mirror of
https://github.com/octoleo/telegram-bot-bash.git
synced 2024-12-28 04:45:00 +00:00
some spellchecking of README
This commit is contained in:
parent
6e0242368e
commit
f3bb5d9a9a
46
README.html
46
README.html
@ -85,9 +85,9 @@ code span.wa { color: #60a0b0; font-weight: bold; font-style: italic; } /* Warni
|
||||
<h2><img align="middle" src="https://raw.githubusercontent.com/odb/official-bash-logo/master/assets/Logos/Icons/PNG/64x64.png" >
|
||||
Bashbot - A Telegram bot written in bash.
|
||||
</h2>
|
||||
Written by Drew (@topkecleon), Daniil Gentili (@danogentili), and Kay M (@gnadelwartz).
|
||||
Written by Drew (@topkecleon) and Kay M (@gnadelwartz).
|
||||
|
||||
<p>Contributions by JuanPotato, BigNerd95, TiagoDanin, and iicc1.</p>
|
||||
<p>Contributions by Daniil Gentili (@danogentili), JuanPotato, BigNerd95, TiagoDanin, and iicc1.</p>
|
||||
<p>Released to the public domain wherever applicable. Elsewhere, consider it released under the <a href="http://www.wtfpl.net/txt/copying/">WTFPLv2</a>.</p>
|
||||
<h2>Prerequisites</h2>
|
||||
<p>Uses <a href="http://github.com/dominictarr/JSON.sh">JSON.sh</a> and the magic of sed.</p>
|
||||
@ -153,11 +153,11 @@ Written by Drew (@topkecleon), Daniil Gentili (@danogentili), and Kay M (@gnadel
|
||||
<li><a href="examples/README.md">Examples Dir</a></li>
|
||||
</ul>
|
||||
<h3>Your really first bashbot in a nutshell</h3>
|
||||
<p>To install and run bashbot you need access to a linux/unix command line. If you don't know how to get access to a linux/unix/bsd like command line you should stop reading here :-(</p>
|
||||
<p>To install and run bashbot you need access to a linux/unix command line. If you don't know how to get access to a linux/unixe command line you should stop reading here :-(</p>
|
||||
<p>In addition you need a <a href="https://telegram.org">Telegram client</a> and a mobile phone to <a href="https://telegramguide.com/create-a-telegram-account/">register an account</a>. If you don't want to register for Telegram you should stop reading here ;-)</p>
|
||||
<p>After you're registered to Telegram send a message to <a href="https://telegram.me/botfather">@botfather</a>, <a href="doc/1_firstbot.md">create a new Telegram Bot token</a> and write it down. You need the token to install the bot.</p>
|
||||
<p>Now open a linux/unix/bsd terminal and check if bash is installed: <code>which bash && echo "bash installed!"</code>. If you get an error message bash is not installed.</p>
|
||||
<p>Create a new directory and change to it: <code>mkdir tbb; cd tbb</code> and download the latest '*.tar.gz' file from <a href="https://github.com/topkecleon/telegram-bot-bash/releases">https://github.com/topkecleon/telegram-bot-bash/releases</a>. This can be done with the commands:</p>
|
||||
<p>Now open a terminal and check if bash is installed: <code>which bash && echo "bash installed!"</code>. If you get an error message bash is not installed.</p>
|
||||
<p>Create a new directory, change to it: <code>mkdir tbb; cd tbb</code> and download the latest '*.tar.gz' file from <a href="https://github.com/topkecleon/telegram-bot-bash/releases">https://github.com/topkecleon/telegram-bot-bash/releases</a>. This can be done with the commands:</p>
|
||||
<div class="sourceCode" id="cb1"><pre class="sourceCode bash"><code class="sourceCode bash"><a class="sourceLine" id="cb1-1" title="1"><span class="fu">wget</span> -q https://github.com/<span class="va">$(</span><span class="fu">wget</span> -q https://github.com/topkecleon/telegram-bot-bash/releases/latest -O - <span class="kw">|</span> <span class="fu">egrep</span> <span class="st">'/.*/.*/.*tar.gz'</span> -o<span class="va">)</span></a></code></pre></div>
|
||||
<p>Extract the '*.tar.gz' file and change to bashbot directory: <code>tar -xzf *.tar.gz; cd telegram-bot-bash</code>, install bashbot: <code>./bashbot.sh init</code> and enter your bot token when asked. All other questions can be answered by hitting the <Return> key.</p>
|
||||
<p>That's all, now you can start your bot with <code>./bashbot.sh start</code> and send him messages:</p>
|
||||
@ -189,12 +189,12 @@ It features background tasks and interactive chats, and can serve as an interfac
|
||||
<h2>Security Considerations</h2>
|
||||
<p>Running a Telegram Bot means it is connected to the public and you never know what's send to your Bot.</p>
|
||||
<p>Bash scripts in general are not designed to be bullet proof, so consider this Bot as a proof of concept. Bash programmers often struggle with 'quoting hell' and globbing, see <a href="https://unix.stackexchange.com/questions/171346/security-implications-of-forgetting-to-quote-a-variable-in-bash-posix-shells">Implications of wrong quoting</a></p>
|
||||
