Mini Shell

Direktori : /usr/share/cagefs/
Upload File :
Current File : //usr/share/cagefs/check_params.py

#!/opt/cloudlinux/venv/bin/python3 -bb
# -*- coding: utf-8 -*-

# Copyright © Cloud Linux GmbH & Cloud Linux Software, Inc 2010-2019 All Rights Reserved
#
# Licensed under CLOUD LINUX LICENSE AGREEMENT
# http://cloudlinux.com/docs/LICENSE.TXT
from __future__ import print_function
from __future__ import absolute_import
from __future__ import division
from __future__ import unicode_literals
import json
import os
import sys
import syslog
from typing import List
from future import standard_library
from future.utils import native_str
standard_library.install_aliases()
from builtins import *

CONFIGS_DIR = '/etc/cagefs/filters'
LOG_AUTHPRIV = 10<<3

def dmesg(debug, msg, *args):
    if debug:
        print(msg % args)


def load_config(command_path):
    """
    Load JSON config by command name
    """
    try:
        name = os.path.basename(command_path)
        f = open(os.path.join(CONFIGS_DIR, "%s.json" % name), "r")
        full_config = json.load(f)
        f.close()
    except Exception:
        return None

    if len(full_config) == 1 and ("allow" in full_config or
                                  "deny" in full_config or
                                  "restrict_path" in full_config):
        # get full config if only `allow` or `deny` or `restrict_path` key present in it
        return full_config

    # find config for command path or get default
    return full_config.get(command_path, full_config.get("default", None))


def is_long_option(arg): # type: (str) -> bool
    """
    Return True if arg is a long option name, not a parameter of an option
    Long options start with a *double* dash.

    :param arg: option or parameter
    :type arg: string
    """
    return arg.startswith('--')

def is_short_option(arg): # type: (str) -> bool
    """
    Return True if arg is a short option name, not a parameter of an option
    Short options start with a *single* dash.

    :param arg: option or parameter
    :type arg: string
    """
    return arg.startswith('-') and not is_long_option(arg)

def is_same_option_type(arg1, arg2): # type: (str, str) -> bool
    """
    Return True if both arguments were options of the same type, either long or short.
    """
    same_short = is_short_option(arg1) and is_short_option(arg2)
    same_long = is_long_option(arg1) and is_long_option(arg2)
    return same_long or same_short

def is_flag_present(arg, flag, strict):
    # type: (str, str, bool) -> bool
    """
    Look for the flag inside the provided commandline argument.
    The search algorithm depends on the `strict` parameter.

    With strict processing:
    * short options are treated as possible clusters, and finding a match anywhere
    inside the argument string means that the flag is present.
    * long options are split on `=` to discard their values, then compared in entirety.

    Without it, the flag is simply compared to the start of the argument string.

    :param arg: Argument string to look inside of.
    :param flag: Flag to look for.
    :param strict: Strict processing switch.
    :raises RuntimeError: When the arg and the flag are both of the same
    option type, but arg somehow is neither a long nor a short option.
    :return: True if flag was found, False otherwise.
    """
    if strict:
        if not is_same_option_type(arg, flag):
            return False

        if is_long_option(arg):
            # To cover the case of the long arg having a value attached, we split on '='.
            # "--arg=10" -> ["--arg", "10"]
            return arg.split("=")[0] == flag
        elif is_short_option(arg):
            # This method of searching may potentially run into problems, for example:
            # "-p" in "-vf/etc/passwd" -> True
            # However, such cases are false positives that will *block* execution, not permit it
            # where it shouldn't be permitted.
            # They just mean that the user has to edit the arguments to separate them.
            return flag[1:] in arg
        else:
            # `not is_same_option_type` above should cover non-matching cases,
            # so we shouldn't reach this code. But just in case:
            raise ValueError("Argument and flag option types match, but arg is not an option")
    else:
        return arg.startswith(flag)


def has_denied_params(args, deny_list, strict_flag=False):
    # type: (List[str], List[str], bool) -> bool
    """
    Check if there are any forbidden options present in the arguments.

    :param args: The argument list to check, without the program name.
    :param deny_list: The list of forbidden options.
    :param strict_flag: Strict processing, see `is_flag_present`.
    :return: True if any forbidden flags are present, False otherwise.
    """
    for arg in args:
        # -- means that any following args are positional, not options.
        # Therefore, no reason to process them as flags.
        if arg == "--":
            return False

        for opt in deny_list:
            if is_flag_present(arg, opt, strict_flag):
                return True
    return False

def strict_extra_params(arg, allow_list):
    # type: (str, List[str]) -> bool
    """
    Strict variant of checking for non-allowed parameters.

