
Verification of command binaries before execution

Are there any methods to check what you are actually executing from a bash script? Say your bash script is calling several commands (for example: `tar`, `mail`, `scp`, `mysqldump`) and you are willing to make sure that `tar` is the actual, real `tar`, which is determinable by the `root` user being the file and parent directory owner and the only one with write permissions and not some `/tmp/surprise/tar` with `www-data` or `apache2` being the owner. Sure, I know about `PATH` and the environment; I'm curious to know whether this can be _additionally checked_ from a running bash script and, if so, how exactly?

Example (pseudo-code):

```
tarfile=$(which tar)
isroot=$(ls -l "$tarfile" | grep "root root")
# and so on...
```

Instead of validating binaries you're going to execute, you could execute the right binaries from the start. E.g. if you want to make sure you're not going to run `/tmp/surprise/tar`, just run `/usr/bin/tar` in your script. Alternatively, set your `$PATH` to a sane value before running anything.

If you don't trust files in `/usr/bin/` and other system directories, there's no way to regain confidence. In your example, you're checking the owner with `ls`, but how do you know you can trust `ls`? The same argument applies to other solutions such as `md5sum` and `strace`.

Where high confidence in system integrity is required, specialized solutions like IMA are used. But this is not something you could use from a script: the whole system has to be set up in a special way, with the concept of immutable files in place.
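
The answer's advice combined with the ownership check the question describes, as an added example that is not part of the original thread: the script pins `PATH`, then accepts a command only if the resolved file and its parent directory are owned by root and not writable by group or other. It assumes Linux with GNU coreutils (`stat -c`, `readlink -f`); `trusted_binary`, `owner_and_mode_ok` and `TRUSTED_UID` are names made up for this example.

```shell
#!/usr/bin/env bash
# Added example, not from the original thread. Assumes Linux with GNU coreutils
# (stat -c, readlink -f). Function names and TRUSTED_UID are hypothetical.

# Pin the search path first, so the helpers used below (stat, readlink,
# dirname) and every later command resolve from system directories only.
PATH=/usr/sbin:/usr/bin:/sbin:/bin
export PATH

# owner_and_mode_ok FILE UID: true if FILE is owned by UID and is not
# writable by group or other. Runs in a subshell, so variables stay local.
owner_and_mode_ok() (
    want=$2
    set -- $(stat -L -c '%u %a' -- "$1" 2>/dev/null)
    [ $# -eq 2 ] || exit 1              # stat failed
    [ "$1" = "$want" ] || exit 1        # wrong owner
    [ $(( 0$2 & 022 )) -eq 0 ]          # octal mode: no g+w, no o+w
)

# trusted_binary NAME_OR_ABSOLUTE_PATH [UID]: print the resolved absolute path
# when the file and its parent directory pass the check; fail otherwise.
trusted_binary() (
    uid=${2:-${TRUSTED_UID:-0}}         # default: root
    case $1 in
        */*) p=$1 ;;
        *)   p=$(command -v "$1") || exit 1 ;;
    esac
    case $p in /*) ;; *) exit 1 ;; esac # reject builtins, functions, relative paths
    real=$(readlink -f -- "$p") || exit 1
    [ -f "$real" ] && [ -x "$real" ] || exit 1
    owner_and_mode_ok "$real" "$uid" || exit 1
    owner_and_mode_ok "$(dirname -- "$real")" "$uid" || exit 1
    printf '%s\n' "$real"
)

# Resolve each command once, then call it only by the printed absolute path.
for cmd in tar mail scp mysqldump; do
    if bin=$(trusted_binary "$cmd"); then
        echo "ok: $cmd -> $bin"
    else
        echo "refusing: $cmd (not found, or not owned and writable by root only)" >&2
    fi
done
```

As the answer points out, this relies on `stat` and the shell themselves being intact, so it guards against a hijacked `PATH` or lax permissions, not against a compromised system directory.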