<p>Whenever you are processing input from from untrusted sources (messages, files, network) you must be as careful as possible, e.g. set IFS appropriate, disable globbing (set -f) and quote everything. In addition delete unused scripts and examples from your Bot, e.g. scripts 'notify', 'calc', 'question', and disable all not used commands.</p>
|
||||
<p><strong>Note:</strong> Until v0.941 (mai/22/2020) telegram-bot-bash had a remote code execution (RCE) bug, pls update if you use an older version! see <a href="https://github.com/topkecleon/telegram-bot-bash/issues/125">Issue #125</a></p>
|
||||
<p>One of the most powerful features of unix shells like bash is variable and command substitution using <code>${}</code> and <code>$()</code>, but as they are expanded in double quotes, this can lead to RCE and information disclosing bugs in complex scripts like bashbot even bash does much to avoid this. So it's more secure to escape or remove '$' in input from user, files or network.</p>
|
||||
<p>A powerful tool to improve your scripts is <code>shellcheck</code>. You can <a href="https://www.shellcheck.net/">use it online</a> or <a href="https://github.com/koalaman/shellcheck#installing">install shellcheck locally</a>. Shellcheck is used extensive in bashbot development to enshure a high code quality, e.g. it's not allowed to push changes without passing all shellcheck tests. In addition bashbot has a <a href="doc/7_develop.md">test suite</a> to check if important functionality is working as expected.</p>
|
||||
<h3>use printf whenever possible</h3>
|
||||
<p>If you're writing a script and it is taking external input (from the user as arguments, or file names from the file system...), you shouldn't use echo to display it. <a href="https://unix.stackexchange.com/a/6581">Use printf whenever possible</a></p>
|
||||
<p>Whenever you are processing input from untrusted sources (messages, files, network) you must be as careful as possible, e.g. set IFS appropriate, disable globbing (set -f) and quote everything. In addition delete unused scripts and examples from your Bot, e.g. scripts 'notify', 'calc', 'question', and disable all not used commands.</p>
|
||||
<p><strong>Note:</strong> Until v0.941 (mai/22/2020) telegram-bot-bash had a remote code execution (RCE) bug, please update if you use an older version! see <a href="https://github.com/topkecleon/telegram-bot-bash/issues/125">Issue #125</a></p>
|
||||
<p>One of the most powerful features of unix shells is variable and command substitution using <code>${}</code> and <code>$()</code>, but as they are expanded in double quotes, this can lead to RCE and information disclosing bugs in complex scripts like bashbot. So it's more secure to escape or remove '$' in input from user, files or network.</p>
|
||||
<p>A powerful tool to improve your scripts is <code>shellcheck</code>. You can <a href="https://www.shellcheck.net/">use it online</a> or <a href="https://github.com/koalaman/shellcheck#installing">install shellcheck locally</a>. Shellcheck is used extensive in bashbot development to ensure a high code quality, e.g. it's not allowed to push changes without passing all shellcheck tests. In addition bashbot has a <a href="doc/7_develop.md">test suite</a> to check if important functionality is working as expected.</p>
|
||||
<h3>Use printf whenever possible</h3>
|
||||
<p>If you're writing a script and it is taking external input (from the user as arguments or file system...), you shouldn't use echo to display it. <a href="https://unix.stackexchange.com/a/6581">Use printf whenever possible</a></p>
|
||||
<div class="sourceCode" id="cb4"><pre class="sourceCode bash"><code class="sourceCode bash"><a class="sourceLine" id="cb4-1" title="1"> <span class="co"># very simple</span></a>
|
||||
<a class="sourceLine" id="cb4-2" title="2"> <span class="bu">echo</span> <span class="st">"text with variables. PWD=</span><span class="va">$PWD</span><span class="st">"</span></a>
|
||||
<a class="sourceLine" id="cb4-3" title="3"> <span class="bu">printf</span> <span class="st">'%s\n'</span> <span class="st">"text with variables. PWD=</span><span class="va">$PWD</span><span class="st">"</span></a>
|
||||
@ -209,26 +209,26 @@ It features background tasks and interactive chats, and can serve as an interfac
|
||||
<a class="sourceLine" id="cb4-12" title="12"> <span class="ex">-</span><span class="op">></span>text with variables. float=1.23, integer=12345, PWD=/home/xxx</a></code></pre></div>
|
||||
<h3>Do not use #!/usr/bin/env bash</h3>
|
||||
<p><strong>We stay with /bin/bash shebang, because it's more save from security perspective.</strong></p>
|
||||
<p>Using a fixed path to the system provided bash makes it harder for attackers or users to place alternative versions of bash and avoids using a possibly broken, mangled or compromised bash executable.</p>
|
||||
