octoleo
/
telegram-bot-bash
mirror of https://github.com/octoleo/telegram-bot-bash.git
1
1
Fork 0
Code Issues Projects Releases Wiki Activity

some spellchecking of README

This commit is contained in:
Kay Marquardt (Gnadelwartz) 2020-07-25 15:15:15 +02:00
parent 6e0242368e
commit f3bb5d9a9a
3 changed files with 86 additions and 85 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

46
README.html
View File

@ -85,9 +85,9 @@ code span.wa { color: #60a0b0; font-weight: bold; font-style: italic; } /* Warni
<h2><img align="middle" src="https://raw.githubusercontent.com/odb/official-bash-logo/master/assets/Logos/Icons/PNG/64x64.png" >
Bashbot - A Telegram bot written in bash.
</h2>
Written by Drew (@topkecleon), Daniil Gentili (@danogentili), and Kay M (@gnadelwartz).
Written by Drew (@topkecleon) and Kay M (@gnadelwartz).
<p>Contributions by JuanPotato, BigNerd95, TiagoDanin, and iicc1.</p>
<p>Contributions by Daniil Gentili (@danogentili), JuanPotato, BigNerd95, TiagoDanin, and iicc1.</p>
<p>Released to the public domain wherever applicable. Elsewhere, consider it released under the <a href="http://www.wtfpl.net/txt/copying/">WTFPLv2</a>.</p>
<h2>Prerequisites</h2>
<p>Uses <a href="http://github.com/dominictarr/JSON.sh">JSON.sh</a> and the magic of sed.</p>
@ -153,11 +153,11 @@ Written by Drew (@topkecleon), Daniil Gentili (@danogentili), and Kay M (@gnadel
<li><a href="examples/README.md">Examples Dir</a></li>
</ul>
<h3>Your really first bashbot in a nutshell</h3>
<p>To install and run bashbot you need access to a linux/unix command line. If you don't know how to get access to a linux/unix/bsd like command line you should stop reading here :-(</p>
<p>To install and run bashbot you need access to a linux/unix command line. If you don't know how to get access to a linux/unixe command line you should stop reading here :-(</p>
<p>In addition you need a <a href="https://telegram.org">Telegram client</a> and a mobile phone to <a href="https://telegramguide.com/create-a-telegram-account/">register an account</a>. If you don't want to register for Telegram you should stop reading here ;-)</p>
<p>After you're registered to Telegram send a message to <a href="https://telegram.me/botfather">@botfather</a>, <a href="doc/1_firstbot.md">create a new Telegram Bot token</a> and write it down. You need the token to install the bot.</p>
<p>Now open a linux/unix/bsd terminal and check if bash is installed: <code>which bash &amp;&amp; echo "bash installed!"</code>. If you get an error message bash is not installed.</p>
<p>Create a new directory and change to it: <code>mkdir tbb; cd tbb</code> and download the latest '*.tar.gz' file from <a href="https://github.com/topkecleon/telegram-bot-bash/releases">https://github.com/topkecleon/telegram-bot-bash/releases</a>. This can be done with the commands:</p>
<p>Now open a terminal and check if bash is installed: <code>which bash &amp;&amp; echo "bash installed!"</code>. If you get an error message bash is not installed.</p>
<p>Create a new directory, change to it: <code>mkdir tbb; cd tbb</code> and download the latest '*.tar.gz' file from <a href="https://github.com/topkecleon/telegram-bot-bash/releases">https://github.com/topkecleon/telegram-bot-bash/releases</a>. This can be done with the commands:</p>
<div class="sourceCode" id="cb1"><pre class="sourceCode bash"><code class="sourceCode bash"><a class="sourceLine" id="cb1-1" title="1"><span class="fu">wget</span> -q https://github.com/<span class="va">$(</span><span class="fu">wget</span> -q https://github.com/topkecleon/telegram-bot-bash/releases/latest -O - <span class="kw">|</span> <span class="fu">egrep</span> <span class="st">&#39;/.*/.*/.*tar.gz&#39;</span> -o<span class="va">)</span></a></code></pre></div>
<p>Extract the '*.tar.gz' file and change to bashbot directory: <code>tar -xzf *.tar.gz; cd telegram-bot-bash</code>, install bashbot: <code>./bashbot.sh init</code> and enter your bot token when asked. All other questions can be answered by hitting the &lt;Return&gt; key.</p>
<p>That's all, now you can start your bot with <code>./bashbot.sh start</code> and send him messages:</p>
@ -189,12 +189,12 @@ It features background tasks and interactive chats, and can serve as an interfac
<h2>Security Considerations</h2>
<p>Running a Telegram Bot means it is connected to the public and you never know what's send to your Bot.</p>
