Mini Shell
Direktori : /usr/share/cagefs/ |
|
Current File : //usr/share/cagefs/check_params.py |
#!/opt/cloudlinux/venv/bin/python3 -bb
# -*- coding: utf-8 -*-
# Copyright © Cloud Linux GmbH & Cloud Linux Software, Inc 2010-2019 All Rights Reserved
#
# Licensed under CLOUD LINUX LICENSE AGREEMENT
# http://cloudlinux.com/docs/LICENSE.TXT
from __future__ import print_function
from __future__ import absolute_import
from __future__ import division
from __future__ import unicode_literals
import json
import os
import sys
import syslog
from typing import List
from future import standard_library
from future.utils import native_str
standard_library.install_aliases()
from builtins import *
CONFIGS_DIR = '/etc/cagefs/filters'
LOG_AUTHPRIV = 10<<3
def dmesg(debug, msg, *args):
if debug:
print(msg % args)
def load_config(command_path):
"""
Load JSON config by command name
"""
try:
name = os.path.basename(command_path)
f = open(os.path.join(CONFIGS_DIR, "%s.json" % name), "r")
full_config = json.load(f)
f.close()
except Exception:
return None
if len(full_config) == 1 and ("allow" in full_config or
"deny" in full_config or
"restrict_path" in full_config):
# get full config if only `allow` or `deny` or `restrict_path` key present in it
return full_config
# find config for command path or get default
return full_config.get(command_path, full_config.get("default", None))
def is_long_option(arg): # type: (str) -> bool
"""
Return True if arg is a long option name, not a parameter of an option
Long options start with a *double* dash.
:param arg: option or parameter
:type arg: string
"""
return arg.startswith('--')
def is_short_option(arg): # type: (str) -> bool
"""
Return True if arg is a short option name, not a parameter of an option
Short options start with a *single* dash.
:param arg: option or parameter
:type arg: string
"""
return arg.startswith('-') and not is_long_option(arg)
def is_same_option_type(arg1, arg2): # type: (str, str) -> bool
"""
Return True if both arguments were options of the same type, either long or short.
"""
same_short = is_short_option(arg1) and is_short_option(arg2)
same_long = is_long_option(arg1) and is_long_option(arg2)
return same_long or same_short
def is_flag_present(arg, flag, strict):
# type: (str, str, bool) -> bool
"""
Look for the flag inside the provided commandline argument.
The search algorithm depends on the `strict` parameter.
With strict processing:
* short options are treated as possible clusters, and finding a match anywhere
inside the argument string means that the flag is present.
* long options are split on `=` to discard their values, then compared in entirety.
Without it, the flag is simply compared to the start of the argument string.
:param arg: Argument string to look inside of.
:param flag: Flag to look for.
:param strict: Strict processing switch.
:raises RuntimeError: When the arg and the flag are both of the same
option type, but arg somehow is neither a long nor a short option.
:return: True if flag was found, False otherwise.
"""
if strict:
if not is_same_option_type(arg, flag):
return False
if is_long_option(arg):
# To cover the case of the long arg having a value attached, we split on '='.
# "--arg=10" -> ["--arg", "10"]
return arg.split("=")[0] == flag
elif is_short_option(arg):
# This method of searching may potentially run into problems, for example:
# "-p" in "-vf/etc/passwd" -> True
# However, such cases are false positives that will *block* execution, not permit it
# where it shouldn't be permitted.
# They just mean that the user has to edit the arguments to separate them.
return flag[1:] in arg
else:
# `not is_same_option_type` above should cover non-matching cases,
# so we shouldn't reach this code. But just in case:
raise ValueError("Argument and flag option types match, but arg is not an option")
else:
return arg.startswith(flag)
def has_denied_params(args, deny_list, strict_flag=False):
# type: (List[str], List[str], bool) -> bool
"""
Check if there are any forbidden options present in the arguments.
:param args: The argument list to check, without the program name.
:param deny_list: The list of forbidden options.
:param strict_flag: Strict processing, see `is_flag_present`.
:return: True if any forbidden flags are present, False otherwise.
"""
for arg in args:
# -- means that any following args are positional, not options.
# Therefore, no reason to process them as flags.
if arg == "--":
return False
for opt in deny_list:
if is_flag_present(arg, opt, strict_flag):
return True
return False
def strict_extra_params(arg, allow_list):
# type: (str, List[str]) -> bool
"""
Strict variant of checking for non-allowed parameters.
:param arg: Argument to check.
:param allow_list: List of allowed options.
:return: True if any non-allowed options are present, False otherwise.