<p>Use of a fixed path to the system provided bash makes it harder for attackers or users to place alternative versions of bash and avoids using a possibly broken, mangled or compromised bash executable.</p>
|
||||
<p>If you are a BSD / MacOS user or must to use an other bash location, see <a href="doc/0_install.md">Install Bashbot</a></p>
|
||||
<h3>Run your Bot as a restricted user</h3>
|
||||
<p><strong>I recommend to run your bot as a user, with almost no access rights.</strong> All files your Bot have write access to are in danger to be overwritten/deleted if your bot is hacked. For the same reason every file your Bot can read is in danger to be disclosed. Restict your Bots access rights to the absolute minimum.</p>
|
||||
<p><strong>Never run your Bot as root, this is the most dangerous you can do!</strong> Usually the user 'nobody' has almost no rights on Unix/Linux systems. See <a href="doc/4_expert.md">Expert use</a> on how to run your Bot as an other user.</p>
|
||||
<p><strong>I recommend to run your bot as a user, with almost no access rights.</strong> All files your Bot have write access to are in danger to be overwritten/deleted if your bot is hacked. For the same reason every file your Bot can read is in danger to be disclosed. Restrict your Bots access rights to the absolute minimum.</p>
|
||||
<p><strong>Never run your Bot as root, this is the most dangerous you can do!</strong> Usually the user 'nobody' has almost no rights on unix/linux systems. See <a href="doc/4_expert.md">Expert use</a> on how to run your Bot as an other user.</p>
|
||||
<h3>Secure your Bot installation</h3>
|
||||
<p><strong>Your Bot configuration must no be readable from other users.</strong> Everyone who can read your Bots token can act as your Bot and has access to all chats your Bot is in!</p>
|
||||
<p>Everyone with read access to your Bot files can extract your Bots data. Especially your Bot Token in <code>token</code> must be protected against other users. No one except you must have write access to the Bot files. The Bot must be restricted to have write access to <code>count</code> and <code>tmp-bot-bash</code> only, all other files must be write protected.</p>
|
||||
<p><strong>Your Bot configuration must no be readable from other users.</strong> Everyone who can read your Bots token is able to act as your Bot and has access to all chats the Bot is in!</p>
|
||||
<p>Everyone with read access to your Bot files can extract your Bots data. Especially your Bot Token in <code>token</code> must be protected against other users. No one except you should have write access to the Bot files. The Bot should be restricted to have write access to <code>count</code> and <code>tmp-bot-bash</code> only, all other files must be write protected.</p>
|
||||
<p>To set access rights for your bashbot installation to a reasonable default run <code>sudo ./bashbot.sh init</code> after every update or change to your installation directory.</p>
|
||||
<h2>FAQ</h2>
|
||||
<h3>Is this Bot insecure?</h3>
|
||||
<p>Bashbot is not more (in)secure as any other Bot written in any other language, we have done our best to make it as secure as possible. But YOU are responsible for the bot commands you wrote and you should know about the risks ...</p>
|
||||
<p><strong>Note:</strong> Until v0.941 (mai/22/2020) telegram-bot-bash has a remote code execution bug, pls update if you use an older version!</p>
|
||||
<p>Bashbot is not more (in)secure as any Bot written in an other language, we have done our best to make it as secure as possible. But YOU are responsible for the bot commands you wrote and you should know about the risks ...</p>
|
||||
<p><strong>Note:</strong> Until v0.941 (mai/22/2020) telegram-bot-bash has a remote code execution bug, please update if you use an older version!</p>
|
||||
<h3>Why Bash and not the much better xyz?</h3>
|
||||
<p>Well, that's a damn good question ... may be because I'm an Unix/Linux admin from stone age. Nevertheless there are more reasons from my side:</p>
|
||||
<p>Well, that's a damn good question ... may be because I'm an unix admin from stone age. Nevertheless there are more reasons from my side:</p>
|
||||
<ul>
|
||||
<li>bashbot will run everywhere where bash and (gnu) sed is available, from embedded linux to mainframe</li>
|
||||
<li>easy to integrate with other shell script, e.g. for sending system message / health status</li>
|
||||
<li>no need to install or learn a new programming language, library or framework</li>
|
||||
<li>no database, not event driven, not OO ...</li>
|
||||
<li>no database, not event driven, not object oriented ...</li>
|
||||
</ul>
|
||||
<h3>Can I have the single bashbot.sh file back?</h3>
|
||||
<p>At the beginning bashbot was simply the file <code>bashbot.sh</code> you can copy everywhere and run the bot. Now we have 'commands.sh', 'mycommands.sh', 'modules/*.sh' and much more.</p>