<p>Bash scripts in general are not designed to be bullet proof, so consider this Bot as a proof of concept. Bash programmers often struggle with 'quoting hell' and globbing, see <a href="https://unix.stackexchange.com/questions/171346/security-implications-of-forgetting-to-quote-a-variable-in-bash-posix-shells">Implications of wrong quoting</a></p>
<p>Whenever you are processing input from from untrusted sources (messages, files, network) you must be as careful as possible, e.g. set IFS appropriate, disable globbing (set -f) and quote everything. In addition delete unused scripts and examples from your Bot, e.g. scripts 'notify', 'calc', 'question', and disable all not used commands.</p>
<p><strong>Note:</strong> Until v0.941 (mai/22/2020) telegram-bot-bash had a remote code execution (RCE) bug, pls update if you use an older version! see <a href="https://github.com/topkecleon/telegram-bot-bash/issues/125">Issue #125</a></p>
<p>One of the most powerful features of unix shells like bash is variable and command substitution using <code>${}</code> and <code>$()</code>, but as they are expanded in double quotes, this can lead to RCE and information disclosing bugs in complex scripts like bashbot even bash does much to avoid this. So it's more secure to escape or remove '$' in input from user, files or network.</p>
<p>A powerful tool to improve your scripts is <code>shellcheck</code>. You can <a href="https://www.shellcheck.net/">use it online</a> or <a href="https://github.com/koalaman/shellcheck#installing">install shellcheck locally</a>. Shellcheck is used extensive in bashbot development to enshure a high code quality, e.g. it's not allowed to push changes without passing all shellcheck tests. In addition bashbot has a <a href="doc/7_develop.md">test suite</a> to check if important functionality is working as expected.</p>
<h3>use printf whenever possible</h3>
<p>If you're writing a script and it is taking external input (from the user as arguments, or file names from the file system...), you shouldn't use echo to display it. <a href="https://unix.stackexchange.com/a/6581">Use printf whenever possible</a></p>
<p>Whenever you are processing input from untrusted sources (messages, files, network) you must be as careful as possible, e.g. set IFS appropriate, disable globbing (set -f) and quote everything. In addition delete unused scripts and examples from your Bot, e.g. scripts 'notify', 'calc', 'question', and disable all not used commands.</p>
<p><strong>Note:</strong> Until v0.941 (mai/22/2020) telegram-bot-bash had a remote code execution (RCE) bug, please update if you use an older version! see <a href="https://github.com/topkecleon/telegram-bot-bash/issues/125">Issue #125</a></p>
<p>One of the most powerful features of unix shells is variable and command substitution using <code>${}</code> and <code>$()</code>, but as they are expanded in double quotes, this can lead to RCE and information disclosing bugs in complex scripts like bashbot. So it's more secure to escape or remove '$' in input from user, files or network.</p>
<p>A powerful tool to improve your scripts is <code>shellcheck</code>. You can <a href="https://www.shellcheck.net/">use it online</a> or <a href="https://github.com/koalaman/shellcheck#installing">install shellcheck locally</a>. Shellcheck is used extensive in bashbot development to ensure a high code quality, e.g. it's not allowed to push changes without passing all shellcheck tests. In addition bashbot has a <a href="doc/7_develop.md">test suite</a> to check if important functionality is working as expected.</p>
<h3>Use printf whenever possible</h3>
<p>If you're writing a script and it is taking external input (from the user as arguments or file system...), you shouldn't use echo to display it. <a href="https://unix.stackexchange.com/a/6581">Use printf whenever possible</a></p>
<div class="sourceCode" id="cb4"><pre class="sourceCode bash"><code class="sourceCode bash"><a class="sourceLine" id="cb4-1" title="1"> <span class="co"># very simple</span></a>
<a class="sourceLine" id="cb4-2" title="2"> <span class="bu">echo</span> <span class="st">&quot;text with variables. PWD=</span><span class="va">$PWD</span><span class="st">&quot;</span></a>
<a class="sourceLine" id="cb4-3" title="3"> <span class="bu">printf</span> <span class="st">&#39;%s\n&#39;</span> <span class="st">&quot;text with variables. PWD=</span><span class="va">$PWD</span><span class="st">&quot;</span></a>
@ -209,26 +209,26 @@ It features background tasks and interactive chats, and can serve as an interfac
