.Sh file execution through IBM BigFix

Hello All,

I have a .sh file which needs to be downloaded and executed on a non-Windows server.
Can anyone guide me on how to create an action script if I have a .sh file?

Any help will be appreciated.

In a new action, change “Script Type” to sh. Copy & Paste. Done.

Edit: Also this: https://www.bigfix.me/content/shelltoaction

Thanks runstymyers. The information was helpful, but I have a .sh file with two dependency files which need to be placed together, and after that the .sh file needs to be executed.

Any input will be highly appreciated :slight_smile:

Hello All,

I have written the below action script in order to execute the .sh file, but every time I am getting the action status as download failed.

prefetch a4e4c530e722d79efcb55593dce669724e0d83aa sha1:a4e4c530e722d79efcb55593dce669724e0d83aa size:2548 http://Root Server:52311/Uploads/a4e4c530e722d79efcb55593dce669724e0d83aa/Manish.bfswd
extract a4e4c530e722d79efcb55593dce669724e0d83aa
wait mkdir /tmp/mypam
copy "__Download/Mypam" "/tmp/mypam/Mypam"
wait chmod 444 /tmp/mypam/Mypam
wait chmod 755 /tmp/mypam/Mypam
run /tmp/mypam/Mypam/mypam_mypamrec_build.sh

Any help will be highly appreciated.

I would think you could write a separate fixlet that just goes to the directory and fetches the files through “wget” or something, and then run the actual script as a separate fixlet.

Thanks,
Abhijit

I have got a little success in executing the action script, but now the last line is failing.

Completed prefetch a4e4c530e722d79efcb55593dce669724e0d83aa sha1:a4e4c530e722d79efcb55593dce669724e0d83aa size:2548 http://RootServer4e4c530e722d79efcb55593dce669724e0d83aa/Manish.bfswd 
Completed extract a4e4c530e722d79efcb55593dce669724e0d83aa 
Completed wait mkdir /tmp/mypam 
Completed move "__Download/Mypam" "/tmp/mypam/Mypam" 
Completed wait chmod 444 /tmp/mypam/Mypam 
Completed wait chmod 755 /tmp/mypam/Mypam 
Failed wait /tmp/mypam/Mypam/mypam_mypamrec_build.sh

Any input on this will be helpful.

This is not the method I would recommend for running a script, though it should actually work if all the parts are working correctly. The missing piece is that you can’t just use wait whatever.sh; that is the part where you are having trouble. You instead need to do wait ./path/whatever.sh or something like wait sh -c path/whatever.sh

How complicated is the .sh file? How many lines?

The way I would recommend doing this is using the CREATE FILE command to actually create the script inline without a download, mark it as executable, then run it.

delete __createfile

createfile until END_OF_FILE
#!/bin/sh
put_the_script_contents_here_and_escape_these:{}_ifAny
END_OF_FILE

delete _script.sh
copy __createfile _script.sh

wait chmod u+x _script.sh
wait sh -c _script.sh

// This option might not always work: wait ./_script.sh

You could place the SSH files in the same way using the CREATE FILE command or you could download them.

One advantage of not using downloads is that the client doesn’t have to wait for other actions’ downloads to finish before it can run this, though it also isn’t a good idea to have a CREATE FILE that is very, very large.


Using wget or curl for this isn’t a good idea because then the script isn’t being downloaded through the relay infrastructure, which can have issues, plus then the script contents aren’t being signed and validated by the console user, which means you could be running arbitrary code if not done properly. This method should be avoided if possible.


Be aware that it may not be possible to mark it executable, so the wait /bin/sh -c <script file> would be preferred.

Often the /var and /tmp directories are hardened to not allow executables.


Good point. I wonder if I have hit that limitation before without realizing it.

I seem to be using both wait sh -c _script.sh and wait ./_script.sh lately. For some reason I haven’t been using the path to sh like this: wait /bin/sh -c _script.sh

It just occurred to me that if you have the SSH keys in an unencrypted download and those keys allow this script to do something on the network, then anything that could get that download could do the same or more.

You probably want to be using a secure parameter for the SSH private key. It isn’t a good idea to use it in a download like this since anyone who can get at the download can then get the private key.
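Pulling together the three recommendations above (create the script inline with CREATE FILE, run it through /bin/sh so no executable bit is needed on a hardened /tmp, and keep the private key out of the download), here is an added example action script that is not from any poster in this thread. It assumes a secure action parameter named ssh_private_key that can be referenced like an ordinary parameter, and /tmp/bfrun and the script body are constructed placeholders.

```actionscript
// Added example, not from the thread. Assumes a secure action parameter
// named "ssh_private_key"; /tmp/bfrun and the script body are placeholders.

// Private working directory so the key is never world-readable
delete /tmp/bfrun/id_key
delete /tmp/bfrun/run.sh
wait mkdir -m 700 /tmp/bfrun

// Script created inline: no download, so no relay wait, and the content is
// signed with the action. A literal "{" inside createfile is written "{{".
delete __createfile
createfile until END_OF_FILE
#!/bin/sh
set -eu
KEYFILE="$1"
# placeholder body: replace with the real work, e.g.
#   ssh -i "$KEYFILE" -o BatchMode=yes -o StrictHostKeyChecking=yes user@host.example.invalid 'uptime'
test -r "$KEYFILE" || exit 2
echo "running with key $KEYFILE"
END_OF_FILE
copy __createfile /tmp/bfrun/run.sh

// Key comes from the secure parameter and is decrypted only on the endpoint
delete __createfile
createfile until END_OF_KEY
{parameter "ssh_private_key" of action}
END_OF_KEY
copy __createfile /tmp/bfrun/id_key
wait chmod 600 /tmp/bfrun/id_key

// Run through the interpreter: works even if /tmp is mounted noexec
wait /bin/sh /tmp/bfrun/run.sh /tmp/bfrun/id_key
continue if {exit code of action = 0}

// Remove the key material once the script has finished
delete /tmp/bfrun/id_key
```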

The .sh file contains more than 15 lines, but I have used
wait sh -c “Full path of file” and it is helping me to execute the .sh file on the HP-UX box, and
wait bash “Full path of file” and it is helping me to execute the .sh file on Linux and AIX boxes. Below is the action script which I am using:

extract 98cd6a911e2d2dbfebafad5245a83035b046bdfb
wait mkdir /tmp/BigFix1
move "__Download/Mypam" "/tmp/BigFix1/Mypam"
wait chmod 755 /tmp/BigFix1/Mypam
// -R goes before the mode: AIX and HP-UX chmod do not accept options after it
wait chmod -R 700 /tmp/BigFix1/Mypam/.ssh
// "-x" would remove the execute bit again; 755 alone is what was intended
wait chmod 755 /tmp/BigFix1/Mypam/mypam_mypamrec_build.sh
if {name of operating system as lowercase contains "hp-ux"}
wait /bin/sh -c /tmp/BigFix1/Mypam/mypam_mypamrec_build.sh
elseif {(name of operating system as lowercase contains "aix") or (name of operating system as lowercase contains "linux")}
wait bash /tmp/BigFix1/Mypam/mypam_mypamrec_build.sh
endif

Thanks everyone for the prompt response on this issue :slight_smile:


So this is working now?

Yes now it’s working.