Make linuxnns and linuxvrf use of 'ip' more-secure. #1481

perfsonar · Nov 7, 2024 · 51c2296 · 51c2296
1 parent 4fc12ee
commit 51c2296
Show file tree

Hide file tree

Showing 10 changed files with 123 additions and 100 deletions.
diff --git a/pscheduler-context-linuxnns/linuxnns/Makefile b/pscheduler-context-linuxnns/linuxnns/Makefile
@@ -9,7 +9,8 @@ NAME=null
 FILES=\
 	enumerate \
 	data-is-valid \
-	change
+	change \
+	change-secure
 
 
 install: $(FILES)

diff --git a/pscheduler-context-linuxnns/linuxnns/change b/pscheduler-context-linuxnns/linuxnns/change
@@ -3,50 +3,5 @@
 # Change the context and do the next thing.
 #
 
-# Data-is-valid should cause non-Linux use of this plugin to be
-# rejected, but an extra check doesn't hurt.
-if [ "$(uname -s)" != "Linux" ]
-then
-    echo "The linuxnns context is not supported on this platform." 1>&2
-    exit 1
-fi
-
-
-TMPBASE=${TMPDIR:-/tmp}/$WHOAMI.$$
-cleanup()
-{
-    if [ "$TMPBASE" ]
-    then
-        rm -rf $TMPBASE*
-    fi
-}
-trap cleanup EXIT
-
-
-INPUT="${TMPBASE}.input"
-cat > "${INPUT}"
-
-
-OLD_USER=$(id -nu)
-
-
-NAMESPACE=$(jq -r '.data.namespace' "${INPUT}")
-if [ -z "${NAMESPACE}" ]
-then
-    echo "Input is missing namespace." 1>&2
-    exit 1
-fi
-
-
-EXEC=$(jq -r '.exec' "${INPUT}") 
-if [ ! -x "${EXEC}" ]
-then
-    echo "Cannot execute '${EXEC}'." 1>&2
-    exit 1
-fi
-
-
-# This becomes root to change the namespace and then becomes the prior
-# user to exec whatever comes next.
-
-exec sudo /sbin/ip netns exec "${NAMESPACE}" sudo -u "${OLD_USER}" "${EXEC}"
+WHEREAMI=$(cd $(dirname "$0") && pwd)
+exec sudo "${WHEREAMI}/$(basename "$0")-secure"
diff --git a/pscheduler-context-linuxnns/linuxnns/change-secure b/pscheduler-context-linuxnns/linuxnns/change-secure
@@ -0,0 +1,57 @@
+#!/bin/sh -e
+#
+# Change the context and do the next thing - Secure Part
+#
+# This must be executed by sudo(8).
+#
+
+# Data-is-valid should cause non-Linux use of this plugin to be
+# rejected, but an extra check doesn't hurt.
+if [ "$(uname -s)" != "Linux" ]
+then
+    echo "The linuxnns context is not supported on this platform." 1>&2
+    exit 1
+fi
+
+if ! [ -n "$SUDO_USER" ]
+then
+    echo "No SUDO_USER provided." 1>&2
+    exit 1
+fi
+
+
+TMPBASE=${TMPDIR:-/tmp}/$WHOAMI.$$
+cleanup()
+{
+    if [ "$TMPBASE" ]
+    then
+        rm -rf $TMPBASE*
+    fi
+}
+trap cleanup EXIT
+
+
+INPUT="${TMPBASE}.input"
+cat > "${INPUT}"
+
+
+NAMESPACE=$(jq -r '.data.namespace' "${INPUT}")
+if [ -z "${NAMESPACE}" ]
+then
+    echo "Input is missing namespace." 1>&2
+    exit 1
+fi
+
+
+EXEC=$(jq -r '.exec' "${INPUT}") 
+if [ ! -x "${EXEC}" ]
+then
+    echo "Cannot execute '${EXEC}'." 1>&2
+    exit 1
+fi
+
+
+# Change the namespace and then becomes the prior user to exec
+# whatever comes next.
+
+ip netns exec "${NAMESPACE}" sudo -u "${SUDO_USER}" "${EXEC}"
diff --git a/pscheduler-context-linuxnns/linuxnns/unibuild-packaging/deb/sudoers b/pscheduler-context-linuxnns/linuxnns/unibuild-packaging/deb/sudoers
@@ -1,6 +1,6 @@
 #
 # pscheduler-context-linuxnns
 #
-Cmnd_Alias PSCHEDULER_CONTEXT_LINUXNNS=/sbin/ip netns exec *
+Cmnd_Alias PSCHEDULER_CONTEXT_LINUXNNS=/usr/lib/pscheduler/libexec/classes/context/linuxnns/change-secure
 pscheduler ALL = (root) NOPASSWD: PSCHEDULER_CONTEXT_LINUXNNS
 Defaults!PSCHEDULER_CONTEXT_LINUXNNS !requiretty
diff --git a/pscheduler-context-linuxnns/linuxnns/unibuild-packaging/rpm/pscheduler-context-linuxnns.spec b/pscheduler-context-linuxnns/linuxnns/unibuild-packaging/rpm/pscheduler-context-linuxnns.spec
@@ -57,7 +57,7 @@ cat > $RPM_BUILD_ROOT/%{_pscheduler_sudoersdir}/%{name} <<'EOF'
 #
 # %{name}
 #
-Cmnd_Alias PSCHEDULER_CONTEXT_LINUXNNS=/sbin/ip netns exec *
+Cmnd_Alias PSCHEDULER_CONTEXT_LINUXNNS=%{dest}/change-secure
 %{_pscheduler_user} ALL = (root) NOPASSWD: PSCHEDULER_CONTEXT_LINUXNNS
 Defaults!PSCHEDULER_CONTEXT_LINUXNNS !requiretty
 EOF

diff --git a/pscheduler-context-linuxvrf/linuxvrf/Makefile b/pscheduler-context-linuxvrf/linuxvrf/Makefile
@@ -7,7 +7,8 @@
 FILES=\
 	enumerate \
 	data-is-valid \
-	change
+	change \
+	change-secure
 
 
 install: $(FILES)

diff --git a/pscheduler-context-linuxvrf/linuxvrf/change b/pscheduler-context-linuxvrf/linuxvrf/change
@@ -3,50 +3,5 @@
 # Change the context and do the next thing.
 #
 