<a class="sourceLine" id="cb4-12" title="12"> <span class="ex">-</span><span class="op">&gt;</span>text with variables. float=1.23, integer=12345, PWD=/home/xxx</a></code></pre></div>
<h3>Do not use #!/usr/bin/env bash</h3>
<p><strong>We stay with /bin/bash shebang, because it's more save from security perspective.</strong></p>
<p>Using a fixed path to the system provided bash makes it harder for attackers or users to place alternative versions of bash and avoids using a possibly broken, mangled or compromised bash executable.</p>
<p>Use of a fixed path to the system provided bash makes it harder for attackers or users to place alternative versions of bash and avoids using a possibly broken, mangled or compromised bash executable.</p>
<p>If you are a BSD / MacOS user or must to use an other bash location, see <a href="doc/0_install.md">Install Bashbot</a></p>
<h3>Run your Bot as a restricted user</h3>
<p><strong>I recommend to run your bot as a user, with almost no access rights.</strong> All files your Bot have write access to are in danger to be overwritten/deleted if your bot is hacked. For the same reason every file your Bot can read is in danger to be disclosed. Restict your Bots access rights to the absolute minimum.</p>
<p><strong>Never run your Bot as root, this is the most dangerous you can do!</strong> Usually the user 'nobody' has almost no rights on Unix/Linux systems. See <a href="doc/4_expert.md">Expert use</a> on how to run your Bot as an other user.</p>
<p><strong>I recommend to run your bot as a user, with almost no access rights.</strong> All files your Bot have write access to are in danger to be overwritten/deleted if your bot is hacked. For the same reason every file your Bot can read is in danger to be disclosed. Restrict your Bots access rights to the absolute minimum.</p>
<p><strong>Never run your Bot as root, this is the most dangerous you can do!</strong> Usually the user 'nobody' has almost no rights on unix/linux systems. See <a href="doc/4_expert.md">Expert use</a> on how to run your Bot as an other user.</p>
<h3>Secure your Bot installation</h3>
<p><strong>Your Bot configuration must no be readable from other users.</strong> Everyone who can read your Bots token can act as your Bot and has access to all chats your Bot is in!</p>
<p>Everyone with read access to your Bot files can extract your Bots data. Especially your Bot Token in <code>token</code> must be protected against other users. No one except you must have write access to the Bot files. The Bot must be restricted to have write access to <code>count</code> and <code>tmp-bot-bash</code> only, all other files must be write protected.</p>
<p><strong>Your Bot configuration must no be readable from other users.</strong> Everyone who can read your Bots token is able to act as your Bot and has access to all chats the Bot is in!</p>
<p>Everyone with read access to your Bot files can extract your Bots data. Especially your Bot Token in <code>token</code> must be protected against other users. No one except you should have write access to the Bot files. The Bot should be restricted to have write access to <code>count</code> and <code>tmp-bot-bash</code> only, all other files must be write protected.</p>
<p>To set access rights for your bashbot installation to a reasonable default run <code>sudo ./bashbot.sh init</code> after every update or change to your installation directory.</p>
<h2>FAQ</h2>
<h3>Is this Bot insecure?</h3>
<p>Bashbot is not more (in)secure as any other Bot written in any other language, we have done our best to make it as secure as possible. But YOU are responsible for the bot commands you wrote and you should know about the risks ...</p>
<p><strong>Note:</strong> Until v0.941 (mai/22/2020) telegram-bot-bash has a remote code execution bug, pls update if you use an older version!</p>
<p>Bashbot is not more (in)secure as any Bot written in an other language, we have done our best to make it as secure as possible. But YOU are responsible for the bot commands you wrote and you should know about the risks ...</p>
<p><strong>Note:</strong> Until v0.941 (mai/22/2020) telegram-bot-bash has a remote code execution bug, please update if you use an older version!</p>
<h3>Why Bash and not the much better xyz?</h3>
<p>Well, that's a damn good question ... may be because I'm an Unix/Linux admin from stone age. Nevertheless there are more reasons from my side:</p>
<p>Well, that's a damn good question ... may be because I'm an unix admin from stone age. Nevertheless there are more reasons from my side:</p>