|
||||
@ -255,12 +255,12 @@ It features background tasks and interactive chats, and can serve as an interfac
|
||||
<a class="sourceLine" id="cb6-4" title="4"><span class="fu">wget</span> -t 1 -T 10 https://api.telegram.org/bot</a>
|
||||
<a class="sourceLine" id="cb6-5" title="5"><span class="co">#Connecting to api.telegram.org (api.telegram.org)|46.38.243.234|:443... failed: Connection timed out.</span></a></code></pre></div>
|
||||
<p>Since Version 0.96 bashbot offers the option to recover from broken connections (aka blocked). Therefore you can provide a function named <code>bashbotBlockRecover()</code> in <code>mycommands.sh</code>. If the function exists it is called every time when a broken connection is detected.</p>
|
||||
<p>Possible actions are: Check if network is working, change IP or simply wait some time.</p>
|
||||
<p>Possible actions are: Check if network is working, change IP-Adress or simply wait some time.</p>
|
||||
<p>If everything seems OK return 0 for retry or any non 0 value to give up.</p>
|
||||
<div class="sourceCode" id="cb7"><pre class="sourceCode bash"><code class="sourceCode bash"><a class="sourceLine" id="cb7-1" title="1"><span class="co"># called when bashbot sedn command failed because we can not connect to telegram</span></a>
|
||||
<a class="sourceLine" id="cb7-2" title="2"><span class="co"># return 0 to retry, return non 0 to give up</span></a>
|
||||
<a class="sourceLine" id="cb7-3" title="3"><span class="fu">bashbotBlockRecover()</span> <span class="kw">{</span></a>
|
||||
<a class="sourceLine" id="cb7-4" title="4"> <span class="co"># place your commands to unblock here, e.g. change IP or simply wait</span></a>
|
||||
<a class="sourceLine" id="cb7-4" title="4"> <span class="co"># place your commands to unblock here, e.g. change IP-Adess or simply wait</span></a>
|
||||
<a class="sourceLine" id="cb7-5" title="5"> <span class="fu">sleep</span> 60 <span class="kw">&&</span> <span class="bu">return</span> 0 <span class="co"># may be temporary</span></a>
|
||||
<a class="sourceLine" id="cb7-6" title="6"> <span class="bu">return</span> 1 </a>
|
||||
<a class="sourceLine" id="cb7-7" title="7"> <span class="kw">}</span></a>
|
||||
@ -268,6 +268,6 @@ It features background tasks and interactive chats, and can serve as an interfac
|
||||
<p>@Gnadelwartz</p>
|
||||
<h2>That's it!</h2>
|
||||
<p>If you feel that there's something missing or if you found a bug, feel free to submit a pull request!</p>
|
||||
<h4>$$VERSION$$ v0.99-dev2-6-gb641a18</h4>
|
||||
<h4>$$VERSION$$ v0.99-dev2-14-g6e02423</h4>
|
||||
</body>
|
||||
</html>
|
||||
|
50
README.md
50
README.md
@ -1,9 +1,9 @@
|
||||
<h2><img align="middle" src="https://raw.githubusercontent.com/odb/official-bash-logo/master/assets/Logos/Icons/PNG/64x64.png" >
|
||||
Bashbot - A Telegram bot written in bash.
|
||||
</h2>
|
||||
Written by Drew (@topkecleon), Daniil Gentili (@danogentili), and Kay M (@gnadelwartz).
|
||||
Written by Drew (@topkecleon) and Kay M (@gnadelwartz).
|
||||
|
||||
Contributions by JuanPotato, BigNerd95, TiagoDanin, and iicc1.
|
||||
Contributions by Daniil Gentili (@danogentili), JuanPotato, BigNerd95, TiagoDanin, and iicc1.
|
||||
|
||||
Released to the public domain wherever applicable.
|
||||
Elsewhere, consider it released under the [WTFPLv2](http://www.wtfpl.net/txt/copying/).
|
||||
@ -64,7 +64,7 @@ Bashbot [Documentation](https://github.com/topkecleon/telegram-bot-bash) and [Do
|
||||
|
||||
### Your really first bashbot in a nutshell
|
||||
|
||||
To install and run bashbot you need access to a linux/unix command line. If you don't know how to get access to a linux/unix/bsd like command line you should stop reading here :-(
|
||||
To install and run bashbot you need access to a linux/unix command line. If you don't know how to get access to a linux/unixe command line you should stop reading here :-(
|
||||
|
||||
In addition you need a [Telegram client](https://telegram.org) and a mobile phone to [register an account](https://telegramguide.com/create-a-telegram-account/).
|
||||
If you don't want to register for Telegram you should stop reading here ;-)
|
||||
@ -72,10 +72,10 @@ If you don't want to register for Telegram you should stop reading here ;-)
|
||||
After you're registered to Telegram send a message to [@botfather](https://telegram.me/botfather),
|
||||
[create a new Telegram Bot token](doc/1_firstbot.md) and write it down. You need the token to install the bot.
|
||||
|
||||
Now open a linux/unix/bsd terminal and check if bash is installed: ```which bash && echo "bash installed!"```.
|
||||
Now open a terminal and check if bash is installed: ```which bash && echo "bash installed!"```.
|
||||
If you get an error message bash is not installed.
