Merge pull request #3 from h0tw1r3/script-syntax

fix scripts to be posix sh compliant
h0tw1r3 · Apr 22, 2024 · 7b51974 · 7b51974
2 parents a94457b + 001a3ee
commit 7b51974
Show file tree

Hide file tree

Showing 4 changed files with 184 additions and 167 deletions.
diff --git a/.github/workflows/qa.yaml b/.github/workflows/qa.yaml
@@ -0,0 +1,19 @@
+name: "QA"
+
+on:
+ pull_request:
+ branches:
+ - "main"
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: true
+
+jobs:
+ Shellcheck:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v4
+ - uses: reviewdog/action-shellcheck@v1
+ with:
+ check_all_files_with_shebangs: "true"
diff --git a/scripts/shield-trigger b/scripts/shield-trigger
@@ -1,6 +1,7 @@
-#! /bin/sh
+#!/bin/sh
+# shellcheck disable=SC2086
 #
-# shield-trigger
+# shield-trigger
 #
 # pam_shield 0.9.7
 # Copyright (C) 2007-2012 Walter de Jong <walter@heiho.net>
@@ -22,91 +23,90 @@
 #
 
 null_route() {
-#
-# louzy detection of IPv4 or IPv6 address
-#
- TASK="$1"
- INET=`echo "$2" | sed 's/[0-9\.]//g'`
- if [ -z "$INET" ]
- then
- INET=""
- GW="127.0.0.1"
- else
- INET="-f inet6"
- GW="::1"
- fi
-
- if [ -x /sbin/ip ]
- then
- if [ "$TASK" == "show" ]; then
- /sbin/ip $INET route $TASK $2 | read -t 1 -N 1
- if [ $? -eq 0 ]; then
- return
- fi
- TASK="add"
- fi
- /sbin/ip $INET route $TASK blackhole $2 2>/dev/null
- else
- if [ ! -z "$INET" ]
- then
- INET="-A inet6"
- fi
- /sbin/route $INET $TASK -host $2 gw $GW dev lo
- fi
-
-# mail -s "[security] pam_shield blocked $2" root <<EOF
-#Another monkey kept off our backs ...
-#EOF
+ #
+ # louzy detection of IPv4 or IPv6 address
+ #
+ TASK="$1"
+ INET=$(echo "$2" | sed 's/[0-9\.]//g')
+ if [ -z "$INET" ]
+ then
+ INET=""
+ GW="127.0.0.1"
+ else
+ INET="-f inet6"
+ GW="::1"
+ fi
+
+ if [ -x /sbin/ip ]
+ then
+ if [ "$TASK" = "show" ]; then
+ if /sbin/ip $INET route "$TASK" "$2" | read -r _x ; then
+ return
+ fi
+ TASK="add"
+ fi
+ /sbin/ip $INET route "$TASK" blackhole "$2" 2>/dev/null
+ else
+ if [ -n "$INET" ]
+ then
+ INET="-A inet6"
+ fi
+ /sbin/route $INET "$TASK" -host "$2" gw "$GW" dev lo
+ fi
+
+# mail -s "[security] pam_shield blocked $2" root <<EOF
+# Another monkey kept off our backs ...
+# EOF
 }
 
 
 ### usually no editing is needed beyond this point ###
 
 
 usage() {
- echo "shield-trigger"
- echo "usage: ${0##*/} [add|del|sync] <IP number>"
- echo
- echo "shield-trigger is normally called by the pam_shield PAM module"
- exit 1
+ echo "shield-trigger"
+ echo "usage: ${0##*/} [add|del|sync] <IP number>"
+ echo
+ echo "shield-trigger is normally called by the pam_shield PAM module"
+ exit 1
 }
 
 
 PATH=/sbin:/usr/sbin:/bin:/usr/bin
 
 if [ -z "$2" ]
 then
- usage
+ usage
 fi
 
 case "$1" in
- add)
- logger -i -t shield-trigger -p authpriv.info "blocking $2"
+ add)
+ logger -i -t shield-trigger -p authpriv.info "blocking $2"
 
- CMD="add"
- IP=$2
- ;;
+ CMD="add"
+ IP=$2
+ ;;
 
- del)
- logger -i -t shield-trigger -p authpriv.info "unblocking $2"
+ del)
+ logger -i -t shield-trigger -p authpriv.info "unblocking $2"
 
- CMD="del"
- IP=$2
- ;;
+ CMD="del"
+ IP=$2
+ ;;
 
- sync)
- logger -i -t shield-trigger -p authpriv.info "sync $2"
- CMD="show"
- IP=$2
- ;;
+ sync)
+ logger -i -t shield-trigger -p authpriv.info "sync $2"
+ CMD="show"
+ IP=$2
+ ;;
 
- *)
- usage
- ;;
+ *)
+ usage
+ ;;
 esac
 
 null_route "$CMD" "$IP"
 
