (happened perhaps due to last security update for 10.12, which has been noted elsewhere for its weirdness.)

So all that's good now, but have been trying to run the script they suggest in that article. Have saved it both in TextEdit and TextWrangler (saves it as .sh by default) as an executable with chmod 700. Sophos suggests to run it with ./<name of script>

Script as it originally appears in that article:

#!/bin/bash
# see KBA 131749 (https://community.sophos.com/kb/en-us/131749)
test_directories=(/ '/Library/' '/Library/Caches/' '/Library/Application Support/')
root_owner='d[rwxsStT\-]{9}[^0-9]*[0-9]+ (0) .*'
not_group_or_other_writeable='d[rwxsS\-]{3}[r\-](-)[xsS\-][r\-](-).*'
result=0
for directory in "${test_directories[@]}"; do
    dir_ls=`ls -ldn "$directory"`
    if ! ( ( [[ $dir_ls =~ $not_group_or_other_writeable ]] || test -k "$directory" ) && [[ $dir_ls =~ $root_owner ]] ); then
        echo 'BAD PERMISSIONS ' 'ls -ld' "$directory"
        result=$(expr $result + 1)
    fi
done
exit $result



Now that permissions for the root folder have been corrected, I'm no longer concerned (besides, according to Patrick Wardle, who discovered it, the vulnerability is only supposed to be present when the Sophos installer runs--not the case here, since I've had this for years), but do want to figure out why the damn script won't execute properly.

No matter how I try to run it, keep getting any 4 of the following (script is named "sophos"):


(Here nothing happens. Just get new prompt. Is the output going somewhere else? Have checked Console, and Users, but find nothing there. Shouldn't think so, as I assume it would take some time to finish, and I get the new prompt immediately.)

Last login: Thu Nov 29 10:50:24 on ttys000
XX:~ xx$ cd ~/Desktop
XX:Desktop xx$ ./sophos
XX:Desktop xx$


Or as admin, with sudo

XX:~ xxx2$ sudo cd /Users/xx/Desktop
XX:~ xx2$ ./sophos
-bash: ./sophos: No such file or directory


Or if I simply drag it in to the Terminal window, or double click it where it is on the Desktop:

XX:~xx$ /Users/xx/Desktop/sophos ; exit;
logout
Saving session...
...copying shared history...
...saving history...truncating history files...
...completed.

[Process completed]


Or I get something along the lines of /bin/bash is a directory

EDIT: shouldn't /Library/Application Support appear in script as /Library/Application\ Support? Or does the enclosing parenthesis take care of that?

Also someone HERE is suggesting that the script as written contains
errors, and offers corrections. Have tried it both ways.


PostPosted: Thu Nov 29, 2018 12:15 pm

Joined: Thu May 15, 2008 8:13 pm
Posts: 10197
Location: Caught between the moon and NYC
They put $directory in quotes so \ won't work and the normal space will. You use \ when you don't use quotes.

Technically \ is an escape character which basically tells bash to treat the space as a space, which quotes also do for all spaces inside the quotes.

If you have more than two spaces it's shorter to just use quotes to enclose everything, although command completion (using tab in Terminal to fill out the rest of a path or filename) uses \ so I personally don't use quotes day to day.

What if you chmod +x ./sophos? Although given the directories involved I think you should sudo ./sophos so it has administrative privileges. The shell script looks okay to me at first glance but I'm coming down with something so maybe my foggy head is foggier than it's letting on.


PostPosted: Thu Nov 29, 2018 2:28 pm

Joined: Sat Apr 11, 2009 2:15 pm
Posts: 6304
Location: NYC
Hadn't screwed around with anything Unix in some time. Forgot all about using quotes to escape characters. Besides, noticed the parenthesis, but not the quotes.

Decided to try running it directly in admin account, instead of su-ing to admin from the standard. Basically same result:

XX:Desktop xxx$ sudo ./sophos
sudo: unable to execute ./sophos: No such file or directory

XX:~ xxx$ /Users/xxx/Desktop/sophos ; exit;
-bash: /Users/xxx/Desktop/sophos: /bin/bash
#: bad interpreter: No such file or directory
logout
Saving session...
...copying shared history...
...saving history...truncating history files...
...completed.
Deleting expired sessions...none found.

[Process completed]


I'm completely at a loss. Have tried everything I can think of except standing on my head. Problem doesn't seem to be with the script itself or syntax, but with the execution.
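
An added diagnostic, not part of the original post: `/bin/bash`, a line break, then `#: bad interpreter` is the form this message takes when the `#!` line ends in a carriage return instead of a line feed, so the kernel looks for an interpreter whose name includes that byte and reports "No such file or directory" even though /bin/bash exists. Whether that was the cause on this Mac is an assumption; the function names are hypothetical.

```shell
#!/bin/sh
# Added diagnostic (not from the thread). Function names are hypothetical.
CR=$(printf '\r')
TAB=$(printf '\t')

line_endings() {
    # Classify a file by counting its LF and CR bytes.
    local lf cr
    lf=$(LC_ALL=C tr -cd '\n' < "$1" | wc -c | tr -d ' ')
    cr=$(LC_ALL=C tr -cd '\r' < "$1" | wc -c | tr -d ' ')
    if [ "$cr" -eq 0 ]; then echo LF
    elif [ "$lf" -eq 0 ]; then echo CR      # classic Mac endings: the file is one long line
    else echo CRLF                          # DOS endings, or a mix
    fi
}

shebang_interpreter() {
    # Print the interpreter word from the #! line: the text after "#!" up to
    # the first space or tab. A carriage return does not end the word.
    local first interp rest
    first=$(LC_ALL=C head -c 256 "$1" | head -n 1)
    case $first in '#!'*) ;; *) return 1 ;; esac
    IFS=" $TAB" read -r interp rest <<EOF
${first#??}
EOF
    printf '%s' "$interp"
}

diagnose_script() {
    local interp
    interp=$(shebang_interpreter "$1") || { echo "no #! line"; return 0; }
    case $interp in
        *"$CR"*) echo "carriage return in interpreter path ($(line_endings "$1") line endings)" ;;
        *) if [ -x "$interp" ]; then echo "ok: $interp"
           else echo "interpreter not found: $interp"; fi ;;
    esac
}

# Usage: sh shebang-check.sh ~/Desktop/sophos
if [ "$#" -gt 0 ]; then diagnose_script "$1"; fi
```

For a file reported as CR, `tr '\r' '\n' < sophos > sophos.fixed` rewrites the line endings; for CRLF, `tr -d '\r'` does.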


PostPosted: Fri Nov 30, 2018 6:14 pm

Joined: Thu May 15, 2008 8:13 pm
Posts: 10197
Location: Caught between the moon and NYC
Try sudo /Users/xxx/Desktop/sophos and tab-complete the sophos to make sure it doesn't have any funny characters in it.

Though based on the second error it sounds like /bin/bash isn't present.

I generally like to give all my shell scripts .sh but that's just me being fussy; I doubt anything like that is remotely needed here.

I'm still descending into illness so I don't have much insight tonight I'm afraid. I'm going to pick up some cold/flu medicine on the way home from work and then crawl into bed for a long rest. I normally have it but the last time I got sick I used it up, and as usual the cold/cough stuff isn't helping.


PostPosted: Fri Nov 30, 2018 6:53 pm

Joined: Thu May 15, 2008 8:07 pm
Posts: 2591
Location: Inside Flatus Maximus
Or you could do it the easy way and type sudo followed by one space, then drag the shell script to your Terminal window and it'll automagically fill out the name for you without any muss or fuss. Then just hit Enter and put in your administrator password to give it a try.

Drag and drop is a lifesaver with Terminal.

_________________
Official Mac Tech Support Forum Cookie™ (Mint Chocolate Chip)
Guaranteed tasty; Potentially volatile when dipped in WWIII Forum Syrup®
Caution: This cookie bites back.


PostPosted: Sat Dec 01, 2018 8:55 am

Joined: Sat Apr 11, 2009 2:15 pm
Posts: 6304
Location: NYC
ST, have already tried that (and every other variation I can think of), but gave it another shot just now in case:

XX:~ xx2$ sudo /Users/xx/Desktop/sophos
sudo: unable to execute /Users/xx/Desktop/sophos: No such file or directory


Or, after sudo cding to the Desktop and enter either name of script, or just drag it in, get "no such file or directory." And even tried running the script with SIP disabled--no dice there either.

Btw, definitely have /bin/bash/

Think I'm throwing in the towel, unless perhaps someone here out of curiosity wants to see if it will somehow execute for them.*

Not at all critical, since I've already manually inspected those directories. I'm running 10.12, but any OS will do. Just would like to know what's preventing it from executing here.

But in case, here it is again (no need to have Sophos installed):

Code:
#! /bin/bash
# see KBA 131749 (https://community.sophos.com/kb/en-us/131749)
test_directories=(/ '/Library/' '/Library/Caches/' '/Library/Application Support/')
root_owner='d[rwxsStT\-]{9}[^0-9]*[0-9]+ (0) .*'
not_group_or_other_writeable='d[rwxsS\-]{3}[r\-](-)[xsS\-][r\-](-).*'
result=0
for directory in "${test_directories[@]}"; do
    dir_ls=`ls -ldn "$directory"`
    if ! ( ( [[ $dir_ls =~ $not_group_or_other_writeable ]] || test -k "$directory" ) && [[ $dir_ls =~ $root_owner ]] ); then
        echo 'BAD PERMISSIONS ' 'ls -ld' "$directory"
        result=$(expr $result + 1)
    fi
done
exit $result


*UNEXPECTED BONUS for the first 100 who successfully execute the script (with irrefutable evidence attached of having done so), a once in a lifetime chance to enter the mystery raffle.


PostPosted: Sat Dec 01, 2018 3:21 pm

Joined: Sat Apr 11, 2009 2:15 pm
Posts: 6304
Location: NYC
Eureka!! Booted to an older 10.11 volume, no longer used, ran the script (sudo /Users/xx/Desktop/sophos.sh -- just dragged it in and hit enter) with the result: BAD PERMISSIONS ls -ld /

(Note: created the file with TextWrangler, which automatically assigned the .sh extension. Didn't try with plain text file from TextEdit with no .sh file extension.)

So, what's been driving me NUTS all this time, is that when nothing happened it meant that there were no permissions errors for any of those directories in my 10.12--would have been nice if Sophos had entered that somewhere in the script to echo, or at least in the related article explained that there would only be output IF there were any errors found (had already found and corrected that error for the 10.12, which explains why nothing happens when I run that script)--of course, doesn't explain all the other nonsense I encountered. Using sudo <path to file.sh> it worked immediately. Article suggests using ./<name of script>, which never worked properly.

And I suppose I should have inspected that script more carefully to see that the only output would be if an error was found, but nothing otherwise.

Not going to bother fixing the wrong permissions for / in that EC volume, since I never boot to it, and if I do it's air gapped.
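
An added variant of the check, not the Sophos script and not part of the original post: it applies the same rule the script above encodes (owned by uid 0, and writable by group or other only when the sticky bit is set) but prints a verdict for every directory, so a clean run can be told apart from a script that never ran. The names check_dir, audit_dirs and WANT_UID are hypothetical.

```shell
#!/bin/sh
# Added example (not the Sophos script). check_dir, audit_dirs and WANT_UID
# are hypothetical names.
check_dir() {
    # $1 = directory, $2 = uid that must own it (default 0, i.e. root)
    local dir="$1" want_uid="${2:-0}" line mode uid why=""
    line=$(ls -ldn "$dir" 2>/dev/null) || { echo "MISSING $dir"; return 2; }
    set -f; set -- $line; set +f          # split the ls fields without globbing
    mode=$1; uid=$3
    [ "$uid" = "$want_uid" ] || why="owner uid $uid, expected $want_uid"
    case $mode in
        d????????[tT]*) ;;                # sticky bit set: shared write access is allowed
        d????w*|d???????w*) why="${why:+$why; }writable by group or other" ;;
        d*) ;;
        *) why="${why:+$why; }not a directory" ;;
    esac
    if [ -z "$why" ]; then echo "OK   $mode $dir"; return 0; fi
    echo "BAD  $mode $dir ($why)"; return 1
}

audit_dirs() {
    # Check every argument and end with a summary line, so a clean run still prints something.
    local bad=0 dir
    for dir in "$@"; do
        check_dir "$dir" "${WANT_UID:-0}" || bad=$((bad + 1))
    done
    echo "$bad of $# directories failed the check"
    return "$bad"
}

# Usage: sh audit.sh / /Library /Library/Caches "/Library/Application Support"
if [ "$#" -gt 0 ]; then audit_dirs "$@"; fi
```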


PostPosted: Sat Dec 01, 2018 8:29 pm

Joined: Thu May 15, 2008 8:13 pm
Posts: 10197
Location: Caught between the moon and NYC
This is me being sick and woozy but in your earlier examples I think you showed /sophos and in the working example it shows /sophos.sh

I suppose it's possible their root protection thing is interfering under 10.12+


PostPosted: Sat Dec 01, 2018 10:54 pm

Joined: Sat Apr 11, 2009 2:15 pm
Posts: 6304
Location: NYC
MonkeyBoy wrote:
This is me being sick and woozy but in your earlier examples I think you showed /sophos and in the working example it shows /sophos.sh

I suppose it's possible their root protection thing is interfering under 10.12+


Thought about that, why I tried with SIP disabled, but made no difference.

I tried it so many different ways, a number of times it ran without complaining, but it just immediately went to a new prompt without a word of output, which I mistakenly assumed meant it hadn't run at all.

Now I know that when it went immediately to a new prompt, it had actually run fully, but had nothing to report. Didn't understand that the only output it could produce was BAD if bad but nothing if OK.

The error it found in the 10.11 was the same one I found and set right in the 10.12 prior to running the script. (Wonder how that got there in the first place?) Had I run the script before making the correction (chmod 755 /), it would have found "bad permissions" in the 10.12 as well -- at least if I had run it the same way I eventually did for the 10.11. (For ./<name of script> kept saying "no such command")


PostPosted: Sun Dec 02, 2018 12:25 am

Joined: Thu May 15, 2008 8:07 pm
Posts: 2591
Location: Inside Flatus Maximus
The issue you're having appears to deal with Apple's new Secure Boot (Secure Installation) requirements. The actual enforcement of secure boot only affects Macs that shipped with a T2 security chip installed (that's an ARM processor). Sophos is merely being proactive and preventing installs (at least easy installs) on systems that don't have the secure boot/installation permissions on the required directories. My own system lacks proper directory permissions on root ( / ), so I'd get the same issue you're getting with Sophos.

PostPosted: Sun Dec 02, 2018 4:59 am

Joined: Sat Apr 11, 2009 2:15 pm
Posts: 6304
Location: NYC
Squishy Tia wrote:
The issue you're having appears to deal with Apple's new Secure Boot (Secure Installation) requirements. The actual enforcement of secure boot only affects Macs that shipped with a T2 security chip installed (that's an ARM processor). Sophos is merely being proactive and preventing installs (at least easy installs) on systems that don't have the secure boot/installation permissions on the required directories. My own system lacks proper directory permissions on root ( / ), so I'd get the same issue you're getting with Sophos.

Interesting, didn't know about that. Sophos doesn't seem to be in any particular rush, as they say that these messages about insecure permissions will recur every 2 weeks, and maybe at some point in the future, those with still insecure permissions will receive no further updates. This vulnerability appears to be low risk -- first discovered by Patrick Wardle back in 2017. Took them some time to do anything about it. As mentioned at the outset, I think the exploit can only occur during the Sophos installation. Sophos doesn't say anything about having seen this in the wild. Like most vulns, it's an obscure PoC. And it would never have any effect on either of my Macs, which are both '10s.

Also curious that the permissions for root were already set correctly at the Mini, but not the iMac. Both running 10.12.6, with latest sec update applied.

