be less restrictive for copying file into /root

author: Florent Villard <warly@mandriva.com> 2006-12-07 13:18:00 +0000
committer: Florent Villard <warly@mandriva.com> 2006-12-07 13:18:00 +0000
commit: 97e20ef2448702a405f4b9f7d2688a39b2a89365 (patch)
tree: 3006a7db0988bec7336323821e6aff52332936c4 /iurt_root_command
parent: f5e04b904298119c0272ac75f9132e9a0dafd761 (diff)
download: iurt-97e20ef2448702a405f4b9f7d2688a39b2a89365.tar
iurt-97e20ef2448702a405f4b9f7d2688a39b2a89365.tar.gz
iurt-97e20ef2448702a405f4b9f7d2688a39b2a89365.tar.bz2
iurt-97e20ef2448702a405f4b9f7d2688a39b2a89365.tar.xz
iurt-97e20ef2448702a405f4b9f7d2688a39b2a89365.zip
1 files changed, 63 insertions, 60 deletions
diff --git a/iurt_root_command b/iurt_root_command
index cfc763e..361e01d 100755
--- a/iurt_root_command
+++ b/iurt_root_command
@@ -20,6 +20,7 @@
 #
 # run commands which needs root privilege
 #
+use lib '/usr/local/lib/perl';
 
 use strict;
 my $program_name = 'iurt_root_command';
@@ -32,16 +33,16 @@ my $arg = @ARGV;
 my (@params, %run);
 $run{program_name} = $program_name;
 
-my %authorized_modules = ( 'unionfs' => 1 );
+my %authorized_modules = ('unionfs' => 1);
 my $sudo = '/usr/bin/sudo';
 
-$run{todo} = [ ];
+$run{todo} = [];
 @params = ( 
     #    [ "one letter option", "long name option", "number of args (-X means ´at least X´)", "help text", "function to call", "log info"]
     #
     # no_rsync, config_help and copy_srpm kept for compatibility reasons
     #
-    [ "", "$program_name", 0, "[--verbose <level>] 
+    [ "", $program_name, 0, "[--verbose <level>] 
 		    [--modprobe <module>] 
 		    [--mkdir [--parents] <dir1> <dir2> ... <dirn>]", 
     "$program_name is a perl script to execute commands which need root privilege, it helps probram which needs occasional root privileges for some commands.", 
@@ -52,7 +53,7 @@ $run{todo} = [ ];
             my ($tmp, @arg) = @_; 
             $tmp->[0] ||= {}; 
             push @$tmp, @arg; 
-            1 
+            1;
         }, "Setting cp command arguments"], 
         ["r", "recursive", 0, "",  
         "Also copy directories and subdirectories",  
@@ -66,7 +67,7 @@ $run{todo} = [ ];
             my ($tmp, @arg) = @_; 
             $tmp->[0] ||= {}; 
             push @$tmp, @arg; 
-            1 
+            1;
         }, "Setting ln command arguments"], 
 #        ["r", "recursive", 0, "",  
 #        "Also create needed parents directories",  
@@ -80,7 +81,7 @@ $run{todo} = [ ];
             my ($tmp, @arg) = @_; 
             $tmp->[0] ||= {}; 
             push @$tmp, @arg; 
-            1 
+            1;
         }, "Setting auto mode arguments"], 
         ["p", "parents", 0, "",  
         "Also create needed parents directories",  
@@ -94,7 +95,7 @@ $run{todo} = [ ];
             my ($tmp, @arg) = @_; 
             $tmp->[0] ||= {}; 
             push @$tmp, @arg; 
-            1 
+            1;
         }, "Setting rm command arguments"], 
         ["r", "recursive", 0, "",  
         "Also create needed parents directories",  
@@ -107,95 +108,97 @@ $run{todo} = [ ];
     \&initdb, "Initializing the rpm database" ],
     [ "v", "verbose", 1, "<verbose level>", 
     "modprobe try to modprobe the given module if authorized.", 
-    sub { $run{verbose} = @_->[0]; 1 }, "Setting verbose level" ],
+    sub { $run{verbose} = $_[0]; 1 }, "Setting verbose level" ],
     [ "", "modprobe", 1, "<module>]", 
     "modprobe try to modprobe the given module if authorized.", 
     \&modprobe, "Modprobing" ],
 );
 
 open(my $LOG, ">&STDERR");
-$run{LOG} = $LOG;
+$run{LOG} = sub { print $LOG @_ };
 
