On Fri, Sep 05, 2008 at 10:11:52PM +0800, Coe, Colin C. (Unix Engineer) wrote:
>
> I'd like for spacewalk (and RHN Satellite) to enable the admin to click a
> button and have the pre/post script syntax checked. I realise this is
> unlikely to work for all scripted languages but it will work for bash, sh,
> csh, ksh and perl.
>
> From a security perspective, running '<shell> -n' or 'perl -c' definitely
> does not run the script, just syntax checks it so it should be reasonably
> safe. I figured it would be better to have the check hardcoded similar to:
> switch (interpretor) {
> case "/bin/bash": check_switch = "-n"; break;
> case "/bin/tcsh": check_switch = "-n"; break;
> case "/bin/sh": check_switch = "-n"; break;
> case "/bin/ksh": check_switch = "-n"; break;
> case "/usr/bin/perl": check_switch = "-c"; break;
> }
> rather than having this in a (potentially external) DB where access to the DB
> may be sub optimal. The intent is to restrict the check to only those
> interpreters specifically listed. Also, hard coding the fully qualified
> paths adds to the security by not letting people use malicious programs as
> this would run on the spacewalk server. All the shells could probably be
> done on a single line with a regex but ...
>
> I figure there are two ways to do this:
> 1) pipe the pre/post script to the interpreter with the appropriate switch
> and just check the return code; or
> 2) write the pre/post script to a temporary file and then run the interpreter
> with the appropriate switch checking the return code.
>
> I tested the first method and it seemed to work OK with ksh, bash and perl,
> and should work OK with most interpreters. I realise that the case of 'perl
> -c' will fail if there are required modules that aren't present but I figure
> that this is a best effort type thing.
>
> I'm not keen on the second idea.
>
> So, first up, does cobbler/koan already give us this? If not, are there
> objections to this being done?
>
> Comments, criticisms welcome.
I do not think "reasonably safe" is good enough. The kickstart admin
might not be the same person as the Spacewalk admin, and that might
not be the same person as the root on the Spacewalk server.
For example for perl, the only thing you need to do is to wrap your
script with BEGIN to escape the -c:
$ perl -c -e 'BEGIN { print "I will eat your disk\n"; }'
I will eat your disk
-e syntax OK
$
Moreover, you'd run that check on the Spacewalk server, and it might
not have the packages your post script uses installed at all, so it
would fail even if upon the actual invocation on the system it would
not.
As for the others -- the -n option for bash is not documented in its
man page at all, so I wonder if it doesn't have some way of escaping
the "check" mode as well.
I'm not in favor of this feature unless it can be added in a way that
would pose no security risks at all.
--
Jan Pazdziora
Satellite Engineering, Red Hat
_______________________________________________
Spacewalk-devel mailing list
https://www.redhat.com/mailman/listinfo/spacewalk-devel