From 97e20ef2448702a405f4b9f7d2688a39b2a89365 Mon Sep 17 00:00:00 2001 From: Florent Villard Date: Thu, 7 Dec 2006 13:18:00 +0000 Subject: be less restrictive for copying file into /root --- iurt_root_command | 123 ++++++++++++++++++++++++++++-------------------------- 1 file changed, 63 insertions(+), 60 deletions(-) (limited to 'iurt_root_command') diff --git a/iurt_root_command b/iurt_root_command index cfc763e..361e01d 100755 --- a/iurt_root_command +++ b/iurt_root_command @@ -20,6 +20,7 @@ # # run commands which needs root privilege # +use lib '/usr/local/lib/perl'; use strict; my $program_name = 'iurt_root_command'; @@ -32,16 +33,16 @@ my $arg = @ARGV; my (@params, %run); $run{program_name} = $program_name; -my %authorized_modules = ( 'unionfs' => 1 ); +my %authorized_modules = ('unionfs' => 1); my $sudo = '/usr/bin/sudo'; -$run{todo} = [ ]; +$run{todo} = []; @params = ( # [ "one letter option", "long name option", "number of args (-X means ´at least X´)", "help text", "function to call", "log info"] # # no_rsync, config_help and copy_srpm kept for compatibility reasons # - [ "", "$program_name", 0, "[--verbose ] + [ "", $program_name, 0, "[--verbose ] [--modprobe ] [--mkdir [--parents] ... ]", "$program_name is a perl script to execute commands which need root privilege, it helps probram which needs occasional root privileges for some commands.", @@ -52,7 +53,7 @@ $run{todo} = [ ]; my ($tmp, @arg) = @_; $tmp->[0] ||= {}; push @$tmp, @arg; - 1 + 1; }, "Setting cp command arguments"], ["r", "recursive", 0, "", "Also copy directories and subdirectories", @@ -66,7 +67,7 @@ $run{todo} = [ ]; my ($tmp, @arg) = @_; $tmp->[0] ||= {}; push @$tmp, @arg; - 1 + 1; }, "Setting ln command arguments"], # ["r", "recursive", 0, "", # "Also create needed parents directories", @@ -80,7 +81,7 @@ $run{todo} = [ ]; my ($tmp, @arg) = @_; $tmp->[0] ||= {}; push @$tmp, @arg; - 1 + 1; }, "Setting auto mode arguments"], ["p", "parents", 0, "", "Also create needed parents directories", 
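Review bot: The `use lib '/usr/local/lib/perl';` line added in the first hunk puts a directory outside the distribution's module tree at the front of `@INC`, in a helper whose header says it runs commands needing root privilege. Whoever can write to that directory, or create it where it does not exist, decides which code the helper loads. The path should therefore be root-owned and not group- or world-writable, and the line deserves a comment saying so, e.g. `# must be root-owned and not group/world-writable: modules here are loaded by a privileged helper`. The preamble also has `use strict;` without `use warnings;`.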
@@ -94,7 +95,7 @@ $run{todo} = [ ]; my ($tmp, @arg) = @_; $tmp->[0] ||= {}; push @$tmp, @arg; - 1 + 1; }, "Setting rm command arguments"], ["r", "recursive", 0, "", "Also create needed parents directories", 
@@ -107,95 +108,97 @@ $run{todo} = [ ]; \&initdb, "Initializing the rpm database" ], [ "v", "verbose", 1, "", "modprobe try to modprobe the given module if authorized.", - sub { $run{verbose} = @_->[0]; 1 }, "Setting verbose level" ], + sub { $run{verbose} = $_[0]; 1 }, "Setting verbose level" ], [ "", "modprobe", 1, "]", "modprobe try to modprobe the given module if authorized.", \&modprobe, "Modprobing" ], ); open(my $LOG, ">&STDERR"); -$run{LOG} = $LOG; +$run{LOG} = sub { print $LOG @_ }; -plog_init($program_name, $LOG, $run{verbose}); +#plog_init($program_name, $LOG, $run{verbose}); +plog_init($program_name, $LOG, 7, 1); my $todo = parseCommandLine($program_name, \@ARGV, \@params); @ARGV and usage($program_name, \@params, "@ARGV, too many arguments"); + my $ok = 1; foreach my $t (@$todo) { - plog(6, $t->[2]\n" if $run{verbose}); + plog('DEBUG', $t->[2]); my $ok2 = &{$t->[0]}(\%run, @{$t->[1]}); - $ok2 or print {$run{LOG}} "ERROR: $t->[2]\n"; + $ok2 or plog("ERROR: $t->[2]"); $ok &&= $ok2; } -print "$program_name: Success!\n" if $ok; +plog('DEBUG', "Success!") if $ok; exit !$ok; sub modprobe { - my ($run, $module) = @_; + my ($_run, $module) = @_; if (!$authorized_modules{$module}) { plog("ERROR: unauthorized module $module"); - return 0 + return 0; } open my $modules, '/proc/modules'; - my $ok; while (my $m = <$modules>) { if ($m =~ /unionfs/) { - return 1 + return 1; } } system($sudo, "/sbin/depmod", "-a"); - !system($sudo, "/sbin/modprobe", "-f", $module) + !system($sudo, "/sbin/modprobe", "-f", $module); } sub mkdir { - my ($run, $opt, @dir) = @_; + my ($_run, $opt, @dir) = @_; foreach my $path (@dir) { -d $path and next; - if ($path =~ m,/dev|/proc|/root|/var, && $path !~ /chroot|unionfs/) { - plog("ERROR: $path creation forbidden"); + if ($path =~ m,/dev|/proc|/var, && $path !~ /chroot|unionfs/) { + plog('FAIL', "ERROR: $path creation forbidden"); } if ($opt->{parents}) { - mkdir_p $path + mkdir_p $path; } else { - mkdir $path + mkdir $path; } } - 1 + 1; } 
sub initdb { - my ($run, $chroot) = @_; + my ($_run, $chroot) = @_; if (-d $chroot && $chroot !~ /chroot|unionfs/) { - plog($program_name: rpm --initdb not authorized in $chroot"); - return 0 + plog('FAIL', "rpm --initdb not authorized in $chroot"); + return 0; } - !system("rpm", "--initdb", "--root", "$chroot") + !system('rpm', '--initdb', '--root', $chroot); } sub rm { - my ($run, $opt, @files) = @_; + my ($_run, $opt, @files) = @_; my $ok = 1; my $done; - my $unauthorized = "^(/etc|/root|/dev|/var|/lib|/usr)"; + my $unauthorized = "^(/etc|/dev|/var|/lib|/usr)"; + foreach my $f (@files) { if (-d $f) { if (!$opt->{recursive}) { - plog("can't remove directories without the -r option"); - $ok = 0 + plog('WARN', "can't remove directories without the -r option"); + $ok = 0; } else { if ($f =~ m,$unauthorized,) { - plog("removal of $f forbidden"); - $ok = 0 + plog('FAIL', "removal of $f forbidden"); + $ok = 0; } else { system($sudo, 'rm', '-rf', $f); - plog(1, "removing $f"); - $done = 1 + plog('DEBUG', "removing $f"); + $done = 1; } } } else { if ($f =~ m,/$unauthorized,) { plog("removal of $f forbidden"); - $ok = 0 + $ok = 0; } else { # CM: The original regexp was /\*?/, which doesn't seem to be # what we want. Check if we can always glob instead of 
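Review bot: In mkdir the forbidden-path branch only logs: after `plog('FAIL', "ERROR: $path creation forbidden");` execution falls through to `mkdir_p $path` / `mkdir $path`, so the directory is created anyway; add `next;` (or `return 0;`) after the log call. In rm's non-directory branch the test `m,/$unauthorized,` puts a literal `/` in front of the `^` anchor and so can never match, which leaves plain-file removal unguarded; `m,$unauthorized,` as in the directory branch is presumably what was meant. Both guards carry more weight now that `/root` has been dropped from the patterns. The body of rm continues past the end of this hunk.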
@@ -204,77 +207,77 @@ sub rm { if ($f =~ /[*?]/) { foreach my $file (glob $f) { if ($f =~ m,$unauthorized,) { - plog("removal of $f forbidden"); - $ok = 0 + plog('FAIL', "removal of $f forbidden"); + $ok = 0; } else { unlink $file; $done = 1; - plog(1, "removing $file"); + plog('DEBUG', "removing $file"); } } } else { unlink $f; $done = 1; - plog(1, "removing $f"); + plog('DEBUG', "removing $f"); } } } } - if (!$done) { plog("nothing deleted"); } - $ok + if (!$done) { plog('DEBUG', "nothing deleted") } + $ok; } sub cp { - my ($run, $opt, @files) = @_; + my ($_run, $opt, @files) = @_; my $ok = 1; my $done; my $dest = pop @files; - my $unauthorized = "^(/etc|/root|/dev|/var|/lib|/usr)"; + my $unauthorized = "^(/etc|/dev|/var|/lib|/usr)"; if ($dest =~ /$unauthorized/ || $dest eq '/') { - plog("copying to $dest forbidden"); - return + plog('FAIL', "copying to $dest forbidden"); + return; } foreach my $f (@files) { if (-d $f) { if (!$opt->{recursive}) { - plog("can't copy directories without the -r option"); - $ok = 0 + plog('WARN', "can't copy directories without the -r option"); + $ok = 0; } else { system($sudo, 'cp', '-raf', $f); - plog(1, "copying $f -> $dest"); - $done = 1 + plog('DEBUG', "copying $f -> $dest"); + $done = 1; } } else { if ($f =~ /\*?/) { foreach my $file (glob $f) { if (copy $file, $dest) { $done = 1; - plog(1, "copying $file -> $dest"); + plog('DEBUG', "copying $file -> $dest"); } else { $ok = 0; - plog(1, "copying $file to $dest failed ($!)"); + plog('FAIL', "copying $file to $dest failed ($!)"); } } } else { if (copy $f, $dest) { $done = 1; - plog(1, "copying $f -> $dest"); + plog('DEBUG', "copying $f -> $dest"); } else { $ok = 0; - plog(1, "copying $f to $dest failed ($!)"); + plog('FAIL', "copying $f to $dest failed ($!)"); } } } } - if (!$done) { plog("nothing copied"); } - $ok + if (!$done) { plog('DEBUG', "nothing copied") } + $ok; } sub ln { - my ($run, $opt, $file1, $file2) = @_; - my $unauthorized = "^(/etc|/root|/dev|/var|/lib|/usr)"; + 
my ($_run, $_opt, $file1, $file2) = @_; + my $unauthorized = "^(/etc|/dev|/var|/lib|/usr)"; if ($file2 =~ /$unauthorized/ || $file2 eq '/') { - plog("linking to $file2 forbidden"); + plog('FAIL', "linking to $file2 forbidden"); return; } link $file1, $file2; -- cgit v1.2.1
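Review bot: In rm's glob loop the guard tests `$f` (the unexpanded pattern) instead of `$file`, so the names that glob returns are never compared with `$unauthorized` before `unlink $file`; it should read `if ($file =~ m,$unauthorized,)`. In cp the recursive branch calls `system($sudo, 'cp', '-raf', $f)` without `$dest`, although the log line that follows reports `$f -> $dest`. The cp and ln guards match `$dest` and `$file2` as raw strings, so a relative path or one containing `..` is not covered by the `^(/etc|/dev|/var|/lib|/usr)` prefix test. Resolving the path first (for example `Cwd::abs_path` on the parent directory) would make the shortened deny list apply to the location actually written. rm starts before this hunk, and ln may continue past its last line.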