Can this be fixed or is lib micro box the limitation?

See jow's commit for the current apex of permission strings:

https://git.openwrt.org/?p=project/rpcd.git;a=commitdiff;h=aaa08366e6384d9933a405d1218b03c1b167f9e5



In https://github.com/openwrt/luci/pull/6907 I encountered a permissions problem. The command to permit is:

/usr/bin/find -L /dev -maxdepth 3 -type c -name lp[0-9]

That is, the find command needs a regex of lp[0-9], to find only the following:

lp0
lp1
...
lp9


The find man page says:


     -name pattern
             True if the last component of the pathname being examined matches pattern. Special shell pattern matching characters (“[”, “]”, “*”, and “?”) may be used as part of pattern. These characters may be matched explicitly by escaping them with a backslash (“\”).


The acl.d file expects a filter in the /root/usr/share/rpcd/acl.d/luci-*.json JSON, but it does not understand the literal command:

"/usr/bin/find -L /dev -maxdepth 3 -type c -name lp[0-9]": ["exec"]

causes 403. It anticipates lp0, lp1, ... in the command.

"/usr/bin/find -L /dev -maxdepth 3 -type c -name lp\[0-9\]": ["exec"]

Also causes a 403, but the page does not even load. My JSON parser dislikes this also.

So the workaround is to use the glob: *

/usr/bin/find -L /dev -maxdepth 3 -type c -name lp*


where the author of the above commit says:

"(do not use glob *, as) This will prevent unwanted parameter injection."

¯\_(ツ)_/¯


_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel

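The three ACL keys tried in the post, modelled as glob matches against the literal command line. This is an added example, not code from the post, from LuCI or from rpcd; it assumes that the ACL key is matched against the full command string as a shell-style glob with no backslash escape character (like fnmatch(3) with FNM_NOESCAPE), and the `COMMAND_WITH_EXTRA_ARG` string and the fourth, bracket-quoted pattern are constructed here to show what each key lets through.

```python
import fnmatch

# Constructed example (not rpcd's code): the command line exactly as quoted
# in the post. Nothing shell-expands it before the ACL check, so the square
# brackets arrive as literal characters.
COMMAND = "/usr/bin/find -L /dev -maxdepth 3 -type c -name lp[0-9]"

# The same command with one extra argument appended (constructed), standing
# in for the "unwanted parameter injection" the commit message warns about.
COMMAND_WITH_EXTRA_ARG = COMMAND.replace("lp[0-9]", "lp0 -ls")

PREFIX = "/usr/bin/find -L /dev -maxdepth 3 -type c -name "

# Candidate ACL keys: the three from the post, plus one that quotes each
# bracket inside its own bracket expression ("[[]" matches a literal "[",
# "[]]" a literal "]"). The fourth form only helps if the ACL really is
# matched as a glob without backslash escapes, which is assumed here.
ACL_PATTERNS = {
    "literal":   PREFIX + "lp[0-9]",
    "escaped":   PREFIX + r"lp\[0-9\]",
    "glob":      PREFIX + "lp*",
    "bracketed": PREFIX + "lp[[]0-9[]]",
}


def acl_allows(pattern: str, command: str) -> bool:
    """Case-sensitive glob match of the whole command line.

    fnmatchcase treats a backslash as an ordinary character, i.e. it behaves
    like fnmatch(3) with FNM_NOESCAPE, which is the ACL behaviour assumed.
    """
    return fnmatch.fnmatchcase(command, pattern)


def evaluate(command: str = COMMAND) -> dict[str, bool]:
    """Report which candidate ACL keys would permit the given command line."""
    return {name: acl_allows(pat, command) for name, pat in ACL_PATTERNS.items()}


if __name__ == "__main__":
    for label, cmd in (("intended command", COMMAND),
                       ("command with an extra argument", COMMAND_WITH_EXTRA_ARG)):
        print(f"{label}: {cmd}")
        for name, allowed in evaluate(cmd).items():
            print(f"  {name:10s} -> {'allowed' if allowed else '403'}")
```

Under this model the literal key fails because `[0-9]` in the pattern is a character class that wants a digit where the command has a `[`; the backslash key fails because the backslash is matched literally (and, separately, `\[` is not a valid JSON escape, so an ACL file containing it does not even parse unless written as `\\[`); `lp*` matches, but it also matches any trailing arguments, which is the injection concern quoted from the commit; the bracket-quoted form matches only the exact command, if the matcher behaves as assumed.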