>
> On Fri, Sep 05, 2008 at 10:11:52PM +0800, Coe, Colin C. (Unix Engineer) wrote:
> >
> > I'd like for spacewalk (and RHN Satellite) to enable the admin to
> > click a button and have the pre/post script syntax checked. I realise
> > this is unlikely to work for all scripted languages but it will work
> > for bash, sh, csh, ksh and perl.
> >
> > From a security perspective, running '<shell> -n' or 'perl -c'
> > definitely does not run the script, just syntax checks it so it
> > should be reasonably safe. I figured it would be better to have the
> > check hardcoded similar to:
> > switch (interpretor) {
> > case "/bin/bash": check_switch = "-n"; break;
> > case "/bin/tcsh": check_switch = "-n"; break;
> > case "/bin/sh": check_switch = "-n"; break;
> > case "/bin/ksh": check_switch = "-n"; break;
> > case "/usr/bin/perl": check_switch = "-c"; break;
> > }
> > rather than having this in a (potentially external) DB where access
> > to the DB may be suboptimal. The intent is to restrict the check to
> > only those interpreters specifically listed. Also, hard coding the
> > fully qualified paths adds to the security by not letting people use
> > malicious programs as this would run on the spacewalk server. All the
> > shells could probably be done on a single line with a regex but ...
> >
> > I figure there are two ways to do this:
> > 1) pipe the pre/post script to the interpreter with the appropriate
> > switch and just check the return code; or
> > 2) write the pre/post script to a temporary file and then run the
> > interpreter with the appropriate switch checking the return code.
> >
> > I tested the first method and it seemed to work OK with ksh, bash
> > and perl, and should work OK with most interpreters. I realise that
> > the case of 'perl -c' will fail if there are required modules that
> > aren't present but I figure that this is a best effort type thing.
> >
> > I'm not keen on the second idea.
> >
> > So, first up, does cobbler/koan already give us this? If not, are
> > there objections to this being done?
> >
> > Comments, criticisms welcome.
>
> I do not think "reasonably safe" is good enough. The kickstart admin
> might not be the same person as the Spacewalk admin, and that might
> not be the same person as the root on the Spacewalk server.
>
> For example for perl, the only thing you need to do is to wrap your
> script with BEGIN to escape the -c:
>
> $ perl -c -e 'BEGIN { print "I will eat your disk\n"; }'
> I will eat your disk
> -e syntax OK
> $
>
> Moreover, you'd run that check on the Spacewalk server, and it might
> not have the packages your post script uses installed at all, so it
> would fail even if upon the actual invocation on the system it would
> not.
>
> As for the others -- the -n option for bash is not documented in its
> man page at all, so I wonder if it doesn't have some way of escaping
> the "check" mode as well.
>
> I'm not in favor of this feature unless it can be added in a way that
> would pose no security risks at all.
>
> --
> Jan Pazdziora
> Satellite Engineering, Red Hat
>
Hi Jan

Thanks for the feedback. My reaction was 'ouch!' when I saw the BEGIN
block in your perl example. In bash '-n' is a 'set' option.

    -n  Read commands but do not execute them. This may be used to
        check a shell script for syntax errors. This is ignored by
        interactive shells.

I'll shelve this until I can find a way to do it safely.

Thanks again!

CC
_______________________________________________
Spacewalk-devel mailing list
https://www.redhat.com/mailman/listinfo/spacewalk-devel