|
||||
|
||||
Create a new directory and change to it: ```mkdir tbb; cd tbb``` and download the latest '*.tar.gz' file from
|
||||
Create a new directory, change to it: ```mkdir tbb; cd tbb``` and download the latest '*.tar.gz' file from
|
||||
[https://github.com/topkecleon/telegram-bot-bash/releases](https://github.com/topkecleon/telegram-bot-bash/releases). This can be done with the commands:
|
||||
```bash
|
||||
wget -q https://github.com/$(wget -q https://github.com/topkecleon/telegram-bot-bash/releases/latest -O - | egrep '/.*/.*/.*tar.gz' -o)
|
||||
@ -125,21 +125,21 @@ Running a Telegram Bot means it is connected to the public and you never know wh
|
||||
|
||||
Bash scripts in general are not designed to be bullet proof, so consider this Bot as a proof of concept. Bash programmers often struggle with 'quoting hell' and globbing, see [Implications of wrong quoting](https://unix.stackexchange.com/questions/171346/security-implications-of-forgetting-to-quote-a-variable-in-bash-posix-shells)
|
||||
|
||||
Whenever you are processing input from from untrusted sources (messages, files, network) you must be as careful as possible, e.g. set IFS appropriate, disable globbing (set -f) and quote everything. In addition delete unused scripts and examples from your Bot, e.g. scripts 'notify', 'calc', 'question', and disable all not used commands.
|
||||
Whenever you are processing input from untrusted sources (messages, files, network) you must be as careful as possible, e.g. set IFS appropriate, disable globbing (set -f) and quote everything. In addition delete unused scripts and examples from your Bot, e.g. scripts 'notify', 'calc', 'question', and disable all not used commands.
|
||||
|
||||
**Note:** Until v0.941 (mai/22/2020) telegram-bot-bash had a remote code execution (RCE) bug, pls update if you use an older version!
|
||||
**Note:** Until v0.941 (mai/22/2020) telegram-bot-bash had a remote code execution (RCE) bug, please update if you use an older version!
|
||||
see [Issue #125](https://github.com/topkecleon/telegram-bot-bash/issues/125)
|
||||
|
||||
One of the most powerful features of unix shells like bash is variable and command substitution using ```${}``` and ```$()```,
|
||||
but as they are expanded in double quotes, this can lead to RCE and information disclosing bugs in complex scripts like bashbot
|
||||
even bash does much to avoid this. So it's more secure to escape or remove '$' in input from user, files or network.
|
||||
One of the most powerful features of unix shells is variable and command substitution using ```${}``` and ```$()```,
|
||||
but as they are expanded in double quotes, this can lead to RCE and information disclosing bugs in complex scripts like bashbot.
|
||||
So it's more secure to escape or remove '$' in input from user, files or network.
|
||||
|
||||
A powerful tool to improve your scripts is ```shellcheck```. You can [use it online](https://www.shellcheck.net/) or [install shellcheck locally](https://github.com/koalaman/shellcheck#installing). Shellcheck is used extensive in bashbot development to enshure a high code quality, e.g. it's not allowed to push changes without passing all shellcheck tests.
|
||||
A powerful tool to improve your scripts is ```shellcheck```. You can [use it online](https://www.shellcheck.net/) or [install shellcheck locally](https://github.com/koalaman/shellcheck#installing). Shellcheck is used extensive in bashbot development to ensure a high code quality, e.g. it's not allowed to push changes without passing all shellcheck tests.
|
||||
In addition bashbot has a [test suite](doc/7_develop.md) to check if important functionality is working as expected.
|
||||
|
||||
### use printf whenever possible
|
||||
### Use printf whenever possible
|
||||
|
||||
If you're writing a script and it is taking external input (from the user as arguments, or file names from the file system...),
|
||||
If you're writing a script and it is taking external input (from the user as arguments or file system...),
|
||||
you shouldn't use echo to display it. [Use printf whenever possible](https://unix.stackexchange.com/a/6581)
|
||||
|
||||
```bash
|
||||
@ -161,7 +161,7 @@ you shouldn't use echo to display it. [Use printf whenever possible](https://uni
|
||||
|
||||
**We stay with /bin/bash shebang, because it's more save from security perspective.**
|
||||
|
||||
Using a fixed path to the system provided bash makes it harder for attackers or users to place alternative versions of bash
|
||||
Use of a fixed path to the system provided bash makes it harder for attackers or users to place alternative versions of bash
|
||||
and avoids using a possibly broken, mangled or compromised bash executable.
|
||||
|
||||
If you are a BSD / MacOS user or must to use an other bash location, see [Install Bashbot](doc/0_install.md)
|
||||
@ -169,31 +169,31 @@ If you are a BSD / MacOS user or must to use an other bash location, see [Insta
|
||||
### Run your Bot as a restricted user
|
||||
**I recommend to run your bot as a user, with almost no access rights.**
|
||||
All files your Bot have write access to are in danger to be overwritten/deleted if your bot is hacked.
|
||||
For the same reason every file your Bot can read is in danger to be disclosed. Restict your Bots access rights to the absolute minimum.
|
||||
For the same reason every file your Bot can read is in danger to be disclosed. Restrict your Bots access rights to the absolute minimum.
|
||||
|
||||
**Never run your Bot as root, this is the most dangerous you can do!** Usually the user 'nobody' has almost no rights on Unix/Linux systems. See [Expert use](doc/4_expert.md) on how to run your Bot as an other user.
