Timeline for Replace number from regexp capture with the output of a command using that number in sed
Current License: CC BY-SA 4.0
19 events
| when toggle format | what | by | license | comment | |
|---|---|---|---|---|---|
| Nov 1, 2024 at 18:36 | comment | added | Stéphane Chazelas | "with the result of the executed command" should probably be "with the standard output of the executed command stripped of up to one trailing newline character" | |
| Nov 1, 2024 at 18:33 | comment | added | Stéphane Chazelas | a b c are placeholders for 3 space separated words (type=SYSCALL msg=audit(1730485493.366:1135): arch=c000003e for instance), so you could match on ^\S+ \S+ \S+ syscall=... to avoid matching another potential occurrence of syscall= on the line. Using LC_ALL=C would avoid text decoding issue (possibly not possible with ausearch output though) and let you use [0-9] safely. Also note the T command of GNU sed which would simplify your branching. | |
| Nov 1, 2024 at 18:27 | comment | added | Stéphane Chazelas | Beware that if there's POSIXLY_CORRECT=something in the environment, [^\n] matches on characters other than backslash and n. You can just use s/^(.*)\n.../.../ here, since there will be only one newline. | |
| Nov 1, 2024 at 18:20 | comment | added | Digital Trauma | @StéphaneChazelas I refactored it more to remove the unnecessary printf dependency. Now the only command that can get is evaled is ausyscall <digit-string> | |
| Nov 1, 2024 at 18:18 | history | edited | Digital Trauma | CC BY-SA 4.0 | added 16 characters in body |
| Nov 1, 2024 at 16:57 | comment | added | Stéphane Chazelas | Much better now after your edit, though you'd want to add a \n. Note that the actual output of ausearch (which this is obviously about here) will have other digits before syscall=257 (a b c are just place holders), so the pattern would have to be amended. | |
| Nov 1, 2024 at 16:14 | history | edited | Digital Trauma | CC BY-SA 4.0 | added 16 characters in body |
| Nov 1, 2024 at 16:07 | history | edited | Digital Trauma | CC BY-SA 4.0 | added 24 characters in body |
| Nov 1, 2024 at 16:06 | history | rollback | Digital Trauma | Rollback to Revision 3 | |
| Nov 1, 2024 at 16:06 | history | edited | Digital Trauma | CC BY-SA 4.0 | added 40 characters in body |
| Nov 1, 2024 at 12:38 | comment | added | Stéphane Chazelas | Even your Update is highly unsafe. Single quoting doesn't help if the input may contain single quotes, %s are a problem for printf format. Beware [0-9] may match many characters besides 0123456789 depending on the locale. That e flag should really never be used. | |
| Nov 1, 2024 at 2:13 | comment | added | PRouleau | One point to highlight is that the beginning of the string of the first echo ends up being processed by the shell if not completely consumed. So if one would like to ensure that the number extracted is located at the right spot, the regexp would need to include 'syscall=' . To process lines of audit log and expand the system call # by its name the sed command could be: sed -E "s/^(.+ syscall=)([0-9]+) (.*)$/printf -- '\1%s \3' \$(ausyscall \2)/e". The -- in the printf handles a line taht starts with a dash. | |
| Nov 1, 2024 at 1:45 | vote | accept | PRouleau | ||
| Nov 1, 2024 at 1:45 | comment | added | PRouleau | You are correct, @Digital Trauma, the data validation is done by extracting the number (and in my original code I was giving context to where the number is located). | |
| Nov 1, 2024 at 1:39 | comment | added | Digital Trauma | @PRouleau Because the input is effectively validated as numeric-only in this case, I think with the printf version I just added, this should be safe against code-injection attacks. | |
| Nov 1, 2024 at 1:38 | history | edited | Digital Trauma | CC BY-SA 4.0 | added 594 characters in body |
| Nov 1, 2024 at 1:19 | comment | added | PRouleau | I am tempted to mark this as the solution, but now face the security dilemma that Kusalananda was trying to avoid. On the one hand promoting knowledge is good, one the other ensuring that everybody reading it really reads it and understands the potential danger remains. Perhaps adding a big caution note at the beginning of the port would complement the one that is at the end? | |
| Nov 1, 2024 at 0:59 | history | edited | Digital Trauma | CC BY-SA 4.0 | added 172 characters in body |
| Nov 1, 2024 at 0:54 | history | answered | Digital Trauma | CC BY-SA 4.0 |