From ae510203a2833bedbf0498091aea0022f6a2d2b5 Mon Sep 17 00:00:00 2001 From: Jeffrey Clark Date: Sun, 21 Apr 2024 20:07:24 -0500 Subject: [PATCH 1/3] fix scripts to be posix sh compliant --- scripts/shield-trigger | 14 +++++++------- scripts/shield-trigger-iptables | 14 ++++++-------- scripts/shield-trigger-ufw | 4 ++-- 3 files changed, 15 insertions(+), 17 deletions(-) diff --git a/scripts/shield-trigger b/scripts/shield-trigger index 8823149..71f3418 100755 --- a/scripts/shield-trigger +++ b/scripts/shield-trigger @@ -1,4 +1,5 @@ #! /bin/sh +# shellcheck disable=SC2086 # # shield-trigger # @@ -26,7 +27,7 @@ null_route() { # louzy detection of IPv4 or IPv6 address # TASK="$1" - INET=`echo "$2" | sed 's/[0-9\.]//g'` + INET=$(echo "$2" | sed 's/[0-9\.]//g') if [ -z "$INET" ] then INET="" @@ -38,20 +39,19 @@ null_route() { if [ -x /sbin/ip ] then - if [ "$TASK" == "show" ]; then - /sbin/ip $INET route $TASK $2 | read -t 1 -N 1 - if [ $? -eq 0 ]; then + if [ "$TASK" = "show" ]; then + if /sbin/ip $INET route "$TASK" "$2" | read -r _x ; then return fi TASK="add" fi - /sbin/ip $INET route $TASK blackhole $2 2>/dev/null + /sbin/ip $INET route "$TASK" blackhole "$2" 2>/dev/null else - if [ ! -z "$INET" ] + if [ -n "$INET" ] then INET="-A inet6" fi - /sbin/route $INET $TASK -host $2 gw $GW dev lo + /sbin/route $INET "$TASK" -host "$2" gw "$GW" dev lo fi # mail -s "[security] pam_shield blocked $2" root </dev/null` + CHAIN_TEST=$($IPT -L pam_shield 2>/dev/null) if [ -z "$CHAIN_TEST" ] then "$IPT" -N pam_shield "$IPT" -I pam_shield -j DROP - if [ "$TASK" == "-D" ]; then + if [ "$TASK" = "-D" ]; then return fi fi @@ -66,10 +66,8 @@ run_iptables() { # * add additional rules for additional services as needed # - "$IPT" "$TASK" INPUT -p tcp -s "$2" -j pam_shield - - if [ $? -ne 0 ]; then - if [ "$TASK" == "-C" ]; then + if ! "$IPT" "$TASK" INPUT -p tcp -s "$2" -j pam_shield ; then + if [ "$TASK" = "-C" ]; then run_iptables "-I" "$2" fi fi 
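Review bot: The new `# shellcheck disable=SC2086` on line 2 of scripts/shield-trigger is file-wide, so it also silences unquoted uses of `$2` (the address handed in by pam_shield) and `$GW` anywhere in the script, including any future edit; the only expansion that genuinely needs word-splitting is `$INET`, which carries `-f inet6` / `-A inet6` in the third hunk. Scope the directive to those two lines instead: `# shellcheck disable=SC2086  # $INET is intentionally word-split (-f inet6 / -A inet6)` immediately above `/sbin/ip $INET route ...` and above `/sbin/route $INET ...`, and drop the file-level line. The per-line form also documents why the expansion is unquoted, which the file-level line does not.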
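Review bot: `INET=$(echo "$2" | sed 's/[0-9\.]//g')` still passes the pam_shield-supplied address through `echo`, whose treatment of a leading `-n`/`-e` and of backslash escapes differs between POSIX sh implementations (dash interprets escapes, bash does not), which is exactly the portability this commit targets; `INET=$(printf '%s\n' "$2" | sed 's/[0-9.]//g')` behaves the same under every sh (inside a bracket expression the backslash is itself a literal, so `[0-9\.]` also strips backslashes, harmless but unintended). The family detection itself — anything not made only of digits and dots is treated as IPv6 — is pre-existing and unchanged here. null_route starts before this hunk and continues after it.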
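Review bot: `/sbin/ip $INET route "$TASK" blackhole "$2" 2>/dev/null` discards both stderr and the exit status, and the script later exits 0 unconditionally, so a block that `ip` refuses (malformed address, RTNETLINK error, missing capability) leaves no trace while the `logger ... "blocking $2"` entry written earlier claims the address was blocked. Keep the `2>/dev/null` if the noise matters but record the outcome: `/sbin/ip $INET route "$TASK" blackhole "$2" 2>/dev/null || logger -i -t shield-trigger -p authpriv.warning "ip route $TASK blackhole $2 failed"`. The same holds for the `show` branch: any `ip` failure produces empty stdout, `read -r _x` then fails, and the code falls through to `add` as if the route were simply absent. The net-tools fallback also receives `"$TASK"` unchanged, i.e. `show` on sync, which I do not believe `route` accepts as a verb — worth confirming. null_route begins before this hunk and its closing brace is after it.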
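Review bot: In scripts/shield-trigger-iptables, `if ! "$IPT" "$TASK" INPUT -p tcp -s "$2" -j pam_shield ; then` only acts on failure when `$TASK` is `-C`; a failed `-I` (block) or `-D` (unblock) falls through silently, and because the `if` body then runs nothing the function — and with it the script, which ends on this call — returns 0, so pam_shield sees success for an address that was never blocked. Add an explicit branch so the failure is at least logged: `else` / `logger -i -t shield-trigger -p authpriv.warning "$IPT $TASK failed for $2"` after the `run_iptables "-I" "$2"` / `fi` pair, inside the outer `if`. run_iptables begins before this hunk.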
diff --git a/scripts/shield-trigger-ufw b/scripts/shield-trigger-ufw index f8b45f6..fb80f2c 100755 --- a/scripts/shield-trigger-ufw +++ b/scripts/shield-trigger-ufw @@ -40,7 +40,7 @@ fi case "$1" in add) logger -i -t shield-trigger-ufw -p authpriv.info "blocking $2" - ufw insert 1 deny from $2 + ufw insert 1 deny from "$2" # mail -s "[security] pam_shield blocked $2" root < Date: Sun, 21 Apr 2024 20:15:22 -0500 Subject: [PATCH 2/3] add qa workflow shellcheck --- .github/workflows/qa.yaml | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) create mode 100644 .github/workflows/qa.yaml diff --git a/.github/workflows/qa.yaml b/.github/workflows/qa.yaml new file mode 100644 index 0000000..6352cf8 --- /dev/null +++ b/.github/workflows/qa.yaml @@ -0,0 +1,19 @@ +name: "QA" + +on: + pull_request: + branches: + - "main" + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +jobs: + Shellcheck: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - uses: reviewdog/action-shellcheck@v1 + with: + check_all_files_with_shebangs: "true" From 001a3ee105fc6ff04fd54a0962a49eaba824e1bd Mon Sep 17 00:00:00 2001 From: Jeffrey Clark Date: Sun, 21 Apr 2024 20:20:28 -0500 Subject: [PATCH 3/3] no changes, reformat --- scripts/shield-trigger | 122 ++++++++++++------------- scripts/shield-trigger-iptables | 152 ++++++++++++++++---------------- scripts/shield-trigger-ufw | 54 ++++++------ 3 files changed, 164 insertions(+), 164 deletions(-) diff --git a/scripts/shield-trigger b/scripts/shield-trigger index 71f3418..9aed262 100755 --- a/scripts/shield-trigger +++ b/scripts/shield-trigger @@ -1,7 +1,7 @@ -#! /bin/sh +#!/bin/sh # shellcheck disable=SC2086 # -# shield-trigger +# shield-trigger # # pam_shield 0.9.7 # Copyright (C) 2007-2012 Walter de Jong 
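Review bot: The new .github/workflows/qa.yaml runs with the default GITHUB_TOKEN permissions and references both actions by mutable major tags (`actions/checkout@v4`, `reviewdog/action-shellcheck@v1`), so a retagged or compromised action release inherits whatever the repository's default token scope allows. Add a top-level `permissions:` block with `contents: read` (plus the single write scope reviewdog's reporter needs to post annotations — confirm against its documentation rather than granting more) and pin each `uses:` to a full commit SHA with the tag kept as a trailing comment, e.g. `uses: actions/checkout@<commit-sha> # v4`. Separately, if I recall the action's defaults, `fail_on_error` is off, so the job annotates findings but stays green and would not block a PR that reintroduces the bashisms patch 1 removed; setting `fail_on_error: "true"` under `with:` makes the QA gate actually gate.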
@@ -23,40 +23,40 @@ # null_route() { -# -# louzy detection of IPv4 or IPv6 address -# - TASK="$1" - INET=$(echo "$2" | sed 's/[0-9\.]//g') - if [ -z "$INET" ] - then - INET="" - GW="127.0.0.1" - else - INET="-f inet6" - GW="::1" - fi - - if [ -x /sbin/ip ] - then - if [ "$TASK" = "show" ]; then - if /sbin/ip $INET route "$TASK" "$2" | read -r _x ; then - return - fi - TASK="add" - fi - /sbin/ip $INET route "$TASK" blackhole "$2" 2>/dev/null - else - if [ -n "$INET" ] - then - INET="-A inet6" - fi - /sbin/route $INET "$TASK" -host "$2" gw "$GW" dev lo - fi - -# mail -s "[security] pam_shield blocked $2" root </dev/null + else + if [ -n "$INET" ] + then + INET="-A inet6" + fi + /sbin/route $INET "$TASK" -host "$2" gw "$GW" dev lo + fi + +# mail -s "[security] pam_shield blocked $2" root <" - echo - echo "shield-trigger is normally called by the pam_shield PAM module" - exit 1 + echo "shield-trigger" + echo "usage: ${0##*/} [add|del|sync] " + echo + echo "shield-trigger is normally called by the pam_shield PAM module" + exit 1 } @@ -76,37 +76,37 @@ PATH=/sbin:/usr/sbin:/bin:/usr/bin if [ -z "$2" ] then - usage + usage fi case "$1" in - add) - logger -i -t shield-trigger -p authpriv.info "blocking $2" + add) + logger -i -t shield-trigger -p authpriv.info "blocking $2" - CMD="add" - IP=$2 - ;; + CMD="add" + IP=$2 + ;; - del) - logger -i -t shield-trigger -p authpriv.info "unblocking $2" + del) + logger -i -t shield-trigger -p authpriv.info "unblocking $2" - CMD="del" - IP=$2 - ;; + CMD="del" + IP=$2 + ;; - sync) - logger -i -t shield-trigger -p authpriv.info "sync $2" - CMD="show" - IP=$2 - ;; + sync) + logger -i -t shield-trigger -p authpriv.info "sync $2" + CMD="show" + IP=$2 + ;; - *) - usage - ;; + *) + usage + ;; esac null_route "$CMD" "$IP" -exit 0 # make pam_shield happy +exit 0 # make pam_shield happy # EOB diff --git a/scripts/shield-trigger-iptables b/scripts/shield-trigger-iptables index 9a3e58c..3f7e92b 100755 --- a/scripts/shield-trigger-iptables 
+++ b/scripts/shield-trigger-iptables @@ -1,6 +1,6 @@ -#! /bin/sh +#!/bin/sh # -# shield-trigger-iptables +# shield-trigger-iptables # # pam_shield 0.9.7 # Copyright (C) 2007-2012 Walter de Jong 
@@ -22,59 +22,59 @@ # run_iptables() { -# -# louzy detection of IPv4 or IPv6 address -# - IPT=$(echo "$2" | sed 's/[0-9\.]//g') - if [ -z "$IPT" ] - then - IPT=iptables - else - IPT=ip6tables - fi - -# switch -A for iptables to -I - if [ "$1" = "-A" ] - then - TASK="-I" - else - TASK=$1 - fi - -# check to see if pam_shield chain exists and create if necessary - CHAIN_TEST=$($IPT -L pam_shield 2>/dev/null) - if [ -z "$CHAIN_TEST" ] - then - "$IPT" -N pam_shield - "$IPT" -I pam_shield -j DROP - if [ "$TASK" = "-D" ]; then - return - fi - fi + # + # louzy detection of IPv4 or IPv6 address + # + IPT=$(echo "$2" | sed 's/[0-9\.]//g') + if [ -z "$IPT" ] + then + IPT=iptables + else + IPT=ip6tables + fi + +# switch -A for iptables to -I +if [ "$1" = "-A" ] +then + TASK="-I" +else + TASK=$1 +fi + +# check to see if pam_shield chain exists and create if necessary +CHAIN_TEST=$($IPT -L pam_shield 2>/dev/null) +if [ -z "$CHAIN_TEST" ] +then + "$IPT" -N pam_shield + "$IPT" -I pam_shield -j DROP + if [ "$TASK" = "-D" ]; then + return + fi +fi # -# CUSTOMIZE THIS RULE if you want to +# CUSTOMIZE THIS RULE if you want to # -# $TASK is the iptables command: -A/-I or -D -# $2 is the IP number +# $TASK is the iptables command: -A/-I or -D +# $2 is the IP number # -# * put in the correct chain name (pam_shield or INPUT) -# * put in the correct network interface name (e.g. -i eth0) -# Currently blocks on all interfaces -# * put in a port number (e.g.--destination-port 22 for ssh only) -# Currently blocks all ports -# * add additional rules for additional services as needed +# * put in the correct chain name (pam_shield or INPUT) +# * put in the correct network interface name (e.g. -i eth0) +# Currently blocks on all interfaces +# * put in a port number (e.g.--destination-port 22 for ssh only) +# Currently blocks all ports +# * add additional rules for additional services as needed # - if ! 
"$IPT" "$TASK" INPUT -p tcp -s "$2" -j pam_shield ; then - if [ "$TASK" = "-C" ]; then - run_iptables "-I" "$2" - fi - fi +if ! "$IPT" "$TASK" INPUT -p tcp -s "$2" -j pam_shield ; then + if [ "$TASK" = "-C" ]; then + run_iptables "-I" "$2" + fi +fi -# mail -s "[security] pam_shield blocked $2" root <" - echo - echo "shield-trigger-iptables is normally called by the pam_shield PAM module" - exit 1 + echo "shield-trigger-iptables" + echo "usage: ${0##*/} [add|del|sync] " + echo + echo "shield-trigger-iptables is normally called by the pam_shield PAM module" + exit 1 } @@ -94,32 +94,32 @@ PATH=/sbin:/usr/sbin:/bin:/usr/bin if [ -z "$2" ] then - usage + usage fi case "$1" in - add) - logger -i -t shield-trigger -p authpriv.info "blocking $2" - - CMD="-A" - IP=$2 - ;; - - del) - logger -i -t shield-trigger -p authpriv.info "unblocking $2" - - CMD="-D" - IP=$2 - ;; - - sync) - logger -i -t shield-trigger -p authpriv.info "sync $2" - CMD="-C" - IP=$2 - ;; - *) - usage - ;; + add) + logger -i -t shield-trigger -p authpriv.info "blocking $2" + + CMD="-A" + IP=$2 + ;; + + del) + logger -i -t shield-trigger -p authpriv.info "unblocking $2" + + CMD="-D" + IP=$2 + ;; + + sync) + logger -i -t shield-trigger -p authpriv.info "sync $2" + CMD="-C" + IP=$2 + ;; + *) + usage + ;; esac run_iptables "$CMD" "$IP" diff --git a/scripts/shield-trigger-ufw b/scripts/shield-trigger-ufw index fb80f2c..2eb57b2 100755 --- a/scripts/shield-trigger-ufw +++ b/scripts/shield-trigger-ufw @@ -1,6 +1,6 @@ -#! /bin/sh +#!/bin/sh # -# shield-trigger-ufw +# shield-trigger-ufw # # pam_shield 0.9.7 # Copyright (C) 2007-2012 Walter de Jong @@ -22,11 +22,11 @@ # usage() { - echo "shield-trigger-ufw" - echo "usage: ${0##*/} [add|del] " - echo - echo "shield-trigger-ufw is normally called by the pam_shield PAM module" - exit 1 + echo "shield-trigger-ufw" + echo "usage: ${0##*/} [add|del] " + echo + echo "shield-trigger-ufw is normally called by the pam_shield PAM module" + exit 1 } 
@@ -34,29 +34,29 @@ PATH=/sbin:/usr/sbin:/bin:/usr/bin if [ -z "$2" ] then - usage + usage fi case "$1" in - add) - logger -i -t shield-trigger-ufw -p authpriv.info "blocking $2" - ufw insert 1 deny from "$2" -# mail -s "[security] pam_shield blocked $2" root <