Write to a file without redirection?
Solution 1
How about this:
echo -n 'magic' | sudo tee /some/where/file > /dev/null
Sure, there are redirections in this, but only tee runs as root, not a shell. Works with dd of=... too.
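The same pipeline with no shell at all, as an added example that is not part of the original answer: the caller creates the pipe itself and execs tee directly, with tee's stdout sent to /dev/null. The function name write_via_tee and the /usr/bin/tee path are assumptions, and plain fork/execv stands in here for the privileged launcher.

```c
#include <fcntl.h>
#include <signal.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define TEE_PATH "/usr/bin/tee"   /* assumed location; adjust per system */

/* Hypothetical helper: write `text` to `dest` by piping it into tee's stdin.
 * The child execs tee directly, so no shell ever parses the data or the path.
 * Returns 0 on success, -1 on failure. */
int write_via_tee(const char *dest, const char *text)
{
    int fds[2];
    if (pipe(fds) != 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0) {
        close(fds[0]); close(fds[1]);
        return -1;
    }
    if (pid == 0) {                       /* child: becomes tee */
        int devnull = open("/dev/null", O_WRONLY);
        if (devnull < 0 || dup2(fds[0], STDIN_FILENO) < 0 ||
            dup2(devnull, STDOUT_FILENO) < 0)
            _exit(127);
        close(fds[0]); close(fds[1]); close(devnull);
        char *const argv[] = { "tee", (char *)dest, NULL };
        execv(TEE_PATH, argv);
        _exit(127);                       /* exec failed */
    }

    close(fds[0]);
    void (*old)(int) = signal(SIGPIPE, SIG_IGN);  /* child may die early */
    size_t left = strlen(text);
    int ok = 1;
    while (left > 0) {
        ssize_t n = write(fds[1], text, left);
        if (n <= 0) { ok = 0; break; }
        text += n;
        left -= (size_t)n;
    }
    close(fds[1]);                        /* EOF lets tee finish */
    signal(SIGPIPE, old);

    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return (ok && WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}
```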
Solution 2
Without output redirect, without pipe, but with "here string":
dd of=/some/where/file <<<'magic'
Solution 3
There's another consideration, which is that you don't want to put the value of the magic cookie on a command line, since that can be observed by other users. Even if the program is short-lived (including if the program zeros out the command line string), there is the opportunity for attack. So, a theoretical:
writestringtofile 'magic' /some/where/file
is a dangerous approach. Therefore, I endorse @stribika's suggestion: write the value to a temporary file and copy it into place. Make sure to use a secure function to create the temporary file (mkstemp()) so that there's not a race condition there as well.
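A sketch of the staging step described above, added here as an example and not taken from the original answer: the value goes into a file created with mkstemp(), and the argument list handed to the copy helper contains only paths. The names stage_cookie and build_copy_argv are hypothetical, and cp is used as the helper as suggested in the comments.

```c
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: stage `text` in a private temporary file.
 * `tmpl` must be a writable mkstemp() template ending in "XXXXXX"; on
 * success it holds the staged file's name and 0 is returned, else -1. */
int stage_cookie(char *tmpl, const char *text)
{
    size_t left = strlen(text);
    /* mkstemp() picks an unused name and opens it with O_CREAT|O_EXCL,
     * so nobody can pre-create or swap the file between check and use. */
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return -1;
    if (fchmod(fd, S_IRUSR | S_IWUSR) != 0)  /* very old glibc used 0666 */
        goto fail;
    while (left > 0) {
        ssize_t n = write(fd, text, left);
        if (n <= 0)
            goto fail;
        text += n;
        left -= (size_t)n;
    }
    if (fsync(fd) != 0)      /* flush before the helper reads the file */
        goto fail;
    if (close(fd) == 0)
        return 0;
    unlink(tmpl);
    return -1;
fail:
    close(fd);
    unlink(tmpl);
    return -1;
}

/* Fill `argv` for a copy helper such as cp. Only the two paths appear,
 * so the value never shows up in the process's command line. */
void build_copy_argv(char *argv[4], char *staged, char *dest)
{
    argv[0] = "cp";
    argv[1] = staged;
    argv[2] = dest;
    argv[3] = NULL;
}
```

The caller removes the staged file once the helper has finished copying it.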
Solution 4
sponge from moreutils - soak up standard input and write to a file:
echo -n 'magic' | sponge /some/where/file
Unlike a shell redirect, sponge soaks up all its input before writing the output file. When possible, sponge creates or updates the output file atomically by renaming a temp file into place.
zoul
Updated on September 17, 2022
Comments
-
zoul over 1 year
I am writing a regular compiled application that needs to create a special file and write a magic cookie into it. I can’t write the file directly from the application, the system security model requires me to launch a helper tool with elevated privileges to do the trick. I can supply any number of arguments to the helper tool. Now I would like to pick some very simple system command that would serve as the helper tool and create the file for me. Something like this:
/bin/sh -c "/bin/echo -n 'magic' > /some/where/file"
Simple touch does not cut it as I need to write the cookie into the file, a simple echo without the shell wrapper does not work as it needs redirection to write the file. I don’t feel comfortable calling the shell with root privileges to do such a trivial task. Is there some really simple, constrained system command that I could call to write the file for me?
-
Arcege about 13 years
Is there a reason why /bin/sh -c 'echo magic > /path/to/magic/file' does not work? That would be an executable file and two arguments. You would need to build the last argument as a string (with sprintf or equivalent). Is there a reason this wouldn't work for you? From your question it sounds like doCommandAsRoot() does not take input to stream to the command, correct? Otherwise you could replace the last argument with 'cat > /path/to/magic/file' and pass the data instead of constructing a string.
-
zoul about 13 years
The shell example works, but I’d hate to call the shell with root privileges just to create a simple file. The library does take a communication pipe argument (it’s AuthorizationExecuteWithPrivileges), that could be used to write the cookie using tee. Thanks!
-
LDS over 7 years
See also stackoverflow.com/a/18146890/2032064
-
-
zoul about 13 years
Sorry, I obviously have trouble explaining myself lately. The problem is that when I want to run something with the elevated privileges, I have to go through a special library call (something like doCommandAsRoot). And this function only accepts a path to the command and its arguments, so there’s no way for me to use output redirection right away. I could go through shell (as shown in the question), but I don’t like that security-wise.
-
stribika about 13 years
@zoul: I thought you are writing a shell script. Is it OK to write the magic cookie to a file that is accessible for unprivileged processes? If it is then write it to such a file and call doCommandAsRoot("dd", "if=/tmp/unprotected_file", "of=/some/where/file").
-
zoul about 13 years
No, it’s a regular compiled application (question updated). I’m just looking for “shell” commands to serve as the helper so that I don’t have to write it myself. Yes, the cookie is nothing sensitive. The dd example is pretty close to what I want, thank you. Could you think of something even simpler?
-
mattdm about 13 years
Sure, you could use cp or mv instead of dd.
-
zoul about 13 years
I mean simpler as without the need to copy :)
-
mattdm about 13 years
I don't think there are any standard programs which take a value on the command line and write that value to a file. However, since the command line and arguments aren't necessarily secure from snooping, you probably shouldn't do that with a magic cookie value anyway. So the copy approach is the best one I can think of.
-
zoul about 13 years
Thank you, this is a useful discussion. Fortunately the “magic cookie” is not a security device, it can be plainly seen by anybody.
-
Daco almost 6 years
One downside of this approach is dd writes some stats to stdout. You can use > /dev/null to hide them, but at that point you might as well use tee.
-
Amitav Pajni over 4 years
This worked for me in an unusual situation where I could not use output redirection or pipes. status=none will suppress all other output from modern versions of GNU coreutils dd.
-
fei0x about 3 years
Yes, I used this to set data to a file inside an LXD container:
lxc exec $LXC -- dd of=/path/to/file/file.txt <<< "$MYMESSAGE" &> /dev/null