|
||||
**Never run your Bot as root, this is the most dangerous you can do!** Usually the user 'nobody' has almost no rights on unix/linux systems. See [Expert use](doc/4_expert.md) on how to run your Bot as an other user.
|
||||
|
||||
### Secure your Bot installation
|
||||
**Your Bot configuration must no be readable from other users.** Everyone who can read your Bots token can act as your Bot and has access to all chats your Bot is in!
|
||||
**Your Bot configuration must no be readable from other users.** Everyone who can read your Bots token is able to act as your Bot and has access to all chats the Bot is in!
|
||||
|
||||
Everyone with read access to your Bot files can extract your Bots data. Especially your Bot Token in ```token``` must be protected against other users. No one except you must have write access to the Bot files. The Bot must be restricted to have write access to ```count``` and ```tmp-bot-bash``` only, all other files must be write protected.
|
||||
Everyone with read access to your Bot files can extract your Bots data. Especially your Bot Token in ```token``` must be protected against other users. No one except you should have write access to the Bot files. The Bot should be restricted to have write access to ```count``` and ```tmp-bot-bash``` only, all other files must be write protected.
|
||||
|
||||
To set access rights for your bashbot installation to a reasonable default run ```sudo ./bashbot.sh init``` after every update or change to your installation directory.
|
||||
|
||||
## FAQ
|
||||
|
||||
### Is this Bot insecure?
|
||||
Bashbot is not more (in)secure as any other Bot written in any other language, we have done our best to make it as secure as possible. But YOU are responsible for the bot commands you wrote and you should know about the risks ...
|
||||
Bashbot is not more (in)secure as any Bot written in an other language, we have done our best to make it as secure as possible. But YOU are responsible for the bot commands you wrote and you should know about the risks ...
|
||||
|
||||
**Note:** Until v0.941 (mai/22/2020) telegram-bot-bash has a remote code execution bug, pls update if you use an older version!
|
||||
**Note:** Until v0.941 (mai/22/2020) telegram-bot-bash has a remote code execution bug, please update if you use an older version!
|
||||
|
||||
### Why Bash and not the much better xyz?
|
||||
Well, that's a damn good question ... may be because I'm an Unix/Linux admin from stone age. Nevertheless there are more reasons from my side:
|
||||
Well, that's a damn good question ... may be because I'm an unix admin from stone age. Nevertheless there are more reasons from my side:
|
||||
|
||||
- bashbot will run everywhere where bash and (gnu) sed is available, from embedded linux to mainframe
|
||||
- easy to integrate with other shell script, e.g. for sending system message / health status
|
||||
- no need to install or learn a new programming language, library or framework
|
||||
- no database, not event driven, not OO ...
|
||||
- no database, not event driven, not object oriented ...
|
||||
|
||||
### Can I have the single bashbot.sh file back?
|
||||
At the beginning bashbot was simply the file ```bashbot.sh``` you can copy everywhere and run the bot. Now we have 'commands.sh', 'mycommands.sh', 'modules/*.sh' and much more.
|
||||
@ -237,7 +237,7 @@ wget -t 1 -T 10 https://api.telegram.org/bot
|
||||
Since Version 0.96 bashbot offers the option to recover from broken connections (aka blocked). Therefore you can provide a function
|
||||
named `bashbotBlockRecover()` in `mycommands.sh`. If the function exists it is called every time when a broken connection is detected.
|
||||
|
||||
Possible actions are: Check if network is working, change IP or simply wait some time.
|
||||
Possible actions are: Check if network is working, change IP-Adress or simply wait some time.
|
||||
|
||||
If everything seems OK return 0 for retry or any non 0 value to give up.
|
||||
|
||||
@ -245,7 +245,7 @@ If everything seems OK return 0 for retry or any non 0 value to give up.
|
||||
# called when bashbot sedn command failed because we can not connect to telegram
|
||||
# return 0 to retry, return non 0 to give up
|
||||
bashbotBlockRecover() {
|
||||
# place your commands to unblock here, e.g. change IP or simply wait
|
||||
# place your commands to unblock here, e.g. change IP-Adess or simply wait
|
||||
sleep 60 && return 0 # may be temporary
|
||||
return 1
|
||||
}
|
||||
@ -259,4 +259,4 @@ bashbotBlockRecover() {
|
||||
|
||||
If you feel that there's something missing or if you found a bug, feel free to submit a pull request!
|
||||
|
||||
#### $$VERSION$$ v0.99-dev2-6-gb641a18
|
||||
#### $$VERSION$$ v0.99-dev2-14-g6e02423
|
||||
|
75
README.txt
75
README.txt
@ -3,10 +3,10 @@ src="https://raw.githubusercontent.com/odb/official-bash-logo/master/assets/Logo
|
||||
s/Icons/PNG/64x64.png" >
|
||||
Bashbot - A Telegram bot written in bash.
|
||||
</h2>
|
||||
Written by Drew (@topkecleon), Daniil Gentili (@danogentili), and Kay M
|
||||
(@gnadelwartz).
|
||||
Written by Drew (@topkecleon) and Kay M (@gnadelwartz).
