I need to write a Linux shell script that looks something like this -- it will be executed by a job-scheduling tool where ordinary end users can configure $1 and $2:
SERVER=$1
OPTIONS=$2
ssh -t remote_user_name@$SERVER 'ksh -lc "remote_command_name $OPTIONS"'
Looking here, I can see that I need to be careful how I write this to avoid "injection" issues.
(Not to mention, being inside single quotes, I don't actually have $OPTIONS interpolating at this point.)
In my case, acceptable options for remote_command_name are things like:
--helpconfig_file_path_to_run_against--verbose config_file_path_to_run_against
I'm not really a Linux person -- how would I get $OPTIONS interpolating and, to the extent possible, minimize "injection" vulnerabilities? (Note that the scheduling tool's configuration panel is already behind a login-wall that, if breached, probably means someone is already running amok. But to the extent possible, I'd like to avoid being the person who wrote something new for the scheduling tool that turns a phished user account into a lever to elevated wild privileges on the machines it schedules or that provides a handy privilege elevation lever for a malicious end user.)
FWIW, it looks like the shell of choice on both machines defaults to ksh.
