forked from PatchMon/PatchMon-agent
Closed
Description
Shell scripts are dynamically generated and written to disk, then executed. While the content is hardcoded (not user-controlled), this pattern is risky. An attacker who can write to `/etc/patchmon/` could potentially replace the script between creation and execution.
Locations
- `cmd/patchmon-agent/commands/serve.go` lines 501-531
- `cmd/patchmon-agent/commands/version_update.go` lines 566-597, 605-647
```go
helperScript := `#!/bin/sh
sleep 2
systemctl restart patchmon-agent 2>&1 || systemctl start patchmon-agent 2>&1
rm -f "$0"
`
helperPath := "/etc/patchmon/patchmon-restart-helper.sh"
// The script is written with mode 0755 to a fixed, predictable path...
if err := os.WriteFile(helperPath, []byte(helperScript), 0755); err != nil {
	// ...
}
// ...and then executed by path: the gap between these two calls is the race window.
cmd := exec.Command("sh", "-c", fmt.Sprintf("nohup %s > /dev/null 2>&1 &", helperPath))
```

Impact
- TOCTOU race condition between file creation and execution
- Script could be replaced by attacker with file system access
- Elevated code execution risk
Recommended Fix
- Use direct system calls or Go-native methods to restart services:

```go
// Instead of a shell script, use the systemd D-Bus interface
import "github.com/coreos/go-systemd/v22/dbus"

func restartService() error {
	conn, err := dbus.NewSystemdConnection()
	if err != nil {
		return err
	}
	defer conn.Close()
	_, err = conn.RestartUnit("patchmon-agent.service", "replace", nil)
	return err
}
```

- If scripts must be used:
  - Create the script with restrictive permissions (0700)
  - Verify script content integrity before execution
  - Use atomic file operations
  - Consider using a fixed script installed during setup
Severity
🟠 HIGH - Privilege escalation risk
Labels
security, high