|
||||
|
||||
Contributions by JuanPotato, BigNerd95, TiagoDanin, and iicc1.
|
||||
Contributions by Daniil Gentili (@danogentili), JuanPotato, BigNerd95,
|
||||
TiagoDanin, and iicc1.
|
||||
|
||||
Released to the public domain wherever applicable.
|
||||
Elsewhere, consider it released under the
|
||||
@ -78,8 +78,8 @@ available on www.github.com
|
||||
### Your really first bashbot in a nutshell
|
||||
|
||||
To install and run bashbot you need access to a linux/unix command line. If you
|
||||
don't know how to get access to a linux/unix/bsd like command line you should
|
||||
stop reading here :-(
|
||||
don't know how to get access to a linux/unixe command line you should stop
|
||||
reading here :-(
|
||||
|
||||
In addition you need a [Telegram client](https://telegram.org) and a mobile
|
||||
phone to [register an
|
||||
@ -91,12 +91,12 @@ After you're registered to Telegram send a message to
|
||||
[create a new Telegram Bot token](doc/1_firstbot.md) and write it down. You
|
||||
need the token to install the bot.
|
||||
|
||||
Now open a linux/unix/bsd terminal and check if bash is installed: ```which
|
||||
bash && echo "bash installed!"```.
|
||||
Now open a terminal and check if bash is installed: ```which bash && echo "bash
|
||||
installed!"```.
|
||||
If you get an error message bash is not installed.
|
||||
|
||||
Create a new directory and change to it: ```mkdir tbb; cd tbb``` and download
|
||||
the latest '*.tar.gz' file from
|
||||
Create a new directory, change to it: ```mkdir tbb; cd tbb``` and download the
|
||||
latest '*.tar.gz' file from
|
||||
[https://github.com/topkecleon/telegram-bot-bash/releases](https://github.com/to
|
||||
pkecleon/telegram-bot-bash/releases). This can be done with the commands:
|
||||
```bash
|
||||
@ -162,35 +162,35 @@ and globbing, see [Implications of wrong
|
||||
quoting](https://unix.stackexchange.com/questions/171346/security-implications-o
|
||||
f-forgetting-to-quote-a-variable-in-bash-posix-shells)
|
||||
|
||||
Whenever you are processing input from from untrusted sources (messages, files,
|
||||
Whenever you are processing input from untrusted sources (messages, files,
|
||||
network) you must be as careful as possible, e.g. set IFS appropriate, disable
|
||||
globbing (set -f) and quote everything. In addition delete unused scripts and
|
||||
examples from your Bot, e.g. scripts 'notify', 'calc', 'question', and disable
|
||||
all not used commands.
|
||||
|
||||
**Note:** Until v0.941 (mai/22/2020) telegram-bot-bash had a remote code
|
||||
execution (RCE) bug, pls update if you use an older version!
|
||||
execution (RCE) bug, please update if you use an older version!
|
||||
see [Issue #125](https://github.com/topkecleon/telegram-bot-bash/issues/125)
|
||||
|
||||
One of the most powerful features of unix shells like bash is variable and
|
||||
command substitution using ```${}``` and ```$()```,
|
||||
One of the most powerful features of unix shells is variable and command
|
||||
substitution using ```${}``` and ```$()```,
|
||||
but as they are expanded in double quotes, this can lead to RCE and information
|
||||
disclosing bugs in complex scripts like bashbot
|
||||
even bash does much to avoid this. So it's more secure to escape or remove '$'
|
||||
in input from user, files or network.
|
||||
disclosing bugs in complex scripts like bashbot.
|
||||
So it's more secure to escape or remove '$' in input from user, files or
|
||||
network.
|
||||
|
||||
A powerful tool to improve your scripts is ```shellcheck```. You can [use it
|
||||
online](https://www.shellcheck.net/) or [install shellcheck
|
||||
locally](https://github.com/koalaman/shellcheck#installing). Shellcheck is used
|
||||
extensive in bashbot development to enshure a high code quality, e.g. it's not
|
||||
extensive in bashbot development to ensure a high code quality, e.g. it's not
|
||||
allowed to push changes without passing all shellcheck tests.
|
||||
In addition bashbot has a [test suite](doc/7_develop.md) to check if important
|
||||
functionality is working as expected.
|
||||
|
||||
### use printf whenever possible
|
||||
### Use printf whenever possible
|
||||
|
||||
If you're writing a script and it is taking external input (from the user as
|
||||
arguments, or file names from the file system...),
|
||||
arguments or file system...),
|
||||
you shouldn't use echo to display it. [Use printf whenever
|
||||
possible](https://unix.stackexchange.com/a/6581)
|
||||
|
||||
@ -215,8 +215,8 @@ possible](https://unix.stackexchange.com/a/6581)
|
||||
**We stay with /bin/bash shebang, because it's more save from security
|
||||
perspective.**
|
||||
|
||||
Using a fixed path to the system provided bash makes it harder for attackers or
|
||||
users to place alternative versions of bash
|
||||
Use of a fixed path to the system provided bash makes it harder for attackers
|
||||
or users to place alternative versions of bash
|
||||
and avoids using a possibly broken, mangled or compromised bash executable.
