Fail to run Linux command with double quotes using executeSystemCommand

[raine93]

I am trying to execute a Linux command using executeSystemCommand but it unable to execute

Command:
/bin/sh -c "chown 0777 /var/test/123.sh"

tried to follow this solution but it will just give error 0777: "chown: command not found
https://stackoverflow.com/questions/71204716/how-should-esapi-executesystemcommand-sanitise-the-file-path-properly-to-satisfy

I put the full path of chown, it will also give the error 0777: "/usr/bin/chown: No such file or directory

Code:

Executor executor = ESAPI.executor();
File binSh = new File("/bin/sh").getCanonicalFile();

Codec codec = new UnixCodec();
List params = new ArrayList();

File workdir = new File( "/var");

params.add("-c");
params.add("\"chown");
params.add("0777");
params.add("/var/test/123.sh\"");

ExecuteResult result = executor.executeSystemCommand(binSh, params, workdir, codec, true, false);

[kwwall]

First off, I would suggest looking at the Junit test example, here: https://github.com/ESAPI/esapi-java-legacy/blob/develop/src/test/java/org/owasp/esapi/reference/ExecutorTest.java#L245-L279

(You shouldn't need the stuff on lines 259-265 since you presumably are not running this from JUnit so you don't need to override the ESAPI.properties configuration.)

However, what seems odd to me is that the places where you are explicitly including the double-quote. I don't think that is needed. I think ESAPI will add it for you when you call the executeSystemCommand method. (At least, I don't see that in the JUnit example.)

Thus, instead of:

params.add("\"chown");

and

params.add("/var/test/123.sh\"");

try:

params.add("chown");

and

params.add("/var/test/123.sh");

respectively. That's more in line with the JUnit example. Let us know if it works or not.

[raine93]

Hi, thanks for the quick response. I have tried your method and it returns me the error
chown: missing operand
Try 'chown --help' for more information.

First off, I would suggest looking at the Junit test example, here: https://github.com/ESAPI/esapi-java-legacy/blob/develop/src/test/java/org/owasp/esapi/reference/ExecutorTest.java#L245-L279

(You shouldn't need the stuff on lines 259-265 since you presumably are not running this from JUnit so you don't need to override the ESAPI.properties configuration.)

However, what seems odd to me is that the places where you are explicitly including the double-quote. I don't think that is needed. I think ESAPI will add it for you when you call the executeSystemCommand method. (At least, I don't see that in the JUnit example.)

Thus, instead of:

params.add("\"chown");

and

params.add("/var/test/123.sh\"");

try:

params.add("chown");

and

params.add("/var/test/123.sh");

respectively. That's more in line with the JUnit example. Let us know if it works or not.

[jeremiahjstacey]

@raine93 - That looks like you missed syntax to chown.
Did you happen to leave out your original line which defines the new permissions?
params.add("0777");

[raine93]

I change my code to this

params.add("-c");
params.add("chown");
params.add("user1");
params.add("/var/test/123.sh");

It is still the same error chown: missing operand
Try 'chown --help' for more information.

If I run the command (/usr/bin/bash -c chown user1 /var/test/123.sh) in the terminal, it will have the same error. Looks like it did not add the double quotes in the executeSystemCommand

@raine93 - That looks like you missed syntax to chown. Did you happen to leave out your original line which defines the new permissions? params.add("0777");

[jeremiahjstacey]

https://linux.die.net/man/1/chown
Still looks like your chown syntax is wrong to me.

EG:

• You may (or may not be) missing the group associated to your user
• if the -c is meant to be the changes option to chown, then your content is misordered.

From what I'm gathering, your command might look something like:
/usr/bin/bash chown -c user1:${userGroupHere} /var/test/123

to replicate that, I believe you would create the code much like below

params.add("chown");
params.add("-c");
params.add("user1:${userGroupHere}");
params.add("/var/test/123.sh");

Please note that you'll need to substitute a valid group for user1 on your system.
The quotes should not be needed unless your path has unescaped spaces, or you're trying to perform variable resolution (neither appears to be true)

[raine93]

No, the command is correct. in my code:

Executor executor = ESAPI.executor();
File binSh = new File("/bin/sh").getCanonicalFile();

Codec codec = new UnixCodec();
List params = new ArrayList();

File workdir = new File( "/var");

params.add("-c");
params.add("chown");
params.add("user1");
params.add("/var/test/123.sh");

ExecuteResult result = executor.executeSystemCommand(binSh, params, workdir, codec, true, false);

I am trying to execute command:
/bin/sh -c "chown user1 /var/test/123.sh"

-c is the option for bash to execute command string. I have tested the command in terminal and it works. However, without the double quotes, it will have the same error of missing operand

https://linux.die.net/man/1/chown Still looks like your chown syntax is wrong to me.

