<p>Contributions by JuanPotato, BigNerd95, TiagoDanin, and iicc1.</p>
<p>Released to the public domain wherever applicable. Elsewhere, consider it released under the <ahref="http://www.wtfpl.net/txt/copying/">WTFPLv2</a>.</p>
<p>Even bashbot is written in bash, it depends on commands typically availible in a Unix/Linux Environment. More concret on the common commands provided by recent versions of <ahref="https://en.wikipedia.org/wiki/List_of_GNU_Core_Utilities_commands">coreutils</a>, <ahref="https://en.wikipedia.org/wiki/BusyBox#Commands">busybox</a> or <ahref="https://landley.net/toybox/help.html">toybox</a>, see <ahref="doc/7_develop.md#common-commands">Developer Notes</a></p>
<p><em>Note for MacOS and BSD Users:</em> As bashbot use behavior of recent bash and (gnu)sed versions, bashbot may not run without installing additional software, see <ahref="doc/0_install.md">Install Bashbot</a></p>
<p>Bashbot <ahref="https://github.com/topkecleon/telegram-bot-bash">Documentation</a> and <ahref="https://github.com/topkecleon/telegram-bot-bash/releases">Downloads</a> are availible on www.github.com</p>
<p>To install and run bashbot you need acess to a linux/unix command line. If you don't know how to get accces to a linux/unix/bsd like command line you should stop reading here :-(</p>
<p>In addition you need a <ahref="https://telegram.org">Telegram client</a> and a mobile phone to <ahref="https://telegramguide.com/create-a-telegram-account/">register an account</a>. If you don't want to register for Telegram you should stop reading here ;-)</p>
<p>After you're registered to Telegram send a message to <ahref="https://telegram.me/botfather">@botfather</a>, <ahref="doc/1_firstbot.md">create a new Telegram Bot token</a> and write it down. You need the token to install the bot.</p>
<p>Now open a linux/unix/bsd terminal and check if bash is installed: <code>which bash && echo "bash installed!"</code>. If you get an error message bash is not installed.</p>
<p>Create a new directory and change to it: <code>mkdir tbb; cd tbb</code> and download the latest '*.tar.gz' file from <ahref="https://github.com/topkecleon/telegram-bot-bash/releases">https://github.com/topkecleon/telegram-bot-bash/releases</a>. This can be done with the commands:</p>
<p>Extract the '*.tar.gz' file and change to bashbot directory: <code>tar -xzf *.tar.gz; cd telegram-bot-bash</code>, install bashbot: <code>./bashbot.sh init</code> and enter your bot token when asked. All other questions can be answered by hitting the <Return> key.</p>
<p>Bash scripts in general are not designed to be bullet proof, so consider this Bot as a proof of concept. Bash programmers often struggle with 'quoting hell' and globbing, see <ahref="https://unix.stackexchange.com/questions/171346/security-implications-of-forgetting-to-quote-a-variable-in-bash-posix-shells">Implications of wrong quoting</a></p>
<p>Whenever you are processing input from from untrusted sources (messages, files, network) you must be as carefull as possible, e.g. set IFS appropriate, disable globbing (set -f) and quote everthing. In addition delete unused scripts and examples from your Bot, e.g. scripts 'notify', 'calc', 'question', and disable all not used commands.</p>
<p><strong>Note:</strong> Until v0.941 (mai/22/2020) telegram-bot-bash has a remote code execution bug, pls update if you use an older version! One of the most powerful features of unix shells like bash is variable and command substitution, this can lead to RCE and information disclosing bugs if you do not escape '$' porperly, see <ahref="https://github.com/topkecleon/telegram-bot-bash/issues/125">Issue #125</a></p>
<p>A powerful tool to improve your scripts is <code>shellcheck</code>. You can <ahref="https://www.shellcheck.net/">use it online</a> or <ahref="https://github.com/koalaman/shellcheck#installing">install shellcheck locally</a>. Shellcheck is used extensive in bashbot development to enshure a high code quality, e.g. it's not allowed to push changes without passing all shellcheck tests. In addition bashbot has a <ahref="doc/7_develop.md">test suite</a> to check if important functionality is working as expected.</p>