|
||||
|
||||
If you are a BSD / MacOS user or must to use an other bash location, see
|
||||
@ -227,20 +227,20 @@ If you are a BSD / MacOS user or must to use an other bash location, see
|
||||
All files your Bot have write access to are in danger to be overwritten/deleted
|
||||
if your bot is hacked.
|
||||
For the same reason every file your Bot can read is in danger to be disclosed.
|
||||
Restict your Bots access rights to the absolute minimum.
|
||||
Restrict your Bots access rights to the absolute minimum.
|
||||
|
||||
**Never run your Bot as root, this is the most dangerous you can do!** Usually
|
||||
the user 'nobody' has almost no rights on Unix/Linux systems. See [Expert
|
||||
the user 'nobody' has almost no rights on unix/linux systems. See [Expert
|
||||
use](doc/4_expert.md) on how to run your Bot as an other user.
|
||||
|
||||
### Secure your Bot installation
|
||||
**Your Bot configuration must no be readable from other users.** Everyone who
|
||||
can read your Bots token can act as your Bot and has access to all chats your
|
||||
Bot is in!
|
||||
can read your Bots token is able to act as your Bot and has access to all chats
|
||||
the Bot is in!
|
||||
|
||||
Everyone with read access to your Bot files can extract your Bots data.
|
||||
Especially your Bot Token in ```token``` must be protected against other users.
|
||||
No one except you must have write access to the Bot files. The Bot must be
|
||||
No one except you should have write access to the Bot files. The Bot should be
|
||||
restricted to have write access to ```count``` and ```tmp-bot-bash``` only,
|
||||
all other files must be write protected.
|
||||
|
||||
@ -251,23 +251,23 @@ directory.
|
||||
## FAQ
|
||||
|
||||
### Is this Bot insecure?
|
||||
Bashbot is not more (in)secure as any other Bot written in any other language,
|
||||
we have done our best to make it as secure as possible. But YOU are responsible
|
||||
for the bot commands you wrote and you should know about the risks ...
|
||||
Bashbot is not more (in)secure as any Bot written in an other language, we have
|
||||
done our best to make it as secure as possible. But YOU are responsible for the
|
||||
bot commands you wrote and you should know about the risks ...
|
||||
|
||||
**Note:** Until v0.941 (mai/22/2020) telegram-bot-bash has a remote code
|
||||
execution bug, pls update if you use an older version!
|
||||
execution bug, please update if you use an older version!
|
||||
|
||||
### Why Bash and not the much better xyz?
|
||||
Well, that's a damn good question ... may be because I'm an Unix/Linux admin
|
||||
from stone age. Nevertheless there are more reasons from my side:
|
||||
Well, that's a damn good question ... may be because I'm an unix admin from
|
||||
stone age. Nevertheless there are more reasons from my side:
|
||||
|
||||
- bashbot will run everywhere where bash and (gnu) sed is available, from
|
||||
embedded linux to mainframe
|
||||
- easy to integrate with other shell script, e.g. for sending system message /
|
||||
health status
|
||||
- no need to install or learn a new programming language, library or framework
|
||||
- no database, not event driven, not OO ...
|
||||
- no database, not event driven, not object oriented ...
|
||||
|
||||
### Can I have the single bashbot.sh file back?
|
||||
At the beginning bashbot was simply the file ```bashbot.sh``` you can copy
|
||||
@ -324,8 +324,8 @@ Since Version 0.96 bashbot offers the option to recover from broken connections
|
||||
named `bashbotBlockRecover()` in `mycommands.sh`. If the function exists it is
|
||||
called every time when a broken connection is detected.
|
||||
|
||||
Possible actions are: Check if network is working, change IP or simply wait
|
||||
some time.
|
||||
Possible actions are: Check if network is working, change IP-Adress or simply
|
||||
wait some time.
|
||||
|
||||
If everything seems OK return 0 for retry or any non 0 value to give up.
|
||||
|
||||
@ -333,7 +333,8 @@ If everything seems OK return 0 for retry or any non 0 value to give up.
|
||||
# called when bashbot sedn command failed because we can not connect to telegram
|
||||
# return 0 to retry, return non 0 to give up
|
||||
bashbotBlockRecover() {
|
||||
# place your commands to unblock here, e.g. change IP or simply wait
|
||||
# place your commands to unblock here, e.g. change IP-Adess or simply
|
||||
wait
|
||||
sleep 60 && return 0 # may be temporary
|
||||
return 1
|
||||
}
|
||||
@ -348,4 +349,4 @@ bashbotBlockRecover() {
|
||||
If you feel that there's something missing or if you found a bug, feel free to
|
||||
submit a pull request!
|
||||
|
||||
#### $$VERSION$$ v0.99-dev2-6-gb641a18
|
||||
#### $$VERSION$$ v0.99-dev2-14-g6e02423
|
||||
|
Loading…
Reference in New Issue
Block a user