-# Data-is-valid should cause non-Linux use of this plugin to be
-# rejected, but an extra check doesn't hurt.
-if [ "$(uname -s)" != "Linux" ]
-then
-    echo "The linuxvrf context is not supported on this platform." 1>&2
-    exit 1
-fi
-
-
-TMPBASE=${TMPDIR:-/tmp}/$WHOAMI.$$
-cleanup()
-{
-    if [ "$TMPBASE" ]
-    then
-        rm -rf $TMPBASE*
-    fi
-}
-trap cleanup EXIT
-
-
-INPUT="${TMPBASE}.input"
-cat > "${INPUT}"
-
-
-OLD_USER=$(id -nu)
-
-
-VRF=$(jq -r '.data.vrf' "${INPUT}")
-if [ -z "${VRF}" ]
-then
-    echo "Input is missing VRF name." 1>&2
-    exit 1
-fi
-
-
-EXEC=$(jq -r '.exec' "${INPUT}") 
-if [ ! -x "${EXEC}" ]
-then
-    echo "Cannot execute '${EXEC}'." 1>&2
-    exit 1
-fi
-
-
-# This becomes root to change the VRFand then becomes the prior
-# user to exec whatever comes next.
-
-exec sudo /sbin/ip vrf exec "${VRF}" sudo -u "${OLD_USER}" "${EXEC}"
+WHEREAMI=$(cd $(dirname "$0") && pwd)
+exec sudo "${WHEREAMI}/$(basename "$0")-secure"
diff --git a/pscheduler-context-linuxvrf/linuxvrf/change-secure b/pscheduler-context-linuxvrf/linuxvrf/change-secure
@@ -0,0 +1,54 @@
+#!/bin/sh -e
+#
+# Change the context and do the next thing - Secure Part
+#
+# This must be executed by sudo(8).
+#
+
+# Data-is-valid should cause non-Linux use of this plugin to be
+# rejected, but an extra check doesn't hurt.
+if [ "$(uname -s)" != "Linux" ]
+then
+    echo "The linuxvrf context is not supported on this platform." 1>&2
+    exit 1
+fi
+
+
+TMPBASE=${TMPDIR:-/tmp}/$WHOAMI.$$
+cleanup()
+{
+    if [ "$TMPBASE" ]
+    then
+        rm -rf $TMPBASE*
+    fi
+}
+trap cleanup EXIT
+
+
+INPUT="${TMPBASE}.input"
+cat > "${INPUT}"
+
+
+OLD_USER=$(id -nu)
+
+
+VRF=$(jq -r '.data.vrf' "${INPUT}")
+if [ -z "${VRF}" ]
+then
+    echo "Input is missing VRF name." 1>&2
+    exit 1
+fi
+
+
+EXEC=$(jq -r '.exec' "${INPUT}") 
+if [ ! -x "${EXEC}" ]
+then
+    echo "Cannot execute '${EXEC}'." 1>&2
+    exit 1
+fi
+
+
+# This becomes root to change the VRFand then becomes the prior
+# user to exec whatever comes next.
+
+exec sudo /sbin/ip vrf exec "${VRF}" sudo -u "${OLD_USER}" "${EXEC}"
diff --git a/pscheduler-context-linuxvrf/linuxvrf/unibuild-packaging/deb/sudoers b/pscheduler-context-linuxvrf/linuxvrf/unibuild-packaging/deb/sudoers
@@ -1,6 +1,6 @@
 #
 # pscheduler-context-linuxvrf
 #
-Cmnd_Alias PSCHEDULER_CONTEXT_LINUXVRF=/sbin/ip vrf exec *
+Cmnd_Alias PSCHEDULER_CONTEXT_LINUXVRF=/usr/lib/pscheduler/libexec/classes/context/linuxvrf/change-secure
 pscheduler ALL = (root) NOPASSWD: PSCHEDULER_CONTEXT_LINUXVRF
 Defaults!PSCHEDULER_CONTEXT_LINUXVRF !requiretty
diff --git a/pscheduler-context-linuxvrf/linuxvrf/unibuild-packaging/rpm/pscheduler-context-linuxvrf.spec b/pscheduler-context-linuxvrf/linuxvrf/unibuild-packaging/rpm/pscheduler-context-linuxvrf.spec
@@ -58,7 +58,7 @@ cat > $RPM_BUILD_ROOT/%{_pscheduler_sudoersdir}/%{name} <<'EOF'
 #
 # %{name}
 #
-Cmnd_Alias PSCHEDULER_CONTEXT_LINUXVRF=/sbin/ip vrf exec *
+Cmnd_Alias PSCHEDULER_CONTEXT_LINUXVRF=%{dest}/change-secure
 %{_pscheduler_user} ALL = (root) NOPASSWD: PSCHEDULER_CONTEXT_LINUXVRF
 Defaults!PSCHEDULER_CONTEXT_LINUXVRF !requiretty
 EOF