I'm running a ksh script on AIX 7.2.

In debug mode I want to redirect all the script does to a brkpt-file.
The script also makes logins to another application and therefore uses a password (let's say "pw123_").

    exec > $brkpt_file 2>&1
    set -xv
    dsmadmc -id=admin -pa=pw123_ q pr

Redirection works fine, but I want to replace the password string with "***" so it's never visible in the brkpt-file.

That works fine on the command line:

    echo "dsmadmc -id=admin -pa=pw123_ q pr" | sed "s/-pa=[[:graph:]]* /-pa=*** /g"

Result:

    dsmadmc -id=admin -pa=*** q pr

But as soon as I use this "sed" in combination with "exec":
a) the output is not redirected to the file anymore but shown on the screen
b) the password string is not replaced

    exec | sed 's/-pa.*=[[:graph:]]* /pa=*** /g' > $brkpt_file 2>&1
    set -xv
    dsmadmc -id=admin -pa=pw123_ q pr

Result:

    + dsmadmc -id=admin -pa=pw123_ q pr
    + ... other stuff of script

How can I get all the script stuff in the brkpt-file AND hide the password?

Jeff Schaller
rudi
  • If you can have the password hard-coded in your script, then why is it a problem to have it in the log file? You could try expect to enter the password. – pLumo Apr 13 '21 at 09:03
  • Hi pLumo, thank you for your hint, but the password is NOT hardcoded in my script; that's just for this example because it does not affect the answer to my question. During script execution it is read/decoded from an encrypted file. But then it is passed to the application (and the brkpt-file) in clear text. – rudi Apr 13 '21 at 10:15

1 Answer

exec can't be used to pipe output directly into another program; it can only be used to redirect output to a file.

Fortunately, on Unix, everything is or can be made to look like it's a file.

For ksh (and for POSIX compatibility), you need to create a named fifo and redirect the script's output to that.

    #!/bin/ksh

    fifo=./exec.fifo
    log=./exec.ksh.log

    # delete the fifo if it already exists
    [ -e "$fifo" ] && rm -f "$fifo"

    mkfifo "$fifo"

    # now run the sed script in the background. Its purpose is to modify
    # the input coming from the fifo before saving it to the log file
    ( sed -e 's/-pa=[^ ]* /-pa=*** /g' < "$fifo" > "$log" ) &

    # set up a function and trap to delete the fifo on exit.
    cleanup () { rm -f "$fifo" ;}
    trap cleanup EXIT

    # now do the exec
    exec > "$fifo"

    # and finally do something that produces some output.
    echo "dsmadmc -id=admin -pa=pw123_ q pr"

When you run the script, the output will be filtered through sed via the fifo and then redirected to the log file:

    $ ./exec.ksh
    $ cat exec.ksh.log
    dsmadmc -id=admin -pa=*** q pr

If you are using bash, however, it's a bit easier. You can use Process Substitution to provide a "file" to redirect the output to instead of a fifo (the fifo method still works if you prefer to write portable shell scripts).

For example:

    #!/bin/bash

    exec 1> >(sed 's/-pa=[^ ]* /-pa=*** /g' > ./exec.bash.log)

    echo "dsmadmc -id=admin -pa=pw123_ q pr"

Again, the output will be modified by sed before being saved to the log file.

    $ ./exec.bash
    $ cat exec.bash.log
    dsmadmc -id=admin -pa=*** q pr
cas
  • (Noting the [tag:AIX] tag, bash is unlikely to be installed by default) – Jeff Schaller Apr 13 '21 at 12:06
  • @JeffSchaller Yeah, I know, and the OP specified ksh. That's why I did the ksh version. This topic is likely to be of interest to bash users too, so I made the bash version as well. – cas Apr 13 '21 at 12:07
  • @cas: That's great, it works perfectly. Thank you very much for the solution and for the explanation of what exactly happens. I would never have found that. – rudi Apr 14 '21 at 04:16
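
A hardened variant of the fifo approach from the answer above, as an added example that is not part of the original post: it sends stderr (where `set -x` writes its trace) through the filter as well, masks a `-pa=` value that ends the line, keeps the fifo in a private directory, and waits for sed so the log is complete on return. The names `run_masked` and `mask_secrets` are hypothetical, and `mktemp -d` is assumed to be available on the target system.

```sh
#!/bin/sh
# Added example; run_masked and mask_secrets are hypothetical names.

# Mask the value of every -pa= option, including one at end of line
# (the pattern does not require a trailing space).
mask_secrets() {
    sed -e 's/-pa=[^ ]*/-pa=***/g'
}

# run_masked LOGFILE COMMAND [ARGS...]
# Runs COMMAND with xtrace on; stdout and stderr both pass through
# mask_secrets before reaching LOGFILE. Returns COMMAND's exit status.
run_masked() {
    (
        log=$1; shift
        umask 077                     # fifo directory and new log: owner only
        # Assumption: mktemp -d is available on the target system.
        dir=$(mktemp -d "${TMPDIR:-/tmp}/brkpt.XXXXXX") || exit 1
        fifo=$dir/fifo
        mkfifo "$fifo" || exit 1

        mask_secrets < "$fifo" > "$log" &   # reader: filter, then write log
        filter=$!

        exec > "$fifo" 2>&1           # stderr too: set -x writes its trace there
        rc=0
        set -x
        "$@" || rc=$?
        set +x

        exec > /dev/null 2>&1         # close the fifo so sed sees EOF
        wait "$filter"                # log is complete once sed has exited
        rm -rf "$dir"
        exit "$rc"
    )
}
```

Masking the log does not hide the argument from `ps` while the command itself is running.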