-plog_init($program_name, $LOG, $run{verbose});
+#plog_init($program_name, $LOG, $run{verbose});
+plog_init($program_name, $LOG, 7, 1);
 
 my $todo = parseCommandLine($program_name, \@ARGV, \@params);
 @ARGV and usage($program_name, \@params, "@ARGV, too many arguments");
+
 my $ok = 1;
 foreach my $t (@$todo)  {
-    plog(6, $t->[2]\n" if $run{verbose});
+    plog('DEBUG', $t->[2]);
     my $ok2 = &{$t->[0]}(\%run, @{$t->[1]});
-    $ok2 or print {$run{LOG}} "ERROR: $t->[2]\n";
+    $ok2 or plog("ERROR: $t->[2]");
     $ok &&= $ok2;
 }
-print "$program_name: Success!\n" if $ok;
+plog('DEBUG', "Success!") if $ok;
 exit !$ok;
 
 sub modprobe {
-    my ($run, $module) = @_;
+    my ($_run, $module) = @_;
     if (!$authorized_modules{$module}) {
 	plog("ERROR: unauthorized module $module");
-	return 0
+	return 0;
     }
     open my $modules, '/proc/modules';
-    my $ok;
     while (my $m = <$modules>) {
 	if ($m =~ /unionfs/) {
-	    return 1
+	    return 1;
 	}
     }
     system($sudo, "/sbin/depmod", "-a");
-    !system($sudo, "/sbin/modprobe", "-f", $module)
+    !system($sudo, "/sbin/modprobe", "-f", $module);
 }
 
 sub mkdir {
-    my ($run, $opt, @dir) = @_;
+    my ($_run, $opt, @dir) = @_;
     foreach my $path (@dir) {
 	-d $path and next;
-	if ($path =~ m,/dev|/proc|/root|/var, && $path !~ /chroot|unionfs/) {
-	    plog("ERROR: $path creation forbidden");
+	if ($path =~ m,/dev|/proc|/var, && $path !~ /chroot|unionfs/) {
+	    plog('FAIL', "ERROR: $path creation forbidden");
 	}
 	if ($opt->{parents}) {
-	    mkdir_p $path
+	    mkdir_p $path;
 	} else {
-	    mkdir $path
+	    mkdir $path;
 	}
     }
-    1
+    1;
 }
 
 sub initdb {
-    my ($run, $chroot) = @_;
+    my ($_run, $chroot) = @_;
     if (-d $chroot && $chroot !~ /chroot|unionfs/) {
-	plog($program_name: rpm --initdb not authorized in $chroot");
-	return 0
+	plog('FAIL', "rpm --initdb not authorized in $chroot");
+	return 0;
     }
-    !system("rpm", "--initdb", "--root", "$chroot")
+    !system('rpm', '--initdb', '--root', $chroot);
 }
 
 sub rm {
-    my ($run, $opt, @files) = @_;
+    my ($_run, $opt, @files) = @_;
     my $ok = 1;
     my $done;
-    my $unauthorized = "^(/etc|/root|/dev|/var|/lib|/usr)";
+    my $unauthorized = "^(/etc|/dev|/var|/lib|/usr)";
+
     foreach my $f (@files) {
 	if (-d $f) {
 	    if (!$opt->{recursive}) {
-		plog("can't remove directories without the -r option");
-		$ok = 0
+		plog('WARN', "can't remove directories without the -r option");
+		$ok = 0;
 	    } else {
 		if ($f =~ m,$unauthorized,) {
-		    plog("removal of $f forbidden");
-		    $ok = 0
+		    plog('FAIL', "removal of $f forbidden");
+		    $ok = 0;
 		} else {
 		    system($sudo, 'rm', '-rf', $f);
-		    plog(1, "removing $f");
-		    $done = 1
+		    plog('DEBUG', "removing $f");
+		    $done = 1;
 		}
 	    }
 	} else {
 	    if ($f =~ m,/$unauthorized,) {
 		plog("removal of $f forbidden");
-		$ok = 0
+		$ok = 0;
 	    } else {
 		# CM: The original regexp was /\*?/, which doesn't seem to be
 		#     what we want. Check if we can always glob instead of
@@ -204,77 +207,77 @@ sub rm {
 		if ($f =~ /[*?]/) {
 		    foreach my $file (glob $f) {
 			if ($f =~ m,$unauthorized,) {
-			    plog("removal of $f forbidden");
-			    $ok = 0
+			    plog('FAIL', "removal of $f forbidden");
+			    $ok = 0;
 			} else {
 			    unlink $file;
 			    $done = 1;
-			    plog(1, "removing $file");
+			    plog('DEBUG', "removing $file");
 			}
 		    }
 		} else {
 		    unlink $f;
 		    $done = 1;
-		    plog(1, "removing $f");
+		    plog('DEBUG', "removing $f");
 		}
 	    }
 	}
     }
-    if (!$done) { plog("nothing deleted"); }
-    $ok
+    if (!$done) { plog('DEBUG', "nothing deleted") }
+    $ok;
 }
 
