|Page 1||Page 2|
|In Other News||Tips of the Trade|
- Leading the list of published patches this week is a pair of potential denial of service vulnerabilities in openssl. Patches came in from Debian, Mandrake,
EnGarde Secure Linux, and SuSE.
- Debian also patched a privilege escalation bug in Samba.
Tips of the Trade
If you’ve ever needed to automate an application that requires some sort of user input (like telnet or ftp), you know exactly how difficult it is to do so. Shell scripts don’t quite cut it, which is where Expect comes in handy.
Expect is based on the Tcl programming language, which is perhaps less well-known now than it was a few years ago, when many introductory guides to assorted “freenixes” included a bit of information about Tcl, and its X Window counterpart Tk, as a way to get users started creating Unix GUIs. Regardless of Tcl’s current popularity, Expect can still handle many of the tasks that need user input that you don’t care to provide on your own. This includes fairly mundane things like generating a password and assigning it to a given user, or changing a password across multiple hosts on which you might have accounts. Its most common use is probably automating password entry (which makes it a bit of a menace unless users are well familiar with Unix permissions and know how to keep prying eyes from simply reading all of their Expect scripts).
Although it does help to know Tcl, Expect has a pretty simple-to-understand syntax. Here, for example, is a script that automates logging in to a bulletin board system:
#!/usr/bin/expect -f spawn telnet somehost.somewhere.com expect "User: " send "joeblowr" expect "Password:" send "mypasswordr" expect "Are you on an ANSI color terminal? (Y/N) ->" send "y" interact
Line 2 uses “spawn” to launch the telnet program, the “expect” commands on lines three, five, and seven all tell Expect to await specific prompts. Lines four and six send output (followed by r, which is the same as tapping the return key). The last line, “interact,” simply tells Expect to hand over control to the program session until it’s exited.
Autoexpect, which is part of the Expect package, acts as something of a macro recorder: It watches an interactive session and composes a working Expect script from what it observes. So even if the idea of learning yet another language makes you twitch, you might be able to get away without learning too much to take advantage of this powerful tool.