<ul>
<li>bashbot will run everywhere where bash and (gnu) sed is available, from embedded linux to mainframe</li>
<li>easy to integrate with other shell script, e.g. for sending system message / health status</li>
<li>no need to install or learn a new programming language, library or framework</li>
<li>no database, not event driven, not OO ...</li>
<li>no database, not event driven, not object oriented ...</li>
</ul>
<h3>Can I have the single bashbot.sh file back?</h3>
<p>At the beginning bashbot was simply the file <code>bashbot.sh</code> you can copy everywhere and run the bot. Now we have 'commands.sh', 'mycommands.sh', 'modules/*.sh' and much more.</p>
@ -255,12 +255,12 @@ It features background tasks and interactive chats, and can serve as an interfac
<a class="sourceLine" id="cb6-4" title="4"><span class="fu">wget</span> -t 1 -T 10 https://api.telegram.org/bot</a>
<a class="sourceLine" id="cb6-5" title="5"><span class="co">#Connecting to api.telegram.org (api.telegram.org)|46.38.243.234|:443... failed: Connection timed out.</span></a></code></pre></div>
<p>Since Version 0.96 bashbot offers the option to recover from broken connections (aka blocked). Therefore you can provide a function named <code>bashbotBlockRecover()</code> in <code>mycommands.sh</code>. If the function exists it is called every time when a broken connection is detected.</p>
<p>Possible actions are: Check if network is working, change IP or simply wait some time.</p>
<p>Possible actions are: Check if network is working, change IP-Adress or simply wait some time.</p>
<p>If everything seems OK return 0 for retry or any non 0 value to give up.</p>
<div class="sourceCode" id="cb7"><pre class="sourceCode bash"><code class="sourceCode bash"><a class="sourceLine" id="cb7-1" title="1"><span class="co"># called when bashbot sedn command failed because we can not connect to telegram</span></a>
<a class="sourceLine" id="cb7-2" title="2"><span class="co"># return 0 to retry, return non 0 to give up</span></a>
<a class="sourceLine" id="cb7-3" title="3"><span class="fu">bashbotBlockRecover()</span> <span class="kw">{</span></a>
<a class="sourceLine" id="cb7-4" title="4"> <span class="co"># place your commands to unblock here, e.g. change IP or simply wait</span></a>
<a class="sourceLine" id="cb7-4" title="4"> <span class="co"># place your commands to unblock here, e.g. change IP-Adess or simply wait</span></a>
<a class="sourceLine" id="cb7-5" title="5"> <span class="fu">sleep</span> 60 <span class="kw">&amp;&amp;</span> <span class="bu">return</span> 0 <span class="co"># may be temporary</span></a>
<a class="sourceLine" id="cb7-6" title="6"> <span class="bu">return</span> 1 </a>
<a class="sourceLine" id="cb7-7" title="7"> <span class="kw">}</span></a>
@ -268,6 +268,6 @@ It features background tasks and interactive chats, and can serve as an interfac
<p>@Gnadelwartz</p>
<h2>That's it!</h2>
<p>If you feel that there's something missing or if you found a bug, feel free to submit a pull request!</p>
<h4>$$VERSION$$ v0.99-dev2-6-gb641a18</h4>
<h4>$$VERSION$$ v0.99-dev2-14-g6e02423</h4>
</body>
</html>

50
README.md
View File

@ -1,9 +1,9 @@
<h2><img align="middle" src="https://raw.githubusercontent.com/odb/official-bash-logo/master/assets/Logos/Icons/PNG/64x64.png" >
Bashbot - A Telegram bot written in bash.
</h2>
Written by Drew (@topkecleon), Daniil Gentili (@danogentili), and Kay M (@gnadelwartz).
Written by Drew (@topkecleon) and Kay M (@gnadelwartz).
Contributions by JuanPotato, BigNerd95, TiagoDanin, and iicc1.
Contributions by Daniil Gentili (@danogentili), JuanPotato, BigNerd95, TiagoDanin, and iicc1.
Released to the public domain wherever applicable.
Elsewhere, consider it released under the [WTFPLv2](http://www.wtfpl.net/txt/copying/).
@ -64,7 +64,7 @@ Bashbot [Documentation](https://github.com/topkecleon/telegram-bot-bash) and [Do
### Your really first bashbot in a nutshell
To install and run bashbot you need access to a linux/unix command line. If you don't know how to get access to a linux/unix/bsd like command line you should stop reading here :-(
To install and run bashbot you need access to a linux/unix command line. If you don't know how to get access to a linux/unixe command line you should stop reading here :-(
In addition you need a [Telegram client](https://telegram.org) and a mobile phone to [register an account](https://telegramguide.com/create-a-telegram-account/).