"""
# Split the short option cluster into separate values, then search the allow_list.
# Like above, this'll run into the issue of false positives in cases of
# short arguments with attached values, but it's pretty much nessesary
# to allow for passing arbitrary arguments.
if is_short_option(arg):
# Short options inside filter files are listed with a dash.
# Therefore, we append a dash for comparsion.
arg_no_dash = arg[1:]
opts_not_allowed = ("-"+opt not in allow_list for opt in arg_no_dash)
if any(opts_not_allowed):
return True
# Long options are split on "=" to discard argument values.
if is_long_option(arg):
long_name = arg.split("=")[0]
if long_name not in allow_list:
return True
return False
def has_extra_params(args, allow_list, strict_flag=False):
# type: (List[str], List[str], bool) -> bool
"""
Check if all used args are allowed for the program.
:param args: The program's argv, without the program name.
:param allow_list: A list of allowed arguments. Dashes in front of names are present.
:param strict_flag: Strict processing flag, operates similarly to `is_flag_present`.
:return: Returns True if there are any arguments not in the allowed list, False otherwise.
"""
for arg in args:
if strict_flag:
if arg == "--":
return False
elif strict_extra_params(arg, allow_list):
return True
else:
if (is_short_option(arg) or is_long_option(arg)) and (arg not in allow_list):
return True
return False
def to_log(message, *args):
"""
Wrapper for syslog or other logging system
"""
syslog.openlog(native_str("cagefs.check_params"))
syslog.syslog(LOG_AUTHPRIV | syslog.LOG_PID, message % args)
syslog.closelog()
def addslash(path):
if path == '':
return '/'
if (path[-1] != '/'):
return '%s/' % (path,)
return path
def expanduser(path, user, home_dir):
home_dir = addslash(os.path.realpath(home_dir))
userpath = '~'+user
if path == '~' or path.startswith('~/'):
return os.path.realpath(path.replace('~', home_dir))
if path == userpath or path.startswith(userpath+'/'):
return os.path.realpath(path.replace(userpath, home_dir))
return os.path.realpath(path)
def check_path(user, homedir, command_path, args, restrict_path_list, debug = False):
"""
Return True when args contain paths that refer outside of user's home directory
:param args: parameters (options) from command line
:type args: list of strings
:param restrict_path_list: names of parameters (options) that should use paths inside user's home directory only
:type restrict_path_list: list of strings
"""
home_dir = addslash(os.path.realpath(homedir))
for i, arg in enumerate(args):
if arg in restrict_path_list:
try:
# path is specified in the next argument
path = args[i+1]
except IndexError:
continue
path = expanduser(path, user, home_dir)
path = addslash(path)
if not path.startswith(home_dir):
dmesg(debug, "Attempt to call program %s with %s %s parameters", command_path, args[i], args[i+1])
to_log("Attempt to call program %s with %s %s parameters", command_path, args[i], args[i+1])
return True
else:
for opt in restrict_path_list:
if arg.startswith(opt):
# path is specified in the current argument
path = arg[len(opt):]
path = expanduser(path, user, home_dir)
path = addslash(path)
if not path.startswith(home_dir):
dmesg(debug, "Attempt to call program %s with %s parameter", command_path, args[i])
to_log("Attempt to call program %s with %s parameter", command_path, args[i])
return True
return False
def main(user, homedir, params, debug = False):
"""
Program main function
:params - list of strings that specify command and its parameters, such as ['/path/command', '-a', 'arg', '-C', '/path/to/config']
"""
if len(params) == 0:
dmesg(debug, 'No parameters specified')
return 1
# permit execution of any command when called without parameters
if len(params) < 2:
dmesg(debug, 'Command has no parameters. Allow execution of command %s', params[0])
return 0
command_path = params[0]
args = params[1:]
config = load_config(command_path)
dmesg(debug, 'config: %s', str(config))
if not config:
dmesg(debug, 'Config not found. Allow execution of command %s', command_path)
return 0
allow_list = config.get("allow", None)
deny_list = config.get("deny", None)
restrict_path_list = config.get("restrict_path", None)
strict_flag = config.get("strict_options", False)
if not (allow_list or deny_list or restrict_path_list):
dmesg(debug, 'empty config - allow user to run the command')
return 0
if allow_list and deny_list:
dmesg(debug, 'invalid config - both allow and deny lists are specified. allow user to run the command')
return 0
if deny_list and has_denied_params(args, deny_list, strict_flag):
dmesg(debug, "Attempt to call program %s with denied parameters", command_path)
to_log("Attempt to call program %s with denied parameters", command_path)
return 2
if allow_list and has_extra_params(args, allow_list, strict_flag):
dmesg(debug, "Attempt to call program %s with extra parameters", command_path)
to_log("Attempt to call program %s with extra parameters", command_path)
return 2
if restrict_path_list and check_path(user, homedir, command_path, args, restrict_path_list, debug):
return 2
dmesg(debug, 'Execution allowed')
return 0
if __name__ == "__main__":
sys.exit(main(sys.argv[1], sys.argv[2], sys.argv[3:]))
Zerion Mini Shell 1.0