<p>If you're writing a script and it is taking external input (from the user as arguments, or file names from the file system...), you shouldn't use echo to display it. <ahref="https://unix.stackexchange.com/a/6581">Use printf whenever possible</a></p>
<divclass="sourceCode"id="cb3"><preclass="sourceCode bash"><codeclass="sourceCode bash"><aclass="sourceLine"id="cb3-1"title="1"><spanclass="co"># very simple</span></a>
<aclass="sourceLine"id="cb3-2"title="2"><spanclass="bu">echo</span><spanclass="st">"text with variables. PWD=</span><spanclass="va">$PWD</span><spanclass="st">"</span></a>
<aclass="sourceLine"id="cb3-3"title="3"><spanclass="bu">printf</span><spanclass="st">'%s\n'</span><spanclass="st">"text with variables. PWD=</span><spanclass="va">$PWD</span><spanclass="st">"</span></a>
<aclass="sourceLine"id="cb3-4"title="4"><spanclass="ex">-</span><spanclass="op">></span> text with variables. PWD=/home/xxx</a>
<aclass="sourceLine"id="cb3-5"title="5"></a>
<aclass="sourceLine"id="cb3-6"title="6"><spanclass="co"># more advanced</span></a>
<p>Using a fixed path to the system provided bash makes it harder for attackers or users to place alternative versions of bash and avoids using a possibly broken, mangled or compromised bash executable.</p>
<p>If you are a BSD / MacOS user or must to use an other bash location, see <ahref="doc/0_install.md">Install Bashbot</a></p>
<p><strong>I recommend to run your bot as a user, with almost no access rights.</strong> All files your Bot have write access to are in danger to be overwritten/deleted if your bot is hacked. For the same reason ervery file your Bot can read is in danger to be disclosed. Restict your Bots access rigths to the absolute minimum.</p>
<p><strong>Never run your Bot as root, this is the most dangerous you can do!</strong> Usually the user 'nobody' has almost no rights on Unix/Linux systems. See <ahref="doc/4_expert.md">Expert use</a> on how to run your Bot as an other user.</p>
<p><strong>Your Bot configuration must no be readable from other users.</strong> Everyone who can read your Bots token can act as your Bot and has access to all chats your Bot is in!</p>
<p>Everyone with read access to your Bot files can extract your Bots data. Especially your Bot Token in <code>token</code> must be protected against other users. No one exept you must have write access to the Bot files. The Bot must be restricted to have write access to <code>count</code> and <code>tmp-bot-bash</code> only, all other files must be write protected.</p>
<p>To set access rights for your bashbot installation to a reasonable default run <code>sudo ./bashbot.sh init</code> after every update or change to your installation directory.</p>
<p>Bashbot is not more (in)secure as any other Bot written in any other language, we have done our best to make it as secure as possible. But YOU are responsible for the bot commands you wrote and you should know about the risks ...</p>
<h3>Can I have the single bashbot.sh file back?</h3>
<p>At the beginning bashbot was simply the file <code>bashbot.sh</code> you can copy everywhere and run the bot. Now we have 'commands.sh', 'mycommands.sh', 'modules/*.sh' and much more.</p>
<p>Hey no Problem, if you are finished with your cool bot run <code>dev/make-standalone.sh</code> to create a stripped down Version of your bot containing only 'bashbot.sh' and 'commands.sh'! For more information see <ahref="doc/7_develop.md">Create a stripped down Version of your Bot</a></p>
<h3>Can I send messages from CLI and scripts?</h3>
<p>Of course, you can send messages from CLI and scripts, simply install bashbot as <ahref="#Your-really-first-bashbot-in-a-nutshell">described here</a>, send the messsage '/start' to set yourself as botadmin and stop the bot with <code>./bashbot.sh kill</code>.</p>
<p>This may happen if to many wrong requests are sent to api.telegram.org, e.g. using a wrong token or not existing API calls. If you have a fixed IP you can ask telegram service to unblock your ip or change your IP. If you are running a socks or tor proxy on your server look for the <code>BASHBOT_CURL_ARGS</code> lines in 'mycommands.sh' as example.</p>