EG:

• You may (or may not be) missing the group associated to your user
• if the -c is meant to be the changes option to chown, then your content is misordered.

From what I'm gathering, your command might look something like: /usr/bin/bash chown -c user1:${userGroupHere} /var/test/123

to replicate that, I believe you would create the code much like below

params.add("chown");
params.add("-c");
params.add("user1:${userGroupHere}");
params.add("/var/test/123.sh");

Please note that you'll need to substitute a valid group for user1 on your system. The quotes should not be needed unless your path has unescaped spaces, or you're trying to perform variable resolution (neither appears to be true)

[jeremiahjstacey]

What additional output do you see when you redirect the errorstream?
executor.executeSystemCommand(binSh, params, workdir, codec, true, true);

[raine93]

Is the same error: chown: missing operand
Try 'chown --help' for more information.

What additional output do you see when you redirect the errorstream? executor.executeSystemCommand(binSh, params, workdir, codec, true, true);

[xeno6696]

Your very first command should work if you use “chmod” instead of “chown”

Chown doesn’t take a permissions argument like you’re passing.

[xeno6696]

What Linux distro are you using?

chown and chmod each might be in /usr/sbin

also worth checking to see what user your Java process is running as, if it’s say, tomcat:tomcat it won’t have access to those commands.

[raine93]

Yes, i realized I made a mistake then I change to chown but the error is still happening because there is no double quotes if I do not specify and if I specify, it will escape my quotes

Your very first command should work if you use “chmod” instead of “chown”

Chown doesn’t take a permissions argument like you’re passing.

[raine93]

I am using oracle 8 with latest esapi release version. The error happening now is missing operand instead of command not found. I am thinking executeSystemCommand does not support executing command string with bash -c

What Linux distro are you using?

chown and chmod each might be in /usr/sbin

also worth checking to see what user your Java process is running as, if it’s say, tomcat:tomcat it won’t have access to those commands.

[xeno6696]

Apologies, Oracle 8 isn’t an operating system unless I’m missing something, Oracle 8 ought to be running on top of something else. I’m willing to try testing but it’s a crapshoot if I don’t use the same OS.  RHEL does some different things from Debian.

…

On Nov 22, 2024 at 22:32 -0700, PQ C ***@***.***>, wrote: I am using oracle 8 with latest esapi release version. The error happening now is missing operand instead of command not found. I am thinking executeSystemCommand does not support executing command string with bash -c > What Linux distro are you using? > chown and chmod each might be in /usr/sbin > also worth checking to see what user your Java process is running as, if it’s say, tomcat:tomcat it won’t have access to those commands. — Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you commented.Message ID: ***@***.***>

[kwwall]

Suggestion : run your code in a debugger and set a breakpoint in DefaultExecutor.executeSystemCommand in the variant you are using, and single step through it. Or maybe set the log level to DEBUG. I'm heading to bed, but will try to look at it tomorrow.

…

-kevin

On Sat, Nov 23, 2024, 12:32 AM PQ C ***@***.***> wrote: I am using oracle 8 with latest esapi release version. The error happening now is missing operand instead of command not found. I am thinking executeSystemCommand does not support executing command string with bash -c What Linux distro are you using? chown and chmod each might be in /usr/sbin also worth checking to see what user your Java process is running as, if it’s say, tomcat:tomcat it won’t have access to those commands. — Reply to this email directly, view it on GitHub <#858 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAO6PG7VZNZ5DMSM5GJAODL2CAHQRAVCNFSM6AAAAABSF5OIPCVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDIOJVGMZDKNBUGI> . You are receiving this because you commented.Message ID: ***@***.***>

[raine93]

I am using Oracle Linux 8 and it is built on RHEL

Apologies, Oracle 8 isn’t an operating system unless I’m missing something, Oracle 8 ought to be running on top of something else. I’m willing to try testing but it’s a crapshoot if I don’t use the same OS.  RHEL does some different things from Debian.
…
On Nov 22, 2024 at 22:32 -0700, PQ C @.>, wrote: I am using oracle 8 with latest esapi release version. The error happening now is missing operand instead of command not found. I am thinking executeSystemCommand does not support executing command string with bash -c > What Linux distro are you using? > chown and chmod each might be in /usr/sbin > also worth checking to see what user your Java process is running as, if it’s say, tomcat:tomcat it won’t have access to those commands. — Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you commented.Message ID: @.>