-exit 0 # make pam_shield happy
+exit 0 # make pam_shield happy
 
 # EOB
diff --git a/scripts/shield-trigger-iptables b/scripts/shield-trigger-iptables
@@ -1,6 +1,6 @@
-#! /bin/sh
+#!/bin/sh
 #
-# shield-trigger-iptables
+# shield-trigger-iptables
 #
 # pam_shield 0.9.7
 # Copyright (C) 2007-2012 Walter de Jong <walter@heiho.net>
@@ -22,106 +22,104 @@
 #
 
 run_iptables() {
-#
-# louzy detection of IPv4 or IPv6 address
-#
- IPT=`echo "$2" | sed 's/[0-9\.]//g'`
- if [ -z "$IPT" ]
- then
- IPT=iptables
- else
- IPT=ip6tables
- fi
-
-# switch -A for iptables to -I
- if [ "$1" == "-A" ]
- then
- TASK="-I"
- else
- TASK=$1
- fi
-
-# check to see if pam_shield chain exists and create if necessary
- CHAIN_TEST=`$IPT -L pam_shield 2>/dev/null`
- if [ -z "$CHAIN_TEST" ]
- then
- "$IPT" -N pam_shield
- "$IPT" -I pam_shield -j DROP
- if [ "$TASK" == "-D" ]; then
- return
- fi
- fi
+ #
+ # louzy detection of IPv4 or IPv6 address
+ #
+ IPT=$(echo "$2" | sed 's/[0-9\.]//g')
+ if [ -z "$IPT" ]
+ then
+ IPT=iptables
+ else
+ IPT=ip6tables
+ fi
+
+# switch -A for iptables to -I
+if [ "$1" = "-A" ]
+then
+ TASK="-I"
+else
+ TASK=$1
+fi
+
+# check to see if pam_shield chain exists and create if necessary
+CHAIN_TEST=$($IPT -L pam_shield 2>/dev/null)
+if [ -z "$CHAIN_TEST" ]
+then
+ "$IPT" -N pam_shield
+ "$IPT" -I pam_shield -j DROP
+ if [ "$TASK" = "-D" ]; then
+ return
+ fi
+fi
 
 #
-# CUSTOMIZE THIS RULE if you want to
+# CUSTOMIZE THIS RULE if you want to
 #
-# $TASK is the iptables command: -A/-I or -D
-# $2 is the IP number
+# $TASK is the iptables command: -A/-I or -D
+# $2 is the IP number
 #
-# * put in the correct chain name (pam_shield or INPUT)
-# * put in the correct network interface name (e.g. -i eth0)
-#  Currently blocks on all interfaces
-# * put in a port number (e.g.--destination-port 22 for ssh only) 
-#  Currently blocks all ports
-# * add additional rules for additional services as needed
+# * put in the correct chain name (pam_shield or INPUT)
+# * put in the correct network interface name (e.g. -i eth0)
+# Currently blocks on all interfaces
+# * put in a port number (e.g.--destination-port 22 for ssh only) 
+# Currently blocks all ports
+# * add additional rules for additional services as needed
 #
 
- "$IPT" "$TASK" INPUT -p tcp -s "$2" -j pam_shield
-
- if [ $? -ne 0 ]; then
- if [ "$TASK" == "-C" ]; then
- run_iptables "-I" "$2"
- fi
- fi
+if ! "$IPT" "$TASK" INPUT -p tcp -s "$2" -j pam_shield ; then
+ if [ "$TASK" = "-C" ]; then
+ run_iptables "-I" "$2"
+ fi
+fi
 
-# mail -s "[security] pam_shield blocked $2" root <<EOF
-#Another monkey kept off our backs ...
-#EOF
+# mail -s "[security] pam_shield blocked $2" root <<EOF
+# Another monkey kept off our backs ...
+# EOF
 }
 
 
 ### usually no editing is needed beyond this point ###
 
 
 usage() {
- echo "shield-trigger-iptables"
- echo "usage: ${0##*/} [add|del|sync] <IP number>"
- echo
- echo "shield-trigger-iptables is normally called by the pam_shield PAM module"
- exit 1
+ echo "shield-trigger-iptables"
+ echo "usage: ${0##*/} [add|del|sync] <IP number>"
+ echo
+ echo "shield-trigger-iptables is normally called by the pam_shield PAM module"
+ exit 1
 }
 
 
 PATH=/sbin:/usr/sbin:/bin:/usr/bin
 
 if [ -z "$2" ]
 then
- usage
+ usage
 fi
 
 case "$1" in
- add)
- logger -i -t shield-trigger -p authpriv.info "blocking $2"
-
- CMD="-A"
- IP=$2
- ;;
-
- del)
- logger -i -t shield-trigger -p authpriv.info "unblocking $2"
-
- CMD="-D"
- IP=$2
- ;;
-
- sync)
- logger -i -t shield-trigger -p authpriv.info "sync $2"
- CMD="-C"
- IP=$2
- ;;
- *)
- usage
- ;;
+ add)
+ logger -i -t shield-trigger -p authpriv.info "blocking $2"
+
+ CMD="-A"
+ IP=$2
+ ;;
+
+ del)
+ logger -i -t shield-trigger -p authpriv.info "unblocking $2"
+
+ CMD="-D"
+ IP=$2
+ ;;
+
+ sync)
+ logger -i -t shield-trigger -p authpriv.info "sync $2"
+ CMD="-C"
+ IP=$2
+ ;;
+ *)
+ usage
+ ;;
 esac
 
 run_iptables "$CMD" "$IP"