martinholovsky / Securix-Linux

Securix Main repository including installer and control scripts
https://www.securix.org
GNU General Public License v3.0

some code paths for checking for non-zero exit code never reached due to trap ERR #66

Open adrelanos opened 9 years ago

adrelanos commented 9 years ago

Due to trap ERR, I think currently a few [ $? -ne 0 ] checks will never be used.


https://github.com/martincmelik/Securix-Linux/blob/master/securix-install/install.sh#L404

# check networking
wget --timeout=30 --delete-after -q http://www.google.com
if [ $? -ne 0 ]; then
    f_msg error "ERROR: Unable to contact google.com!"
    f_msg info  "Yes, Google can be down, but Occam's Razor would suggest \
that you have problem with your Internet connectivity."
    f_msg info " --- Please setup http_proxy or fix network issue"
    exit_on_error
fi

https://github.com/martincmelik/Securix-Linux/blob/master/securix-install/install.sh#L419

    openssl dgst -sha512 -verify securix-codesign.pub -signature install.sh.sign ${BASH_SOURCE}
    if [ $? -ne 0 ]; then
        f_msg error "Verification failed!"
        f_msg warn "If YOU modified install script, you can skip this check by ./install.sh --skipsign"
        exit_on_error
    fi

https://github.com/martincmelik/Securix-Linux/blob/master/securix-install/install.sh#L861

shasum -a 512 -c checksum >/dev/null
if [ $? -eq 0 ]; then
    f_msg info "--- SHA512 checksum: OK"
    rm -f checksum
else
    f_msg error "--- Problem when computing checksum of Securix files!!"
    grep -E 'chroot.sh|conf.tar.gz' sha512.list && shasum -a 512 chroot.sh conf.tar.gz
    exit_on_error
fi

https://github.com/martincmelik/Securix-Linux/blob/master/securix-install/install.sh#L789

if [ $? -ne 0 ]; then
    f_msg error "Gentoo GPG signature of stage3 file do not match !!"
    exit_on_error
fi

https://github.com/martincmelik/Securix-Linux/blob/master/securix-install/install.sh#L797

statusc=$?

https://github.com/martincmelik/Securix-Linux/blob/master/securix-install/install.sh#L813

statusd=$?

https://github.com/martincmelik/Securix-Linux/blob/master/securix-install/chroot.sh#L130

eselect profile set $PROFILE
if [ $? -ne 0 ]; then
     f_msg error "ERROR: There seems to be problem when setup hardened profile"
     exit_on_error
fi

There might be a few others. In other scripts? Just search for $?.


Personally I am using something like this.

 id "$user_name" || { id_exit_code="$?" ; true; };

But how to fix this is a stylistic question.

martinholovsky commented 9 years ago

Yep, I need to make a cleanup.

If a sigspec is ERR, the command arg is executed whenever a simple command has a non-zero exit status, subject to the following conditions. The ERR trap is not executed if the failed command is part of the command list immediately following an until or while keyword, part of the test following the if or elif reserved words, part of a command executed in a && or || list, or if the command’s return status is being inverted using !. These are the same conditions obeyed by the errexit option.

Will plan to do this
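
The ERR-trap conditions quoted above, as an added example that is not part of the thread or of Securix's scripts: the same failing check written three ways, each run in a child bash whose ERR trap exits. The `verify` stub, the `PRELUDE` and `run_pattern` names and the trap's exit status 99 are assumptions made for the demo.

```bash
#!/usr/bin/env bash
# Added demo (constructed): each snippet runs in a child bash whose ERR trap
# exits, which is the assumed behaviour of the installer's trap.
PRELUDE='
trap "echo TRAP; exit 99" ERR
verify() { return 1; }   # hypothetical stand-in for a failing openssl/shasum check
'

# Shape used in the issue: status tested on the following line.
# The trap fires on "verify" first, so the handler is dead code.
after_check='
verify
if [ $? -ne 0 ]; then echo "HANDLER: Verification failed!"; exit 1; fi
'

# Command is the test of "if": exempt from ERR, handler runs.
in_condition='
if ! verify; then echo "HANDLER: Verification failed!"; exit 1; fi
'

# Command is part of a || list: exempt from ERR, status kept in rc.
# The handler must exit itself, because the trap no longer guards this command.
or_capture='
rc=0
verify || rc=$?
if [ "$rc" -ne 0 ]; then echo "HANDLER: rc=$rc"; exit 1; fi
'

# Run one snippet and print "<output> status=<exit status of the child>".
run_pattern() {
    status=0
    out=$(bash -c "$PRELUDE$1" 2>&1) || status=$?
    printf '%s status=%s\n' "$out" "$status"
}

run_pattern "$after_check"     # TRAP status=99
run_pattern "$in_condition"    # HANDLER: Verification failed! status=1
run_pattern "$or_capture"      # HANDLER: rc=1 status=1
```

In the first shape the script still aborts on a failed check, but only through the trap, so the specific message and any hint in the handler are never shown.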

martinholovsky commented 9 years ago

Few more notes: Consider use of this

set -o pipefail
set -o errtrace
set -o nounset
set -o errexit

adrelanos commented 9 years ago

Interesting! I found "nounset" to be unproductive. But I will be curious to see your conclusion!

"trap ERR"'s are my preferred way over "errexit". Combining those seems counterproductive to me leading to confusing results. Except, sometimes I find it useful to temporarily set "errexit" before setup of the real "trap ERR" has been done.

(Related: "enable errtrace" (#60))