 sub cp {
-    my ($run, $opt, @files) = @_;
+    my ($_run, $opt, @files) = @_;
     my $ok = 1;
     my $done;
     my $dest = pop @files;
-    my $unauthorized = "^(/etc|/root|/dev|/var|/lib|/usr)";
+    my $unauthorized = "^(/etc|/dev|/var|/lib|/usr)";
     if ($dest =~ /$unauthorized/ || $dest eq '/') {
-	plog("copying to $dest forbidden");
-	return
+	plog('FAIL', "copying to $dest forbidden");
+	return;
     }	
     foreach my $f (@files) {
 	if (-d $f) {
 	    if (!$opt->{recursive}) {
-		plog("can't copy directories without the -r option");
-		$ok = 0
+		plog('WARN', "can't copy directories without the -r option");
+		$ok = 0;
 	    } else {
 		system($sudo, 'cp', '-raf', $f);
-		plog(1, "copying $f -> $dest");
-		$done = 1
+		plog('DEBUG', "copying $f -> $dest");
+		$done = 1;
 	    }
 	} else {
 	    if ($f =~ /\*?/) {
 		foreach my $file (glob $f) {
 		    if (copy $file, $dest) {
 			$done = 1;
-			plog(1, "copying $file -> $dest");
+			plog('DEBUG', "copying $file -> $dest");
 		    } else {
 			$ok = 0;
-			plog(1, "copying $file to $dest failed ($!)");
+			plog('FAIL', "copying $file to $dest failed ($!)");
 		    }
 		}
 	    } else {
 		if (copy $f, $dest) {
 		    $done = 1;
-		    plog(1, "copying $f -> $dest");
+		    plog('DEBUG', "copying $f -> $dest");
 		} else {
 		    $ok = 0;
-		    plog(1, "copying $f to $dest failed ($!)");
+		    plog('FAIL', "copying $f to $dest failed ($!)");
 		}
 	    }
 	}
     }
-    if (!$done) { plog("nothing copied"); }
-    $ok
+    if (!$done) { plog('DEBUG', "nothing copied") }
+    $ok;
 }
 
 sub ln {
-    my ($run, $opt, $file1, $file2) = @_;
-    my $unauthorized = "^(/etc|/root|/dev|/var|/lib|/usr)";
+    my ($_run, $_opt, $file1, $file2) = @_;
+    my $unauthorized = "^(/etc|/dev|/var|/lib|/usr)";
     if ($file2 =~ /$unauthorized/ || $file2 eq '/') {
-	plog("linking to $file2 forbidden");
+	plog('FAIL', "linking to $file2 forbidden");
 	return;
     }	
     link $file1, $file2;
author	Florent Villard <warly@mandriva.com>	2006-12-07 13:18:00 +0000
committer	Florent Villard <warly@mandriva.com>	2006-12-07 13:18:00 +0000
commit	97e20ef2448702a405f4b9f7d2688a39b2a89365 (patch)
tree	3006a7db0988bec7336323821e6aff52332936c4 /iurt_root_command
parent	f5e04b904298119c0272ac75f9132e9a0dafd761 (diff)
download	iurt-97e20ef2448702a405f4b9f7d2688a39b2a89365.tar iurt-97e20ef2448702a405f4b9f7d2688a39b2a89365.tar.gz iurt-97e20ef2448702a405f4b9f7d2688a39b2a89365.tar.bz2 iurt-97e20ef2448702a405f4b9f7d2688a39b2a89365.tar.xz iurt-97e20ef2448702a405f4b9f7d2688a39b2a89365.zip