From 4699007206f822c2458f9cde4ee91059841877a1 Mon Sep 17 00:00:00 2001 From: Xavier Bachelot Date: Mon, 13 Nov 2023 13:10:13 +0100 Subject: [PATCH 01/12] SC2006: Use $(...) notation instead of legacy backticks --- checkLdapPwdExpiration.sh | 94 +++++++++++++++++++-------------------- 1 file changed, 47 insertions(+), 47 deletions(-) diff --git a/checkLdapPwdExpiration.sh b/checkLdapPwdExpiration.sh index 0e2ef55..7745648 100644 --- a/checkLdapPwdExpiration.sh +++ b/checkLdapPwdExpiration.sh @@ -190,7 +190,7 @@ MY_MAIL_BIN="mail" # Log header format # Could include unix commands # -MY_LOG_HEADER="`date +\"%b %e %T\"` `hostname` $0[$$]:" +MY_LOG_HEADER="$(date +\"%b %e %T\") $(hostname) $0[$$]:" # # Path to GAWK (GNU awk) binary @@ -208,24 +208,24 @@ MY_GAWK_BIN="/usr/bin/gawk" # getTimeInSeconds() { date=0 - os=`uname -s` + os=$(uname -s) if [ "$1" ]; then - date=`TZ=UTC ${MY_GAWK_BIN} 'BEGIN { \ + date=$(TZ=UTC ${MY_GAWK_BIN} 'BEGIN { \ if (ARGC == 2) { \ print mktime(ARGV[1]) \ } \ - exit 0 }' "$1"` + exit 0 }' "$1") else if [ "${os}" = "SunOS" ]; then # Under Sun Solaris, there is no simple way to # retrieve epoch time. # TODO: manage zulu time (GMT) - date=`/usr/bin/truss /usr/bin/date 2>&1 | nawk -F= \ - '/^time\(\)/ {gsub(/ /,"",$2);print $2}'` + date=$(/usr/bin/truss /usr/bin/date 2>&1 | nawk -F= \ + '/^time\(\)/ {gsub(/ /,"",$2);print $2}') else - now=`date +"%Y %m %d %H %M %S" -u` - date=`getTimeInSeconds "$now"` + now=$(date +"%Y %m %d %H %M %S" -u) + date=$(getTimeInSeconds "$now") fi fi 
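Review bot: The `\"` escapes that the backtick form needed are carried into `$(date +\"%b %e %T\")`, where the command parser turns them into literal double-quote characters rather than grouping quotes, so `date` is invoked with the three words `+"%b`, `%e` and `%T"` instead of one format string and GNU date answers with an "extra operand" error and no timestamp. Whether the backtick version rendered correctly depends on a shell quirk I cannot confirm from the hunk, so this may be a regression of the conversion or a pre-existing fault; either way `MY_LOG_HEADER="$(date '+%b %e %T') $(hostname) $0[$$]:"` is unambiguous and should be checked by looking at one emitted log line. `$0` on the same line is also left unquoted, unlike the `basename "$0"` fix applied to the sibling script later in this series.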
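Review bot: gawk's `mktime()` returns -1 for a datespec it cannot parse, and `getTimeInSeconds` echoes that value unchanged, so a malformed `pwdChangedTime` turns into an epoch of -1 that the caller then treats as a genuine (very old) change time; `[ "${date}" -ge 0 ] || return 1` after the substitution, with the caller checking the status, would keep "unparsable" apart from "expired". `${MY_GAWK_BIN}` stays unquoted on that line while the rest of the series quotes expansions. `date`, `os` and `now` are assigned as globals inside the function; `local date os now` (accepted by dash and bash) would mark them as scratch variables and avoid the confusing overlap between the `date` variable and the `date` command used two lines apart. The function's closing brace and the `echo` of its result are outside this hunk.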
@@ -273,25 +273,25 @@ do fi # Process ldap search - dn=`echo ${dnStr} | cut -d : -f 2` + dn=$(echo ${dnStr} | cut -d : -f 2) # Increment users counter - nb_users=`expr ${nb_users} + 1` + nb_users=$(expr ${nb_users} + 1) ${MY_LDAP_SEARCHBIN} ${ldap_param} -s base -b "${dn}" \ ${MY_LDAP_NAME_ATTR} ${MY_LDAP_LOGIN_ATTR} ${MY_LDAP_MAIL_ATTR} pwdChangedTime pwdPolicySubentry \ > ${buffer_file} - login=`grep -w "${MY_LDAP_LOGIN_ATTR}:" ${buffer_file} | cut -d : -f 2 \ - | sed "s/^ *//;s/ *$//"` - name=`grep -w "${MY_LDAP_NAME_ATTR}:" ${buffer_file} | cut -d : -f 2\ - | sed "s/^ *//;s/ *$//"` - mail=`grep -w "${MY_LDAP_MAIL_ATTR}:" ${buffer_file} | cut -d : -f 2 \ - | sed "s/^ *//;s/ *$//"` - pwdChangedTime=`grep -w "pwdChangedTime:" ${buffer_file} \ - | cut -d : -f 2 | cut -c 1-15 | sed "s/^ *//;s/ *$//"` - pwdPolicySubentry=`grep -w "pwdPolicySubentry:" ${buffer_file} \ - | cut -d : -f 2 | sed "s/^ *//;s/ *$//"` + login=$(grep -w "${MY_LDAP_LOGIN_ATTR}:" ${buffer_file} | cut -d : -f 2 \ + | sed "s/^ *//;s/ *$//") + name=$(grep -w "${MY_LDAP_NAME_ATTR}:" ${buffer_file} | cut -d : -f 2\ + | sed "s/^ *//;s/ *$//") + mail=$(grep -w "${MY_LDAP_MAIL_ATTR}:" ${buffer_file} | cut -d : -f 2 \ + | sed "s/^ *//;s/ *$//") + pwdChangedTime=$(grep -w "pwdChangedTime:" ${buffer_file} \ + | cut -d : -f 2 | cut -c 1-15 | sed "s/^ *//;s/ *$//") + pwdPolicySubentry=$(grep -w "pwdPolicySubentry:" ${buffer_file} \ + | cut -d : -f 2 | sed "s/^ *//;s/ *$//") # Go to next entry if no pwdChangedTime if [ ! "${pwdChangedTime}" ]; then 
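Review bot: Each `grep -w "<attr>:" … | cut -d : -f 2` yields an empty string when ldapsearch base64-encodes the value (`mail:: bWFpbA==`, which it does for non-ASCII content and for leading/trailing spaces), because `-w` still matches `mail::` and field 2 of `a::b` is empty; such users silently land in the "no mail" path and never receive a warning, and a value that itself contains a colon is truncated at it. `dn=$(echo ${dnStr} | cut -d : -f 2)` has the same two problems, and in addition ldapsearch folds DNs longer than its LDIF wrap width onto continuation lines that `grep '^dn:'` never sees, so the base DN of the per-user search is truncated. Taking `-f 2-`, detecting the `::` form and decoding it with `base64 -d`, and unfolding first (`-o ldif-wrap=no` on recent OpenLDAP, or the `perl -p0e 's/\n //g'` idiom the sibling cleanLdapBrokenAliases.sh already uses) would make the extraction match what the server actually sends. This block sits inside the `while read` loop whose head and tail are outside the hunk.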
@@ -314,14 +314,14 @@ do fi ldap_search="$ldap_search pwdMaxAge pwdExpireWarning pwdMinLength pwdInHistory" - pwdMaxAge=`${ldap_search} | grep -w "pwdMaxAge:" | cut -d : -f 2 \ - | sed "s/^ *//;s/ *$//"` - pwdExpireWarning=`${ldap_search} | grep -w "pwdExpireWarning:" | cut -d : -f 2 \ - | sed "s/^ *//;s/ *$//"` - pwdMinLength=`${ldap_search} | grep -w "pwdMinLength:" | cut -d : -f 2 \ - | sed "s/^ *//;s/ *$//"` - pwdInHistory=`${ldap_search} | grep -w "pwdInHistory:" | cut -d : -f 2 \ - | sed "s/^ *//;s/ *$//"` + pwdMaxAge=$(${ldap_search} | grep -w "pwdMaxAge:" | cut -d : -f 2 \ + | sed "s/^ *//;s/ *$//") + pwdExpireWarning=$(${ldap_search} | grep -w "pwdExpireWarning:" | cut -d : -f 2 \ + | sed "s/^ *//;s/ *$//") + pwdMinLength=$(${ldap_search} | grep -w "pwdMinLength:" | cut -d : -f 2 \ + | sed "s/^ *//;s/ *$//") + pwdInHistory=$(${ldap_search} | grep -w "pwdInHistory:" | cut -d : -f 2 \ + | sed "s/^ *//;s/ *$//") # Go to next user if no pwdMaxAge (no expiration) if [ ! "${pwdMaxAge}" ]; then 
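Review bot: The password-policy entry is searched four times in a row — `${ldap_search}` is re-executed for `pwdMaxAge`, `pwdExpireWarning`, `pwdMinLength` and `pwdInHistory` — so every user costs four extra connect-and-bind round trips for four attributes of a single entry; running it once, `${ldap_search} > "${policy_file}"`, and grepping that file, as the user lookup above already does with `${buffer_file}`, removes three of them and guarantees the four values come from the same read. `${ldap_search}` is a whole command line stored in a string and expanded unquoted, which the SC2086 commit later in this series appears to leave alone because it depends on word-splitting; an array would let it be quoted like everything else. `pwdMaxAge` is tested only for emptiness here before it reaches arithmetic further down. The `ldap_search=` assignment and the `continue` branch that follows are outside the hunk.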
@@ -334,32 +334,32 @@ do # Retrieves time difference between today and last change. if [ "${pwdChangedTime}" ]; then - s=`echo ${pwdChangedTime} | cut -c 13-14` - m=`echo ${pwdChangedTime} | cut -c 11-12` - h=`echo ${pwdChangedTime} | cut -c 9-10` - d=`echo ${pwdChangedTime} | cut -c 7-8` - M=`echo ${pwdChangedTime} | cut -c 5-6` - y=`echo ${pwdChangedTime} | cut -c 1-4` - currentTime=`getTimeInSeconds` - pwdChangedTime=`getTimeInSeconds "$y $M $d $h $m $s"` - diffTime=`expr ${currentTime} - ${pwdChangedTime}` + s=$(echo ${pwdChangedTime} | cut -c 13-14) + m=$(echo ${pwdChangedTime} | cut -c 11-12) + h=$(echo ${pwdChangedTime} | cut -c 9-10) + d=$(echo ${pwdChangedTime} | cut -c 7-8) + M=$(echo ${pwdChangedTime} | cut -c 5-6) + y=$(echo ${pwdChangedTime} | cut -c 1-4) + currentTime=$(getTimeInSeconds) + pwdChangedTime=$(getTimeInSeconds "$y $M $d $h $m $s") + diffTime=$(expr ${currentTime} - ${pwdChangedTime}) fi # Go to next user if password already expired - expireTime=`expr ${pwdChangedTime} + ${pwdMaxAge}` + expireTime=$(expr ${pwdChangedTime} + ${pwdMaxAge}) if [ ${currentTime} -gt ${expireTime} ]; then - nb_expired_users=`expr ${nb_expired_users} + 1` + nb_expired_users=$(expr ${nb_expired_users} + 1) echo "${MY_LOG_HEADER} Password expired for ${login}" >&2 continue fi - expireTimeTZ=`date -d @$expireTime "+%A %d %B %Y %T"` + expireTimeTZ=$(date -d @$expireTime "+%A %d %B %Y %T") - expireTimeMail=`date -d @$expireTime "+%s"` + expireTimeMail=$(date -d @$expireTime "+%s") - now=`date +%s` + now=$(date +%s) - expireDays=`echo $(( (${expireTimeMail} - ${now} )/(60*60*24) ))` + expireDays=$(echo $(( (${expireTimeMail} - ${now} )/(60*60*24) ))) # Print debug information on STDERR when there is no mail if [ -z "${mail}" ];then 
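Review bot: `date -d @$expireTime` is a GNU coreutils extension, so from `expireTimeTZ` onward the script fails on the Solaris `date` that getTimeInSeconds goes to the trouble of supporting through `truss`, and on BSD/macOS; `${MY_GAWK_BIN} -v t="$expireTime" 'BEGIN{print strftime("%A %d %B %Y %T", t)}'` formats the date with the gawk the script already requires. `expireTimeMail=$(date -d @$expireTime "+%s")` only round-trips `expireTime` through date and `now=$(date +%s)` duplicates `currentTime`, so `expireDays` can be computed from the two values already in hand without either fork. The fixed-column `cut -c` slicing assumes a 14-digit `YYYYMMDDHHMMSS` prefix and nothing verifies that shape before the pieces reach mktime. The surrounding loop and the `if [ -z "${mail}" ]` branch continue past the hunk.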
@@ -371,12 +371,12 @@ do -a "${login}" -a "${diffTime}" -a "${pwdMaxAge}" ] then # Ajusts time with delay - diffTime=`expr ${diffTime} + ${MY_MAIL_DELAY}` + diffTime=$(expr ${diffTime} + ${MY_MAIL_DELAY}) if [ ${diffTime} -gt ${pwdMaxAge} ]; then logmsg="${MY_MAIL_BODY}" - logmsg=`echo ${logmsg} | sed "s/%name/${name}/; \ + logmsg=$(echo ${logmsg} | sed "s/%name/${name}/; \ s/%login/${login}/; s/%expireTimeTZ/${expireTimeTZ}/; s/%pwdMinLength/${pwdMinLength}/; s/%pwdInHistory/${pwdInHistory}/; \ - s/%expireDays/${expireDays}/"` + s/%expireDays/${expireDays}/") # Sending mail... echo "${logmsg}" | ${MY_MAIL_BIN} "${MY_MAIL_FROM}" -s "${MY_MAIL_SUBJECT}" ${mail} >&2 @@ -385,7 +385,7 @@ do echo "${MY_LOG_HEADER} Mail sent to user ${login} (${mail})" >&2 # Increment warning counter - nb_warning_users=`expr ${nb_warning_users} + 1` + nb_warning_users=$(expr ${nb_warning_users} + 1) fi fi From 333ffa97a6f7ea6f536ee8f5f9b39b9d5f1397ba Mon Sep 17 00:00:00 2001 From: Xavier Bachelot Date: Mon, 13 Nov 2023 13:24:26 +0100 Subject: [PATCH 02/12] SC2086: Double quote to prevent globbing and word splitting --- checkLdapPwdExpiration.sh | 46 +++++++++++++++++++-------------------- 1 file changed, 23 insertions(+), 23 deletions(-) diff --git a/checkLdapPwdExpiration.sh b/checkLdapPwdExpiration.sh index 7745648..ace4bb3 100644 --- a/checkLdapPwdExpiration.sh +++ b/checkLdapPwdExpiration.sh @@ -229,7 +229,7 @@ getTimeInSeconds() { fi fi - echo ${date} + echo "${date}" } #==================================================================== 
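Review bot: The `sed "s/%name/${name}/; s/%login/${login}/; …"` rewrite interpolates directory-supplied values into the sed program itself, so a name containing `/`, `&`, `\` or a newline corrupts or aborts the mail, and with GNU sed a value ending in `/e;` — for example a display name a user can edit through self-service, depending on ACLs not visible here — turns the rest of the expression into the `e` flag, which executes the pattern space as a shell command under the account that runs this cron job holding the directory's root bind password. Replace the sed with substitutions that treat the value as data: `logmsg=${logmsg//%name/$name}` (bash/ksh) repeated per placeholder, or hand the values to awk with `-v name="$name"` if the script must stay POSIX sh. The `if [ ${diffTime} -gt ${pwdMaxAge} ]` block that encloses this code closes outside the hunk.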
@@ -255,12 +255,12 @@ if [ -d ${tmp_dir} ]; then fi mkdir ${tmp_dir} -if [ ${MY_LDAP_ROOTDN} ]; then +if [ "${MY_LDAP_ROOTDN}" ]; then ldap_param="${ldap_param} -D ${MY_LDAP_ROOTDN} -w ${MY_LDAP_ROOTPW}" fi ## Performs global search -${MY_LDAP_SEARCHBIN} ${ldap_param} -s ${MY_LDAP_SEARCHSCOPE} \ +${MY_LDAP_SEARCHBIN} "${ldap_param}" -s ${MY_LDAP_SEARCHSCOPE} \ -b "${MY_LDAP_SEARCHBASE}" "${MY_LDAP_SEARCHFILTER}" \ "dn" | grep -iE '^dn:' > ${result_file} @@ -273,12 +273,12 @@ do fi # Process ldap search - dn=$(echo ${dnStr} | cut -d : -f 2) + dn=$(echo "${dnStr}" | cut -d : -f 2) # Increment users counter - nb_users=$(expr ${nb_users} + 1) + nb_users=$(expr "${nb_users}" + 1) - ${MY_LDAP_SEARCHBIN} ${ldap_param} -s base -b "${dn}" \ + ${MY_LDAP_SEARCHBIN} "${ldap_param}" -s base -b "${dn}" \ ${MY_LDAP_NAME_ATTR} ${MY_LDAP_LOGIN_ATTR} ${MY_LDAP_MAIL_ATTR} pwdChangedTime pwdPolicySubentry \ > ${buffer_file} 
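Review bot: Quoting `"${ldap_param}"` turns a variable that is deliberately built as a space-separated option list (`ldap_param="${ldap_param} -D ${MY_LDAP_ROOTDN} -w ${MY_LDAP_ROOTPW}"` a few lines above; its initial value is outside the hunk) into a single argument, so ldapsearch now receives something like `-H ldap://host -D cn=admin,… -w secret` as one word and rejects it — this is the SC2086 case where word-splitting was the intent, and the global search will fail on every run. The fix is an array: declare `ldap_param=(…)` at its first assignment, extend it with `ldap_param+=(-D "${MY_LDAP_ROOTDN}" -w "${MY_LDAP_ROOTPW}")`, and use `"${ldap_param[@]}"` at each call site, which also keeps a root DN containing spaces intact. Independently, `-w` puts the root bind password on argv where any local user can read it with `ps`; OpenLDAP's `-y "${pwfile}"` with a 0600 file (or `-W` reading stdin) keeps it out of the process list, and an empty `MY_LDAP_ROOTPW` would currently make `-w` consume the next option. `mkdir ${tmp_dir}` just above is still unquoted.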
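Review bot: The per-user `${MY_LDAP_SEARCHBIN} "${ldap_param}" -s base -b "${dn}"` breaks the same way as the global search: the bind options that were kept as one string are now passed as a single argument, so no per-user entry is ever read and no warning is sent; this call needs `"${ldap_param[@]}"` from an array, not a quoted string. In the same command `> ${buffer_file}` is left unquoted, which is the one expansion on that line that does need quoting (the three `${MY_LDAP_*_ATTR}` names are single words). The attribute-extraction lines that follow are outside the hunk, inside the same `while read` loop.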
@@ -334,28 +334,28 @@ do # Retrieves time difference between today and last change. if [ "${pwdChangedTime}" ]; then - s=$(echo ${pwdChangedTime} | cut -c 13-14) - m=$(echo ${pwdChangedTime} | cut -c 11-12) - h=$(echo ${pwdChangedTime} | cut -c 9-10) - d=$(echo ${pwdChangedTime} | cut -c 7-8) - M=$(echo ${pwdChangedTime} | cut -c 5-6) - y=$(echo ${pwdChangedTime} | cut -c 1-4) + s=$(echo "${pwdChangedTime}" | cut -c 13-14) + m=$(echo "${pwdChangedTime}" | cut -c 11-12) + h=$(echo "${pwdChangedTime}" | cut -c 9-10) + d=$(echo "${pwdChangedTime}" | cut -c 7-8) + M=$(echo "${pwdChangedTime}" | cut -c 5-6) + y=$(echo "${pwdChangedTime}" | cut -c 1-4) currentTime=$(getTimeInSeconds) pwdChangedTime=$(getTimeInSeconds "$y $M $d $h $m $s") - diffTime=$(expr ${currentTime} - ${pwdChangedTime}) + diffTime=$(expr "${currentTime}" - "${pwdChangedTime}") fi # Go to next user if password already expired - expireTime=$(expr ${pwdChangedTime} + ${pwdMaxAge}) - if [ ${currentTime} -gt ${expireTime} ]; then - nb_expired_users=$(expr ${nb_expired_users} + 1) + expireTime=$(expr "${pwdChangedTime}" + "${pwdMaxAge}") + if [ "${currentTime}" -gt "${expireTime}" ]; then + nb_expired_users=$(expr "${nb_expired_users}" + 1) echo "${MY_LOG_HEADER} Password expired for ${login}" >&2 continue fi - expireTimeTZ=$(date -d @$expireTime "+%A %d %B %Y %T") + expireTimeTZ=$(date -d @"$expireTime" "+%A %d %B %Y %T") - expireTimeMail=$(date -d @$expireTime "+%s") + expireTimeMail=$(date -d @"$expireTime" "+%s") now=$(date +%s) 
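Review bot: If getTimeInSeconds cannot parse the sliced timestamp, gawk's `mktime()` returns -1 and `pwdChangedTime` becomes `-1`, so `expireTime` lands in 1970, the account is counted in `nb_expired_users` and logged as "Password expired" with nothing indicating that the attribute was malformed rather than old. A guard after the call, `[ "${pwdChangedTime}" -ge 0 ] 2>/dev/null || { echo "${MY_LOG_HEADER} Unparsable pwdChangedTime for ${login}" >&2; continue; }`, keeps the two cases apart. Quoting `@"$expireTime"` is correct, though `date -d` itself remains GNU-only. The loop body continues beyond the hunk on both sides.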
@@ -371,21 +371,21 @@ do -a "${login}" -a "${diffTime}" -a "${pwdMaxAge}" ] then # Ajusts time with delay - diffTime=$(expr ${diffTime} + ${MY_MAIL_DELAY}) - if [ ${diffTime} -gt ${pwdMaxAge} ]; then + diffTime=$(expr "${diffTime}" + "${MY_MAIL_DELAY}") + if [ "${diffTime}" -gt "${pwdMaxAge}" ]; then logmsg="${MY_MAIL_BODY}" - logmsg=$(echo ${logmsg} | sed "s/%name/${name}/; \ + logmsg=$(echo "${logmsg}" | sed "s/%name/${name}/; \ s/%login/${login}/; s/%expireTimeTZ/${expireTimeTZ}/; s/%pwdMinLength/${pwdMinLength}/; s/%pwdInHistory/${pwdInHistory}/; \ s/%expireDays/${expireDays}/") # Sending mail... - echo "${logmsg}" | ${MY_MAIL_BIN} "${MY_MAIL_FROM}" -s "${MY_MAIL_SUBJECT}" ${mail} >&2 + echo "${logmsg}" | ${MY_MAIL_BIN} "${MY_MAIL_FROM}" -s "${MY_MAIL_SUBJECT}" "${mail}" >&2 # Print debug information on STDERR echo "${MY_LOG_HEADER} Mail sent to user ${login} (${mail})" >&2 # Increment warning counter - nb_warning_users=$(expr ${nb_warning_users} + 1) + nb_warning_users=$(expr "${nb_warning_users}" + 1) fi fi From c33a389740c1d090784a49f631546b00a35177f0 Mon Sep 17 00:00:00 2001 From: Xavier Bachelot Date: Mon, 13 Nov 2023 15:09:47 +0100 Subject: [PATCH 03/12] SC2003: drop use of expr --- checkLdapPwdExpiration.sh | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/checkLdapPwdExpiration.sh b/checkLdapPwdExpiration.sh index ace4bb3..c1343e4 100644 --- a/checkLdapPwdExpiration.sh +++ b/checkLdapPwdExpiration.sh @@ -276,7 +276,7 @@ do dn=$(echo "${dnStr}" | cut -d : -f 2) # Increment users counter - nb_users=$(expr "${nb_users}" + 1) + nb_users=$(("${nb_users}" + 1)) ${MY_LDAP_SEARCHBIN} "${ldap_param}" -s base -b "${dn}" \ ${MY_LDAP_NAME_ATTR} ${MY_LDAP_LOGIN_ATTR} ${MY_LDAP_MAIL_ATTR} pwdChangedTime pwdPolicySubentry \ 
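Review bot: `"${mail}"` is now one argument, which is right, but it still sits where `mail`/`mailx` parse options, so a directory value beginning with `-` (say `-r other@example.org`, if the attribute is user-editable) could be consumed as an option rather than a recipient; an end-of-options `--` before it (most mail(1) implementations accept it) or a `case ${mail} in -*) continue;; esac` guard is cheap insurance. The `logmsg=$(echo "${logmsg}" | sed …)` line above still interpolates `name`, `login` and the other values into the sed program, an injection vector independent of the quoting fixed here. The enclosing `if` closes outside the hunk.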
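Review bot: `$(("${nb_users}" + 1))` carries double quotes and `${}` into the arithmetic expansion; bash removes the quotes, but POSIX does not promise that for `$(( ))` operands, and this same series later rewrites `expireDays` as `$(( (expireTimeMail - now) / … ))` under SC2004, so the two styles now coexist. `nb_users=$((nb_users + 1))` is the portable, idiomatic form and is what SC2004 will flag on this line next. The `while` loop holding this counter starts and ends outside the hunk.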
@@ -342,13 +342,13 @@ do y=$(echo "${pwdChangedTime}" | cut -c 1-4) currentTime=$(getTimeInSeconds) pwdChangedTime=$(getTimeInSeconds "$y $M $d $h $m $s") - diffTime=$(expr "${currentTime}" - "${pwdChangedTime}") + diffTime=$(("${currentTime}" - "${pwdChangedTime}")) fi # Go to next user if password already expired - expireTime=$(expr "${pwdChangedTime}" + "${pwdMaxAge}") + expireTime=$(("${pwdChangedTime}" + "${pwdMaxAge}")) if [ "${currentTime}" -gt "${expireTime}" ]; then - nb_expired_users=$(expr "${nb_expired_users}" + 1) + nb_expired_users=$(("${nb_expired_users}" + 1)) echo "${MY_LOG_HEADER} Password expired for ${login}" >&2 continue fi @@ -371,7 +371,7 @@ do -a "${login}" -a "${diffTime}" -a "${pwdMaxAge}" ] then # Ajusts time with delay - diffTime=$(expr "${diffTime}" + "${MY_MAIL_DELAY}") + diffTime=$(("${diffTime}" + "${MY_MAIL_DELAY}")) if [ "${diffTime}" -gt "${pwdMaxAge}" ]; then logmsg="${MY_MAIL_BODY}" logmsg=$(echo "${logmsg}" | sed "s/%name/${name}/; \ @@ -385,7 +385,7 @@ do echo "${MY_LOG_HEADER} Mail sent to user ${login} (${mail})" >&2 # Increment warning counter - nb_warning_users=$(expr "${nb_warning_users}" + 1) + nb_warning_users=$(("${nb_warning_users}" + 1)) fi fi From 08a804dce9a0deceb693c2760ff0000e4e468baa Mon Sep 17 00:00:00 2001 From: Xavier Bachelot Date: Mon, 13 Nov 2023 15:16:42 +0100 Subject: [PATCH 04/12] SC2116: useless use of echo --- checkLdapPwdExpiration.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/checkLdapPwdExpiration.sh b/checkLdapPwdExpiration.sh index c1343e4..898ed16 100644 --- a/checkLdapPwdExpiration.sh +++ b/checkLdapPwdExpiration.sh @@ -359,7 +359,7 @@ do now=$(date +%s) - expireDays=$(echo $(( (${expireTimeMail} - ${now} )/(60*60*24) ))) + expireDays=$(( (${expireTimeMail} - ${now}) / (60*60*24) )) # Print debug information on STDERR when there is no mail if [ -z "${mail}" ];then From 7b5c7541593ab7953df0e38e31704c6bcff09918 Mon Sep 17 00:00:00 2001 
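Review bot: Moving `expireTime`/`diffTime` from `expr` to `$(( ))` changes what a non-numeric `pwdMaxAge` does: `expr` failed loudly, whereas bash arithmetic treats a bare word as a variable name and evaluates it as 0, so a policy value that is not an integer now yields `expireTime == pwdChangedTime` and every user under that policy is reported expired. The attribute is typed INTEGER in the schema, so this is a defensive check rather than a live bug, but it is a one-liner: `case ${pwdMaxAge} in ''|*[!0-9]*) echo "${MY_LOG_HEADER} Bad pwdMaxAge for ${login}" >&2; continue;; esac` before the arithmetic. The quotes inside `$(( ))` on these lines are unnecessary and are exactly the form SC2004 flags. The loop body continues on both sides of the hunk.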
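Review bot: `(expireTimeMail - now) / (60*60*24)` truncates toward zero, so a password that expires in 23 hours reports `%expireDays` as 0 and one that expires in 47 hours as 1; if the mail body says "in N days", the final-day message reads as if the password were already expired. Rounding up with `$(( (expireTimeMail - now + 86399) / 86400 ))`, or leaning on `%expireTimeTZ` for the exact moment, gives a less surprising number; whether 0 is intended on the last day is a product decision not visible here. The surrounding loop is outside the hunk.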
From: Xavier Bachelot Date: Mon, 13 Nov 2023 15:57:45 +0100 Subject: [PATCH 05/12] SC2166: Prefer [ p ] && [ q ] as [ p -a q ] is not well defined --- checkLdapPwdExpiration.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/checkLdapPwdExpiration.sh b/checkLdapPwdExpiration.sh index 898ed16..bb028a6 100644 --- a/checkLdapPwdExpiration.sh +++ b/checkLdapPwdExpiration.sh @@ -300,7 +300,7 @@ do fi # Go to next entry if no pwdPolicySubEntry and no default policy - if [ ! "${pwdPolicySubentry}" -a ! "${MY_LDAP_DEFAULTPWDPOLICYDN}" ]; then + if [ ! "${pwdPolicySubentry}" ] && [ ! "${MY_LDAP_DEFAULTPWDPOLICYDN}" ]; then echo "${MY_LOG_HEADER} No password policy for ${login}" >&2 continue fi @@ -367,8 +367,8 @@ do fi # ALL LDAP attributes should be there, else continue to next user - if [ "${mail}" -a "${name}" \ - -a "${login}" -a "${diffTime}" -a "${pwdMaxAge}" ] + if [ "${mail}" ] && [ "${name}" ] \ + && [ "${login}" ] && [ "${diffTime}" ] && [ "${pwdMaxAge}" ] then # Ajusts time with delay diffTime=$(("${diffTime}" + "${MY_MAIL_DELAY}")) From 8ef85664f88d195158d3f3cbefbff66f7e779518 Mon Sep 17 00:00:00 2001 From: Xavier Bachelot Date: Mon, 13 Nov 2023 16:11:22 +0100 Subject: [PATCH 06/12] SC2004: $/${} is unnecessary on arithmetic variables --- checkLdapPwdExpiration.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/checkLdapPwdExpiration.sh b/checkLdapPwdExpiration.sh index bb028a6..25d00f6 100644 --- a/checkLdapPwdExpiration.sh +++ b/checkLdapPwdExpiration.sh @@ -359,7 +359,7 @@ do now=$(date +%s) - expireDays=$(( (${expireTimeMail} - ${now}) / (60*60*24) )) + expireDays=$(( (expireTimeMail - now) / (60*60*24) )) # Print debug information on STDERR when there is no mail if [ -z "${mail}" ];then From 0aa10025d0524d30ba544dd0a776073880b08904 Mon Sep 17 00:00:00 2001 
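Review bot: `[ "${mail}" ] && [ "${name}" ] && …` uses the one-argument form of `test`, which means "non-empty" but reads like a command test and has historically been mis-parsed for values such as `!` or `(` in some /bin/sh; `[ -n "${mail}" ] && [ -n "${name}" ] …` states the intent and matches the `[ -z "${mail}" ]` branch a few lines up. If that branch `continue`s (its body is outside the hunk), the `mail` term of this condition is redundant, and a one-line comment saying which attributes are genuinely optional would save the next reader the question. The `then` body that follows is outside the hunk.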
From: Xavier Bachelot Date: Mon, 13 Nov 2023 16:22:13 +0100 Subject: [PATCH 07/12] Disable SC2153 for MY_LDAP_ROOTPW --- checkLdapPwdExpiration.sh | 1 + 1 file changed, 1 insertion(+) diff --git a/checkLdapPwdExpiration.sh b/checkLdapPwdExpiration.sh index 25d00f6..6d6791e 100644 --- a/checkLdapPwdExpiration.sh +++ b/checkLdapPwdExpiration.sh @@ -256,6 +256,7 @@ fi mkdir ${tmp_dir} if [ "${MY_LDAP_ROOTDN}" ]; then + # shellcheck disable=SC2153 ldap_param="${ldap_param} -D ${MY_LDAP_ROOTDN} -w ${MY_LDAP_ROOTPW}" fi From 7e6ee9b0e67650ccd000c73e59d29c51858294ac Mon Sep 17 00:00:00 2001 From: Xavier Bachelot Date: Mon, 13 Nov 2023 16:23:54 +0100 Subject: [PATCH 08/12] SC2162: read without -r will mangle backslashes --- checkLdapPwdExpiration.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/checkLdapPwdExpiration.sh b/checkLdapPwdExpiration.sh index 6d6791e..7d4daf0 100644 --- a/checkLdapPwdExpiration.sh +++ b/checkLdapPwdExpiration.sh @@ -266,7 +266,7 @@ ${MY_LDAP_SEARCHBIN} "${ldap_param}" -s ${MY_LDAP_SEARCHSCOPE} \ "dn" | grep -iE '^dn:' > ${result_file} ## Loops on results -while read dnStr +while read -r dnStr do # Do not use blank lines if [ ! "${dnStr}" ]; then From 7c66a076d4e457c7c7a4b1f2cfe7e5ee67fbe34c Mon Sep 17 00:00:00 2001 From: Xavier Bachelot Date: Mon, 13 Nov 2023 16:36:27 +0100 Subject: [PATCH 09/12] SC2006: Use $(...) notation instead of legacy backticks --- cleanLdapBrokenAliases.sh | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/cleanLdapBrokenAliases.sh b/cleanLdapBrokenAliases.sh index 4893d28..8826d85 100644 --- a/cleanLdapBrokenAliases.sh +++ b/cleanLdapBrokenAliases.sh @@ -71,7 +71,7 @@ MY_LDAP_BINDPW="secret" # Log header format # Could include unix commands # -MY_LOG_HEADER="`date +\"%b %e %T\"` `hostname` `basename $0`[$$]:" +MY_LOG_HEADER="$(date +\"%b %e %T\") $(hostname) $(basename $0)[$$]:" #------------------------------------------------------------------------ # INIT 
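Review bot: The `# shellcheck disable=SC2153` silences the warning but the line it covers is the one worth changing: `-w ${MY_LDAP_ROOTPW}` puts the directory's root bind password on the ldapsearch command line — once for the global search and again for every user — where any local account can read it from `ps` or `/proc/<pid>/cmdline`, and an empty `MY_LDAP_ROOTPW` would make `-w` swallow the next option. Writing the secret to a 0600 temp file and passing `-y "${pwfile}"` (OpenLDAP client tools), or `-W` with the password on stdin, keeps it off argv. SC2153 presumably fires because the variable is assigned in a sourced configuration file rather than here; a comment stating that (`# MY_LDAP_ROOTPW is set by the sourced config`) documents the reason better than a bare disable. `ldap_param`'s initial assignment is outside the hunk.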
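Review bot: `read -r` now preserves backslashes, but what it reads comes from `grep -iE '^dn:'`, which also matches base64-encoded DNs (`dn:: Y249…`, emitted for any DN with non-ASCII characters or leading/trailing spaces) and drops the continuation lines of DNs longer than ldapsearch's LDIF wrap width; in both cases the later `cut -d : -f 2` produces an empty or truncated base DN, and the per-user search silently returns the root DSE or nothing, so those users are never warned. Unfolding first (`ldapsearch -o ldif-wrap=no` where supported, or the `perl -p0e 's/\n //g'` idiom the sibling cleanLdapBrokenAliases.sh uses) and decoding `dn::` lines with `base64 -d` is needed before these DNs can be trusted. The `done < "${result_file}"` end of the loop is outside the hunk.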
@@ -92,11 +92,11 @@ MY_SCRIPTNAME="$0" # delete_broken_aliases() { # $1: search base dn - for alias_dn in `search_dn "$1" "sub" "(objectclass=alias)"` + for alias_dn in $(search_dn "$1" "sub" "(objectclass=alias)") do - object_dn=`search_aliasedObjectName "${alias_dn}"` - if [ `test_dn "${object_dn}"` -ne 0 ] ; then - if [ `delete_dn "${alias_dn}"` -eq 0 ] ; then + object_dn=$(search_aliasedObjectName "${alias_dn}") + if [ $(test_dn "${object_dn}") -ne 0 ] ; then + if [ $(delete_dn "${alias_dn}") -eq 0 ] ; then print_trace "removing broken alias ${alias_dn} [OK]" else print_trace "removing broken alias ${alias_dn} [FAILED]" From 29a917ab8d0606461d8944ab42e52dbdcd4d635b Mon Sep 17 00:00:00 2001 From: Xavier Bachelot Date: Mon, 13 Nov 2023 16:39:53 +0100 Subject: [PATCH 10/12] SC2086: Double quote to prevent globbing and word splitting --- cleanLdapBrokenAliases.sh | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/cleanLdapBrokenAliases.sh b/cleanLdapBrokenAliases.sh index 8826d85..6037892 100644 --- a/cleanLdapBrokenAliases.sh +++ b/cleanLdapBrokenAliases.sh @@ -71,7 +71,7 @@ MY_LDAP_BINDPW="secret" # Log header format # Could include unix commands # -MY_LOG_HEADER="$(date +\"%b %e %T\") $(hostname) $(basename $0)[$$]:" +MY_LOG_HEADER="$(date +\"%b %e %T\") $(hostname) $(basename "$0")[$$]:" #------------------------------------------------------------------------ # INIT @@ -110,7 +110,7 @@ delete_broken_aliases() { # delete_dn() { # $1: entry dn - ldapdelete ${MY_LDAP_AUTHTOKEN} "$1" > /dev/null 2>&1 + ldapdelete "${MY_LDAP_AUTHTOKEN}" "$1" > /dev/null 2>&1 echo $? } @@ -135,7 +135,7 @@ print_usage() { # search_aliasedObjectName() { # $1: alias dn - ldapsearch -LLL ${MY_LDAP_AUTHTOKEN} -b "$1" -s base aliasedObjectName \ + ldapsearch -LLL "${MY_LDAP_AUTHTOKEN}" -b "$1" -s base aliasedObjectName \ | perl -p0e 's/\n //g' | grep -i "aliasedObjectName" | awk -F': ' '{print $2}' } 
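Review bot: `for alias_dn in $(search_dn …)` splits the DN list on whitespace, so an alias whose DN contains a space (`cn=John Doe,ou=…` is a common shape) arrives as two or more fragments; `test_dn` fails on each fragment and `delete_dn` is then attempted on it, which ldapdelete rejects, so the genuinely broken alias stays in place and the log fills with `[FAILED]` lines for DNs that were never examined whole. Reading line by line keeps each DN intact: `search_dn "$1" "sub" "(objectclass=alias)" | while IFS= read -r alias_dn; do … done`. The deletion decision also hinges on any non-zero ldapsearch status rather than on the target being absent, which is the more dangerous half of this loop given the privileged bind.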
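Review bot: `$(date +\"%b %e %T\")` keeps the backslash-escaped quotes that backticks needed, so inside the substitution they become literal `"` characters and the format is split into the three words `+"%b`, `%e`, `%T"`, which GNU date treats as extra operands; `$(date '+%b %e %T')` is the form that says what is meant, and the same line exists in checkLdapPwdExpiration.sh. The hunk header shows `MY_LDAP_BINDPW="secret"` a few lines above: a bind password defaulting to a literal in an executable script means the file must be mode 0600 or the value must come from a sourced config with that mode — worth a comment next to the assignment, although that line is outside this change.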
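Review bot: `ldapdelete "${MY_LDAP_AUTHTOKEN}" "$1"` now passes the whole auth token as one argument; its assignment is not in this hunk, but the name and the original unquoted use suggest it holds several options (`-x -D … -w …`), in which case ldapdelete receives one unparsable word and every removal ends in `[FAILED]`. If so, the token belongs in an array — `MY_LDAP_AUTHTOKEN=(-x -D "${MY_LDAP_BINDDN}" -w "${MY_LDAP_BINDPW}")` used as `"${MY_LDAP_AUTHTOKEN[@]}"` — which also makes it easy to switch the password to `-y file` instead of leaving it in the process list. `echo $?` as the function's result is what the callers compare, so changing it to `return` would be a wider edit than this series.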
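Review bot: `grep -i "aliasedObjectName" | awk -F': ' '{print $2}'` returns the raw base64 text when ldapsearch encodes the target DN (`aliasedObjectName:: Y249…`, which happens for any DN with non-ASCII characters), because `:: ` still splits on `: `; `test_dn` is then run on that base64 string, fails, and the alias is deleted although its target exists. The same applies to `search_dn` for the alias DNs themselves. Detect the `::` form and decode it with `base64 -d` before returning, or skip such entries with a log line, before this script is pointed at a tree with non-ASCII DNs; the `"${MY_LDAP_AUTHTOKEN}"` quoting on this line has the same single-argument concern as in `delete_dn`.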
@@ -146,7 +146,7 @@ search_dn() { # $1: base dn # $2: scope # $3: filter - ldapsearch -LLL ${MY_LDAP_AUTHTOKEN} -b "$1" -S "" -s "$2" "$3" dn \ + ldapsearch -LLL "${MY_LDAP_AUTHTOKEN}" -b "$1" -S "" -s "$2" "$3" dn \ | perl -p0e 's/\n //g' | awk -F': ' '{print $2}' } @@ -155,7 +155,7 @@ search_dn() { # test_dn() { # $1: entry dn - ldapsearch -LLL ${MY_LDAP_AUTHTOKEN} -b "$1" -s base dn > /dev/null 2>&1 + ldapsearch -LLL "${MY_LDAP_AUTHTOKEN}" -b "$1" -s base dn > /dev/null 2>&1 echo $? } From 8cf191228d56dd14ad85248fde5c10ce9164daa5 Mon Sep 17 00:00:00 2001 From: Xavier Bachelot Date: Mon, 13 Nov 2023 16:48:59 +0100 Subject: [PATCH 11/12] Workaround SC2028: echo may not expand escape sequences. Use printf --- cleanLdapBrokenAliases.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cleanLdapBrokenAliases.sh b/cleanLdapBrokenAliases.sh index 6037892..ba1f4d2 100644 --- a/cleanLdapBrokenAliases.sh +++ b/cleanLdapBrokenAliases.sh @@ -127,7 +127,7 @@ print_trace() { # print_usage() { echo "Usage : ${MY_SCRIPTNAME}]" 1>&2 - echo "\t-b " 1>&2 + echo " -b " 1>&2 } # From 8e70190bd83687d102b1ff96407b7d56cfaae2f3 Mon Sep 17 00:00:00 2001 From: Xavier Bachelot Date: Mon, 13 Nov 2023 16:50:16 +0100 Subject: [PATCH 12/12] More double quotes --- cleanLdapBrokenAliases.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cleanLdapBrokenAliases.sh b/cleanLdapBrokenAliases.sh index ba1f4d2..9b50979 100644 --- a/cleanLdapBrokenAliases.sh +++ b/cleanLdapBrokenAliases.sh @@ -95,8 +95,8 @@ delete_broken_aliases() { for alias_dn in $(search_dn "$1" "sub" "(objectclass=alias)") do object_dn=$(search_aliasedObjectName "${alias_dn}") - if [ $(test_dn "${object_dn}") -ne 0 ] ; then - if [ $(delete_dn "${alias_dn}") -eq 0 ] ; then + if [ "$(test_dn "${object_dn}")" -ne 0 ] ; then + if [ "$(delete_dn "${alias_dn}")" -eq 0 ] ; then print_trace "removing broken alias ${alias_dn} [OK]" else print_trace "removing broken alias ${alias_dn} [FAILED]"
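Review bot: The commit subject says "use printf" but the new line is still `echo " -b " 1>&2`, which only swaps the `\t` for a space; `printf '\t-b base_dn\n' 1>&2` keeps the tab, is portable across echo implementations, and matches the message (the argument name after `-b` appears to have been lost from the usage text, possibly in the rendering of this page). The `]` at the end of `Usage : ${MY_SCRIPTNAME}]` on the line above has no opening bracket and looks like a typo, though it is context rather than part of this change.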
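Review bot: `[ "$(test_dn "${object_dn}")" -ne 0 ]` still deletes the alias on any failure of the lookup, not only when the target is missing: ldapsearch exits non-zero for a refused connection, a timeout, a size/time limit or a malformed DN, so one directory hiccup during the run removes every alias the loop reaches afterwards, and an ACL that hides the target typically answers `noSuchObject` too, so an ACL change can wipe the aliases as well. Compare against the specific result code instead, `if [ "$(test_dn "${object_dn}")" -eq 32 ] ; then` (LDAP_NO_SUCH_OBJECT), log every other non-zero status without deleting, and `continue` when `object_dn` is empty, since `test_dn ""` queries the root DSE and succeeds, so an alias whose target attribute could not be read is skipped silently rather than reported. Because the script binds with a privileged account and deletes on an ambiguous signal, a dry-run option that only prints the candidates would be a worthwhile addition.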