If you don't want to register for Telegram you should stop reading here ;-)
@ -72,10 +72,10 @@ If you don't want to register for Telegram you should stop reading here ;-)
After you're registered to Telegram send a message to [@botfather](https://telegram.me/botfather),
[create a new Telegram Bot token](doc/1_firstbot.md) and write it down. You need the token to install the bot.
Now open a linux/unix/bsd terminal and check if bash is installed: ```which bash && echo "bash installed!"```.
Now open a terminal and check if bash is installed: ```which bash && echo "bash installed!"```.
If you get an error message bash is not installed.
Create a new directory and change to it: ```mkdir tbb; cd tbb``` and download the latest '*.tar.gz' file from
Create a new directory, change to it: ```mkdir tbb; cd tbb``` and download the latest '*.tar.gz' file from
[https://github.com/topkecleon/telegram-bot-bash/releases](https://github.com/topkecleon/telegram-bot-bash/releases). This can be done with the commands:
```bash
wget -q https://github.com/$(wget -q https://github.com/topkecleon/telegram-bot-bash/releases/latest -O - | egrep '/.*/.*/.*tar.gz' -o)
@ -125,21 +125,21 @@ Running a Telegram Bot means it is connected to the public and you never know wh
Bash scripts in general are not designed to be bullet proof, so consider this Bot as a proof of concept. Bash programmers often struggle with 'quoting hell' and globbing, see [Implications of wrong quoting](https://unix.stackexchange.com/questions/171346/security-implications-of-forgetting-to-quote-a-variable-in-bash-posix-shells)
Whenever you are processing input from from untrusted sources (messages, files, network) you must be as careful as possible, e.g. set IFS appropriate, disable globbing (set -f) and quote everything. In addition delete unused scripts and examples from your Bot, e.g. scripts 'notify', 'calc', 'question', and disable all not used commands.
Whenever you are processing input from untrusted sources (messages, files, network) you must be as careful as possible, e.g. set IFS appropriate, disable globbing (set -f) and quote everything. In addition delete unused scripts and examples from your Bot, e.g. scripts 'notify', 'calc', 'question', and disable all not used commands.
**Note:** Until v0.941 (mai/22/2020) telegram-bot-bash had a remote code execution (RCE) bug, pls update if you use an older version!
**Note:** Until v0.941 (mai/22/2020) telegram-bot-bash had a remote code execution (RCE) bug, please update if you use an older version!
see [Issue #125](https://github.com/topkecleon/telegram-bot-bash/issues/125)
One of the most powerful features of unix shells like bash is variable and command substitution using ```${}``` and ```$()```,
but as they are expanded in double quotes, this can lead to RCE and information disclosing bugs in complex scripts like bashbot
even bash does much to avoid this. So it's more secure to escape or remove '$' in input from user, files or network.
One of the most powerful features of unix shells is variable and command substitution using ```${}``` and ```$()```,
but as they are expanded in double quotes, this can lead to RCE and information disclosing bugs in complex scripts like bashbot.
So it's more secure to escape or remove '$' in input from user, files or network.
A powerful tool to improve your scripts is ```shellcheck```. You can [use it online](https://www.shellcheck.net/) or [install shellcheck locally](https://github.com/koalaman/shellcheck#installing). Shellcheck is used extensive in bashbot development to enshure a high code quality, e.g. it's not allowed to push changes without passing all shellcheck tests.
A powerful tool to improve your scripts is ```shellcheck```. You can [use it online](https://www.shellcheck.net/) or [install shellcheck locally](https://github.com/koalaman/shellcheck#installing). Shellcheck is used extensive in bashbot development to ensure a high code quality, e.g. it's not allowed to push changes without passing all shellcheck tests.
In addition bashbot has a [test suite](doc/7_develop.md) to check if important functionality is working as expected.
### use printf whenever possible
### Use printf whenever possible
If you're writing a script and it is taking external input (from the user as arguments, or file names from the file system...),
If you're writing a script and it is taking external input (from the user as arguments or file system...),
you shouldn't use echo to display it. [Use printf whenever possible](https://unix.stackexchange.com/a/6581)
```bash
@ -161,7 +161,7 @@ you shouldn't use echo to display it. [Use printf whenever possible](https://uni
**We stay with /bin/bash shebang, because it's more save from security perspective.**
Using a fixed path to the system provided bash makes it harder for attackers or users to place alternative versions of bash
Use of a fixed path to the system provided bash makes it harder for attackers or users to place alternative versions of bash
and avoids using a possibly broken, mangled or compromised bash executable.