    :param arg: Argument to check.
    :param allow_list: List of allowed options.
    :return: True if any non-allowed options are present, False otherwise.
    """
    # Split the short option cluster into separate values, then search the allow_list.
    # Like above, this'll run into the issue of false positives in cases of
    # short arguments with attached values, but it's pretty much nessesary
    # to allow for passing arbitrary arguments.
    if is_short_option(arg):
        # Short options inside filter files are listed with a dash.
        # Therefore, we append a dash for comparsion.
        arg_no_dash = arg[1:]
        opts_not_allowed = ("-"+opt not in allow_list for opt in arg_no_dash)
        if any(opts_not_allowed):
            return True

    # Long options are split on "=" to discard argument values.
    if is_long_option(arg):
        long_name = arg.split("=")[0]
        if long_name not in allow_list:
            return True
    return False


def has_extra_params(args, allow_list, strict_flag=False):
    # type: (List[str], List[str], bool) -> bool
    """
    Check if all used args are allowed for the program.

    :param args: The program's argv, without the program name.
    :param allow_list: A list of allowed arguments. Dashes in front of names are present.
    :param strict_flag: Strict processing flag, operates similarly to `is_flag_present`.
    :return: Returns True if there are any arguments not in the allowed list, False otherwise.
    """
    for arg in args:
        if strict_flag:
            if arg == "--":
                return False
            elif strict_extra_params(arg, allow_list):
                return True
        else:
            if (is_short_option(arg) or is_long_option(arg)) and (arg not in allow_list):
                return True
    return False


def to_log(message, *args):
    """
    Wrapper for syslog or other logging system
    """
    syslog.openlog(native_str("cagefs.check_params"))
    syslog.syslog(LOG_AUTHPRIV | syslog.LOG_PID, message % args)
    syslog.closelog()


def addslash(path):
    if path == '':
        return '/'
    if (path[-1] != '/'):
        return '%s/' % (path,)
    return path


def expanduser(path, user, home_dir):
    home_dir = addslash(os.path.realpath(home_dir))
    userpath = '~'+user
    if path == '~' or path.startswith('~/'):
        return os.path.realpath(path.replace('~', home_dir))
    if path == userpath or path.startswith(userpath+'/'):
        return os.path.realpath(path.replace(userpath, home_dir))
    return os.path.realpath(path)


def check_path(user, homedir, command_path, args, restrict_path_list, debug = False):
    """
    Return True when args contain paths that refer outside of user's home directory
    :param args: parameters (options) from command line
    :type args: list of strings
    :param restrict_path_list: names of parameters (options) that should use paths inside user's home directory only
    :type restrict_path_list: list of strings
    """
    home_dir = addslash(os.path.realpath(homedir))
    for i, arg in enumerate(args):
        if arg in restrict_path_list:
            try:
                # path is specified in the next argument
                path = args[i+1]
            except IndexError:
                continue
            path = expanduser(path, user, home_dir)
            path = addslash(path)
            if not path.startswith(home_dir):
                dmesg(debug, "Attempt to call program %s with %s %s parameters", command_path, args[i], args[i+1])
                to_log("Attempt to call program %s with %s %s parameters", command_path, args[i], args[i+1])
                return True
        else:
            for opt in restrict_path_list:
                if arg.startswith(opt):
                    # path is specified in the current argument
                    path = arg[len(opt):]
                    path = expanduser(path, user, home_dir)
                    path = addslash(path)
                    if not path.startswith(home_dir):
                        dmesg(debug, "Attempt to call program %s with %s parameter", command_path, args[i])
                        to_log("Attempt to call program %s with %s parameter", command_path, args[i])
                        return True
    return False



def main(user, homedir, params, debug = False):
    """
    Program main function
    :params - list of strings that specify command and its parameters, such as ['/path/command', '-a', 'arg', '-C', '/path/to/config']
    """

    if len(params) == 0:
        dmesg(debug, 'No parameters specified')
        return 1

    # permit execution of any command when called without parameters
    if len(params) < 2:
        dmesg(debug, 'Command has no parameters. Allow execution of command %s', params[0])
        return 0

    command_path = params[0]
    args = params[1:]
    config = load_config(command_path)
    dmesg(debug, 'config: %s', str(config))

    if not config:
        dmesg(debug, 'Config not found. Allow execution of command %s', command_path)
        return 0

    allow_list = config.get("allow", None)
    deny_list = config.get("deny", None)
    restrict_path_list = config.get("restrict_path", None)
    strict_flag = config.get("strict_options", False)

    if not (allow_list or deny_list or restrict_path_list):
        dmesg(debug, 'empty config - allow user to run the command')
        return 0

    if allow_list and deny_list:
        dmesg(debug, 'invalid config - both allow and deny lists are specified. allow user to run the command')
        return 0

    if deny_list and has_denied_params(args, deny_list, strict_flag):
        dmesg(debug, "Attempt to call program %s with denied parameters", command_path)
        to_log("Attempt to call program %s with denied parameters", command_path)
        return 2

    if allow_list and has_extra_params(args, allow_list, strict_flag):
        dmesg(debug, "Attempt to call program %s with extra parameters", command_path)
        to_log("Attempt to call program %s with extra parameters", command_path)
        return 2

    if restrict_path_list and check_path(user, homedir, command_path, args, restrict_path_list, debug):
        return 2

    dmesg(debug, 'Execution allowed')
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1], sys.argv[2], sys.argv[3:]))

Zerion Mini Shell 1.0