Does AppleScript’s do shell script log in history

applescriptSecurityterminal

I frequently use the do shell script command in AppleScript (AS) to return some information, including encrypted text.

One such example is:

set encrypted to (do shell script "echo 'my secret text' | openssl enc -aes-256-cbc -a -pass pass:Pass123")

If run in Terminal, this command logs in the history and can be viewed by typing: history, then pressing the Return key.

Problem:
The above example includes the plain text password as a parameter, and it shows in the history (when run in Terminal), from where it can easily be copied and used to reverse the encrypted string, no knowledge required.

AppleScript's log do shell script "history" command returns no data. Likewise, running the history command in the terminal – after the example encryption was run through AS, it also does not display the AS terminal command in this history. All in all, it leads me to believe that the AS command was obviously executed through a different shell. Knowing that the shell differs for every user (ie. my account cannot see the terminal history of another account), the question follows.

Question:
Does that mean there is no record of the AS command in any of the histories and logs kept by macOS at any time? Or is it burried somewhere accessible where it can be read, interpreted and hence the encryption reversed?

Though perhaps thought-provoking and open to opinion, I think it is within the answerable realm of questions. I am interested in the answer from a security point-of-view and hope to get a clearer picture of if / how / where terminal logs AS commands – like Terminal does with the history.
Thanks everyone.

Best Answer

If you run the following do shell script command in Script Editor:

do shell script "set"

Shown farther below is what's returned.

As one can see, there are no history related shell variables set and as such, to make a longer story short, there is no command history being saved.

If you want to read further, have a look at the HISTORY section in the bash manual page,

Also may be of interest, other command history Shell Variables e.g., HISTCONTROL, HISTFILE HISTFILESIZE, HISTIGNORE, HISTSIZE, HISTIGNORE, HISTSIZE and HISTTIMEFORMAT.

Also of note, when a Run Shell Script action in an Automator workflow is run, the same applies there as well, for the same reason as with the do shell script command in Script Editor, no history related shell variables are set.

Output of the set command from an AppleScript do shell script command:

Apple_PubSub_Socket_Render=/private/tmp/com.apple.launchd.HPRIi1Tsop/Render
BASH=/bin/sh
BASH_ARGC=()
BASH_ARGV=()
BASH_EXECUTION_STRING=set
BASH_LINENO=()
BASH_SOURCE=()
BASH_VERSINFO=([0]=\"3\" [1]=\"2\" [2]=\"57\" [3]=\"1\" [4]=\"release\" [5]=\"x86_64-apple-darwin17\")
BASH_VERSION='3.2.57(1)-release'
DIRSTACK=()
EUID=501
GROUPS=()
HOME=/Users/me
HOSTNAME=mes-Mac.local
HOSTTYPE=x86_64
IFS='   
'
LOGNAME=me
MACHTYPE=x86_64-apple-darwin17
OPTERR=1
OPTIND=1
OSTYPE=darwin17
PATH=/usr/bin:/bin:/usr/sbin:/sbin
POSIXLY_CORRECT=y
PPID=4330
PS4='+ '
PWD=/
SHELL=/bin/bash
SHELLOPTS=braceexpand:hashall:interactive-comments:posix
SHLVL=1
SSH_AUTH_SOCK=/private/tmp/com.apple.launchd.WQb3vmbYE7/Listeners
TERM=dumb
TMPDIR=/var/folders/w0/lht0h70x06b8hdb5lx474pkc0000gn/T/
UID=501
USER=me
XPC_FLAGS=0x0
XPC_SERVICE_NAME=0
_=sh
__CF_USER_TEXT_ENCODING=0x1F5:0x0:0x0

Related Solutions

Automator to execute shell script with an input text file, copy it to specific directory

EDIT: Workflow now works with one bug: running the workflow twice results in two copies of the control file being copied

Make a new Automator SERVICE. At the beginning, for "receives selected as input" choose "documents". Add the process "set value of variable" and make a new "destination path" variable (default variable name is "destination path"). Add the process "open finder items" to the beginning to open the control file. Add the process "run applescript" to the workflow the code is the following:

on run {input, parameters}

set LineNumber to (the line in which the path is specified in the control file)
tell application "TextEdit"
    set theVariable to paragraph LineNumber of document 1
    set thePath to POSIX path of theVariable
    set thePath to text 1 thru -2 of thePath
end tell

return thePath
end run

I don't know why this couldn't have been in the same block, but you need to add a separate AppleScript process. The code is as follows:

on run {input, parameters}

tell application "Finder"
    set theFolder to POSIX path of input & "/DEBIAN"
    try
        make new folder in folder input with properties {name:"DEBIAN"}
    end try
end tell

return theFolder
end run

Add the process "set value of variable" and make a new destination path variable (default name is "destination path 1").
Add the "get value of variable" process and get the value of the variable with the path of the input file ("destination path"). Click on "options" on this process and check "ignore this action's input".
After this, Automator has a process called "copy finder items" and this can be used to copy the input (the output of "get value of variable", which is the input file). This worked for me, hope it works for you as well. Good luck :)

MacOS – Why Does a Shell Script Trapping SIGTERM Work When Run Manually, But Not When Run via launchd

The ultimate problem here is that Bash does not normally kill its non-builtin children.

If bash is waiting for a command to complete and receives a signal for which a
trap has been set, the trap will not be executed until the command completes.
When bash is waiting for an asynchronous command  via  the  wait  builtin, the
reception of a signal for which a trap has been set will cause the wait builtin
to return immediately with an exit status greater than 128, immediately after
which  the trap is executed.

When you hit <CTRL>+<C> you're killing the shell script, which behaves normally -- but the sleep lives on. Use ps to see.

When try to stop things externally, via kill, then Bash as above. After some time-out period (I'm guessing 20 seconds) launchd then issues a kill -9 which the script cannot trap.

The solution is to issue a wait after the sleep, to indicate to Bash that it can interrupt itself:

sleep 86400 & wait

This will allow the script to be interrupted, but the sleep will still survive. I'm sure there's a way to kill the children, but I didn't bother looking it up...

Best Answer

Related Solutions

Automator to execute shell script with an input text file, copy it to specific directory

MacOS – Why Does a Shell Script Trapping SIGTERM Work When Run Manually, But Not When Run via launchd

Related Question