Beware of shell substitution

Someone was having trouble installing some software where they had to specify a password on the command line. The password happened to be something like big$$dog[1] and they were doing something like:

install -password big$$dog

It seemed OK, but when they went into the admin utility the password didn’t work. Anyone familiar with Unix shells should see the problem right away:

$ echo big$$dog

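In bash, ‘$$’ expands to the process ID of the current shell, and the shell performs that substitution before the command is run, so the installer received a different password from the one that was typed. Enclosing the password in single quotes would fix the problem.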
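The following is an added example, not part of the original post, showing what a command actually receives under each quoting style, plus a helper for quoting an arbitrary password safely. The names show_arg, sq_quote and needs_quoting are hypothetical, and show_arg stands in for the installer.

```sh
#!/bin/sh
# Added example, not from the original post.
# show_arg is a hypothetical stand-in for the installer: it echoes back
# exactly the argument the shell handed to it.
show_arg() { printf '%s' "$1"; }

# Constructed sample password with the same shape as the one in the post.
unquoted=$(show_arg big$$dog)     # $$ replaced by the shell's PID
double=$(show_arg "big$$dog")     # double quotes do not stop the expansion
single=$(show_arg 'big$$dog')     # single quotes pass the text literally
escaped=$(show_arg big\$\$dog)    # escaping each $ also works

# Quote any string for a POSIX shell command line: wrap it in single
# quotes and rewrite each embedded ' as '\'' (close, escaped quote, reopen).
sq_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Return 0 if the string contains anything outside a conservative safe
# set, meaning it could be altered or split when typed unquoted.
needs_quoting() {
    case $1 in
        *[!A-Za-z0-9_./:=@%+,-]*|'') return 0 ;;
        *) return 1 ;;
    esac
}

# Print what the stand-in command received in each case.
report() {
    printf 'unquoted : %s\n' "$unquoted"
    printf 'double   : %s\n' "$double"
    printf 'single   : %s\n' "$single"
    printf 'escaped  : %s\n' "$escaped"
    printf 'sq_quote : %s\n' "$(sq_quote 'big$$dog')"
}
report
```

Where a tool can read the password from a prompt or a file instead of an argument, that avoids the quoting problem and also keeps the password out of shell history and process listings.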

[1] Actual password & command name changed due to their proprietary nature.
