2014-12-08 12:48:05 -0800, Linda Walsh:
[...]
> declare -x fmt='($(echo uid:$UID) $(echo euid:$EUID) $(date) $(uname -n))'
> declare -a out
> declare -l out=$fmt
> echo "out=${out[@]}"
> sudo bash --norc -c 'declare -a out;declare -l out=$fmt; echo "out=${out[@]}"'
>
>
> ----
> Run that and you get:
>
> out=uid:5013 euid:5013 mon dec 8 12:39:06 pst 2014 ishtar
> out=uid:0 euid:0 mon dec 8 12:39:06 pst 2014 ishtar
>
>
> All of the terms are evaluated at the time of final execution.
>
> --- This usage ***depends*** on delayed evaluation -- which you
> claim is "code injection". This is the way shell is supposed to
> operate. The programmer ***HAS*** to choose when to cause the expression
> to be evaluated depending on their need.
[...]
Hi Linda,

then change it to:

sudo bash --norc -c 'declare -a out;declare -l out; out=$fmt; echo "out=${out[@]}"'

And you get the behaviour *I* expect (assign the content of $fmt
to out[0] (aka out)).

Would you then say that bash is broken there?

If I want the shell to evaluate the content of a variable as
code, I use "eval". And I know it's a dangerous command and
that I should use it carefully. I don't expect "declare" to do
the job of "eval", I don't expect "declare" to run commands, I
only expect it to declare variables (and possibly assign values
to them).

(BTW, don't forget to add back the "Defaults env_reset" to your
/etc/sudoers as your system is currently probably vulnerable to
local privilege escalation if you're using restricted sudoer
commands).
--
Stephane
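
Added example, not part of the original message: a probe that runs the two forms from the thread (assignment as an argument to declare, and declare followed by a separate assignment) and reports whether the command substitution inside $fmt was executed by the installed bash. The function names, the marker file and the value of fmt are constructed for this example.

```shell
#!/bin/sh
# Added example: compares the two assignment forms discussed in the thread.
# Function names, the marker file and the value of fmt are constructed here.

probe_dir=$(mktemp -d) || exit 1
trap 'rm -rf "$probe_dir"' EXIT
marker=$probe_dir/executed

# Same "( $(command) )" shape as $fmt in the thread; the command substitution
# only creates a marker file, so its execution can be observed.
fmt="(\$(touch $marker; echo ran))"
export fmt

# Form from the quoted message: the value is passed as an argument to declare
# while "out" is already an array. Prints "evaluated" if the command inside
# $fmt ran, "literal" if this bash stored the text unchanged.
declare_with_assignment() {
    rm -f "$marker"
    bash --norc -c 'declare -a out; declare -l out=$fmt' 2>/dev/null || true
    if [ -e "$marker" ]; then echo evaluated; else echo literal; fi
}

# Form from the reply: declare the attributes first, then assign separately.
# A plain assignment expands $fmt once and stores the result in out[0].
separate_assignment() {
    rm -f "$marker"
    value=$(bash --norc -c 'declare -a out; declare -l out; out=$fmt; printf %s "${out[0]}"')
    if [ -e "$marker" ]; then echo "evaluated: $value"; else echo "literal: $value"; fi
}

echo "declare with assignment: $(declare_with_assignment)"
echo "separate assignment:     $(separate_assignment)"
```

The first line of output shows what the bash on the machine under test does with the declare form; the second should always report "literal" followed by the unexpanded text.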