If you are a BSD / MacOS user or must to use an other bash location, see [Install Bashbot](doc/0_install.md)
@ -169,31 +169,31 @@ If you are a BSD / MacOS user or must to use an other bash location, see [Insta
### Run your Bot as a restricted user
**I recommend to run your bot as a user, with almost no access rights.**
All files your Bot have write access to are in danger to be overwritten/deleted if your bot is hacked.
For the same reason every file your Bot can read is in danger to be disclosed. Restict your Bots access rights to the absolute minimum.
For the same reason every file your Bot can read is in danger to be disclosed. Restrict your Bots access rights to the absolute minimum.
**Never run your Bot as root, this is the most dangerous you can do!** Usually the user 'nobody' has almost no rights on Unix/Linux systems. See [Expert use](doc/4_expert.md) on how to run your Bot as an other user.
**Never run your Bot as root, this is the most dangerous you can do!** Usually the user 'nobody' has almost no rights on unix/linux systems. See [Expert use](doc/4_expert.md) on how to run your Bot as an other user.
### Secure your Bot installation
**Your Bot configuration must no be readable from other users.** Everyone who can read your Bots token can act as your Bot and has access to all chats your Bot is in!
**Your Bot configuration must no be readable from other users.** Everyone who can read your Bots token is able to act as your Bot and has access to all chats the Bot is in!
Everyone with read access to your Bot files can extract your Bots data. Especially your Bot Token in ```token``` must be protected against other users. No one except you must have write access to the Bot files. The Bot must be restricted to have write access to ```count``` and ```tmp-bot-bash``` only, all other files must be write protected.
Everyone with read access to your Bot files can extract your Bots data. Especially your Bot Token in ```token``` must be protected against other users. No one except you should have write access to the Bot files. The Bot should be restricted to have write access to ```count``` and ```tmp-bot-bash``` only, all other files must be write protected.
To set access rights for your bashbot installation to a reasonable default run ```sudo ./bashbot.sh init``` after every update or change to your installation directory.
## FAQ
### Is this Bot insecure?
Bashbot is not more (in)secure as any other Bot written in any other language, we have done our best to make it as secure as possible. But YOU are responsible for the bot commands you wrote and you should know about the risks ...
Bashbot is not more (in)secure as any Bot written in an other language, we have done our best to make it as secure as possible. But YOU are responsible for the bot commands you wrote and you should know about the risks ...
**Note:** Until v0.941 (mai/22/2020) telegram-bot-bash has a remote code execution bug, pls update if you use an older version!
**Note:** Until v0.941 (mai/22/2020) telegram-bot-bash has a remote code execution bug, please update if you use an older version!
### Why Bash and not the much better xyz?
Well, that's a damn good question ... may be because I'm an Unix/Linux admin from stone age. Nevertheless there are more reasons from my side:
Well, that's a damn good question ... may be because I'm an unix admin from stone age. Nevertheless there are more reasons from my side:
- bashbot will run everywhere where bash and (gnu) sed is available, from embedded linux to mainframe
- easy to integrate with other shell script, e.g. for sending system message / health status
- no need to install or learn a new programming language, library or framework
- no database, not event driven, not OO ...
- no database, not event driven, not object oriented ...
### Can I have the single bashbot.sh file back?
At the beginning bashbot was simply the file ```bashbot.sh``` you can copy everywhere and run the bot. Now we have 'commands.sh', 'mycommands.sh', 'modules/*.sh' and much more.
@ -237,7 +237,7 @@ wget -t 1 -T 10 https://api.telegram.org/bot
Since Version 0.96 bashbot offers the option to recover from broken connections (aka blocked). Therefore you can provide a function
named `bashbotBlockRecover()` in `mycommands.sh`. If the function exists it is called every time when a broken connection is detected.
Possible actions are: Check if network is working, change IP or simply wait some time.
Possible actions are: Check if network is working, change IP-Adress or simply wait some time.
If everything seems OK return 0 for retry or any non 0 value to give up.
@ -245,7 +245,7 @@ If everything seems OK return 0 for retry or any non 0 value to give up.
# called when bashbot sedn command failed because we can not connect to telegram
# return 0 to retry, return non 0 to give up
bashbotBlockRecover() {
# place your commands to unblock here, e.g. change IP or simply wait
# place your commands to unblock here, e.g. change IP-Adess or simply wait
sleep 60 && return 0 # may be temporary
return 1
}
@ -259,4 +259,4 @@ bashbotBlockRecover() {
If you feel that there's something missing or if you found a bug, feel free to submit a pull request!
#### $$VERSION$$ v0.99-dev2-6-gb641a18
#### $$VERSION$$ v0.99-dev2-14-g6e02423

75
README.txt
View File

@ -3,10 +3,10 @@ src="https://raw.githubusercontent.com/odb/official-bash-logo/master/assets/Logo
s/Icons/PNG/64x64.png" >
Bashbot - A Telegram bot written in bash.
</h2>
Written by Drew (@topkecleon), Daniil Gentili (@danogentili), and Kay M
(@gnadelwartz).
Written by Drew (@topkecleon) and Kay M (@gnadelwartz).
Contributions by JuanPotato, BigNerd95, TiagoDanin, and iicc1.
Contributions by Daniil Gentili (@danogentili), JuanPotato, BigNerd95,
TiagoDanin, and iicc1.
Released to the public domain wherever applicable.
Elsewhere, consider it released under the
@ -78,8 +78,8 @@ available on www.github.com
### Your really first bashbot in a nutshell
To install and run bashbot you need access to a linux/unix command line. If you
don't know how to get access to a linux/unix/bsd like command line you should
stop reading here :-(
don't know how to get access to a linux/unixe command line you should stop
reading here :-(
In addition you need a [Telegram client](https://telegram.org) and a mobile
phone to [register an
@ -91,12 +91,12 @@ After you're registered to Telegram send a message to
[create a new Telegram Bot token](doc/1_firstbot.md) and write it down. You
need the token to install the bot.
Now open a linux/unix/bsd terminal and check if bash is installed: ```which
bash && echo "bash installed!"```.
Now open a terminal and check if bash is installed: ```which bash && echo "bash
installed!"```.
If you get an error message bash is not installed.
Create a new directory and change to it: ```mkdir tbb; cd tbb``` and download
the latest '*.tar.gz' file from
Create a new directory, change to it: ```mkdir tbb; cd tbb``` and download the
latest '*.tar.gz' file from
[https://github.com/topkecleon/telegram-bot-bash/releases](https://github.com/to
pkecleon/telegram-bot-bash/releases). This can be done with the commands:
```bash
@ -162,35 +162,35 @@ and globbing, see [Implications of wrong
quoting](https://unix.stackexchange.com/questions/171346/security-implications-o
f-forgetting-to-quote-a-variable-in-bash-posix-shells)
Whenever you are processing input from from untrusted sources (messages, files,
Whenever you are processing input from untrusted sources (messages, files,
network) you must be as careful as possible, e.g. set IFS appropriate, disable
globbing (set -f) and quote everything. In addition delete unused scripts and
examples from your Bot, e.g. scripts 'notify', 'calc', 'question', and disable
all not used commands.
**Note:** Until v0.941 (mai/22/2020) telegram-bot-bash had a remote code
execution (RCE) bug, pls update if you use an older version!
execution (RCE) bug, please update if you use an older version!
see [Issue #125](https://github.com/topkecleon/telegram-bot-bash/issues/125)
One of the most powerful features of unix shells like bash is variable and
command substitution using ```${}``` and ```$()```,
One of the most powerful features of unix shells is variable and command
substitution using ```${}``` and ```$()```,
but as they are expanded in double quotes, this can lead to RCE and information
disclosing bugs in complex scripts like bashbot
even bash does much to avoid this. So it's more secure to escape or remove '$'
in input from user, files or network.
disclosing bugs in complex scripts like bashbot.
So it's more secure to escape or remove '$' in input from user, files or
network.
A powerful tool to improve your scripts is ```shellcheck```. You can [use it
online](https://www.shellcheck.net/) or [install shellcheck
locally](https://github.com/koalaman/shellcheck#installing). Shellcheck is used
extensive in bashbot development to enshure a high code quality, e.g. it's not
extensive in bashbot development to ensure a high code quality, e.g. it's not
allowed to push changes without passing all shellcheck tests.
In addition bashbot has a [test suite](doc/7_develop.md) to check if important
functionality is working as expected.
### use printf whenever possible
### Use printf whenever possible
If you're writing a script and it is taking external input (from the user as
arguments, or file names from the file system...),
arguments or file system...),
you shouldn't use echo to display it. [Use printf whenever
possible](https://unix.stackexchange.com/a/6581)
@ -215,8 +215,8 @@ possible](https://unix.stackexchange.com/a/6581)
**We stay with /bin/bash shebang, because it's more save from security
perspective.**
Using a fixed path to the system provided bash makes it harder for attackers or
users to place alternative versions of bash
Use of a fixed path to the system provided bash makes it harder for attackers
or users to place alternative versions of bash
and avoids using a possibly broken, mangled or compromised bash executable.
If you are a BSD / MacOS user or must to use an other bash location, see
@ -227,20 +227,20 @@ If you are a BSD / MacOS user or must to use an other bash location, see
All files your Bot have write access to are in danger to be overwritten/deleted
if your bot is hacked.
For the same reason every file your Bot can read is in danger to be disclosed.
Restict your Bots access rights to the absolute minimum.
Restrict your Bots access rights to the absolute minimum.
**Never run your Bot as root, this is the most dangerous you can do!** Usually
the user 'nobody' has almost no rights on Unix/Linux systems. See [Expert
the user 'nobody' has almost no rights on unix/linux systems. See [Expert
use](doc/4_expert.md) on how to run your Bot as an other user.
### Secure your Bot installation
**Your Bot configuration must no be readable from other users.** Everyone who
can read your Bots token can act as your Bot and has access to all chats your
Bot is in!
can read your Bots token is able to act as your Bot and has access to all chats
the Bot is in!
Everyone with read access to your Bot files can extract your Bots data.
Especially your Bot Token in ```token``` must be protected against other users.
No one except you must have write access to the Bot files. The Bot must be
No one except you should have write access to the Bot files. The Bot should be
restricted to have write access to ```count``` and ```tmp-bot-bash``` only,
all other files must be write protected.
@ -251,23 +251,23 @@ directory.
## FAQ
### Is this Bot insecure?
Bashbot is not more (in)secure as any other Bot written in any other language,
we have done our best to make it as secure as possible. But YOU are responsible
for the bot commands you wrote and you should know about the risks ...
Bashbot is not more (in)secure as any Bot written in an other language, we have
done our best to make it as secure as possible. But YOU are responsible for the
bot commands you wrote and you should know about the risks ...
**Note:** Until v0.941 (mai/22/2020) telegram-bot-bash has a remote code
execution bug, pls update if you use an older version!
execution bug, please update if you use an older version!
### Why Bash and not the much better xyz?
Well, that's a damn good question ... may be because I'm an Unix/Linux admin
from stone age. Nevertheless there are more reasons from my side:
Well, that's a damn good question ... may be because I'm an unix admin from
stone age. Nevertheless there are more reasons from my side:
- bashbot will run everywhere where bash and (gnu) sed is available, from
embedded linux to mainframe
- easy to integrate with other shell script, e.g. for sending system message /
health status
- no need to install or learn a new programming language, library or framework
- no database, not event driven, not OO ...
- no database, not event driven, not object oriented ...
### Can I have the single bashbot.sh file back?
At the beginning bashbot was simply the file ```bashbot.sh``` you can copy
@ -324,8 +324,8 @@ Since Version 0.96 bashbot offers the option to recover from broken connections
named `bashbotBlockRecover()` in `mycommands.sh`. If the function exists it is
called every time when a broken connection is detected.
Possible actions are: Check if network is working, change IP or simply wait
some time.
Possible actions are: Check if network is working, change IP-Adress or simply
wait some time.
If everything seems OK return 0 for retry or any non 0 value to give up.
@ -333,7 +333,8 @@ If everything seems OK return 0 for retry or any non 0 value to give up.
# called when bashbot sedn command failed because we can not connect to telegram
# return 0 to retry, return non 0 to give up
bashbotBlockRecover() {
# place your commands to unblock here, e.g. change IP or simply wait
# place your commands to unblock here, e.g. change IP-Adess or simply
wait
sleep 60 && return 0 # may be temporary
return 1
}
@ -348,4 +349,4 @@ bashbotBlockRecover() {
If you feel that there's something missing or if you found a bug, feel free to
submit a pull request!
#### $$VERSION$$ v0.99-dev2-6-gb641a18
#### $$VERSION$$ v0.99-dev2-14-g6e02423