555 lines
18 KiB
Python
Executable file
555 lines
18 KiB
Python
Executable file
#!/usr/bin/env python
|
|
#
|
|
# Copyright 2007 sense.lab e.V.
|
|
#
|
|
# This file is part of the CryptoBox.
|
|
#
|
|
# The CryptoBox is free software; you can redistribute it and/or modify
|
|
# it under the terms of the GNU General Public License as published by
|
|
# the Free Software Foundation; either version 2 of the License, or
|
|
# (at your option) any later version.
|
|
#
|
|
# The CryptoBox is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with the CryptoBox; if not, write to the Free Software
|
|
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
|
#
|
|
|
|
|
|
"""module for executing some programs or scripts that need root privileges
|
|
|
|
Syntax:
|
|
check
|
|
- return exitcode zero if basic checks succeeded
|
|
|
|
program PROGRAM_NAME [ARGS]
|
|
- call the program (must be defined in "allowedProgs" below)
|
|
|
|
event EVENT_SCRIPT [ARGS]
|
|
- call an event script
|
|
|
|
plugin PLUGIN_NAME [ARGS]
|
|
- call a root_action script of a plugin
|
|
|
|
|
|
Exitcodes:
|
|
0 - execution was ok
|
|
1 - the executed program or action returned a failure exitcode
|
|
100 - improper calling or misconfiguration
|
|
of CryptoBoxRootAction (wrong arguments, wrong uid)
|
|
101 - failed to execute the given program - maybe it does not exist?
|
|
|
|
For more detailed information take a look at the manpage:
|
|
"man CryptoBoxRootActions"
|
|
"""
|
|
|
|
__revision__ = "$Id"
|
|
|
|
import os
|
|
import sys
|
|
import subprocess
|
|
import pwd
|
|
import grp
|
|
import types
|
|
|
|
allowedProgs = {
|
|
"sfdisk": "/sbin/sfdisk",
|
|
"cryptsetup": "/sbin/cryptsetup",
|
|
"mount": "/bin/mount",
|
|
"umount": "/bin/umount",
|
|
"blkid": "/sbin/blkid",
|
|
"pvdisplay": "/sbin/pvdisplay",
|
|
}
|
|
|
|
## this line is necessary for running unittests or playing around with a local
|
|
## svn working copy - otherwise the security checks would be too strict
|
|
OVERRIDE_FILECHECK = False
|
|
|
|
DEV_TYPES = { "pipe":1, "char":2, "dir":4, "block":6, "file":8, "link":10, "socket":12}
|
|
EVENT_MARKER = '_event_scripts_'
|
|
## use this string as device name if you want to mount a ramdisk
|
|
MAGIC_TMPFS = "_tmpfs_"
|
|
|
|
|
|
def checkIfFileIsSafe(fname):
|
|
"""check if the file and its parents are only writeable for root"""
|
|
## the override setting may be turned off temporarily to allow unittests
|
|
if OVERRIDE_FILECHECK:
|
|
return True
|
|
## if the calling user id is 0 (root), then we do not have to check this,
|
|
## as root would be allowed to do this anyway
|
|
## this eases testing with a not-installed working copy in a uml environment
|
|
if getCallingUserInfo()[1] == 0:
|
|
return True
|
|
props = os.stat(fname)
|
|
## check if it is owned by non-root
|
|
if props.st_uid != 0: return False
|
|
## check group-write permission if gid is not zero
|
|
if (props.st_gid != 0) and (props.st_mode % 32 / 16 > 0): return False
|
|
## check if it is world-writeable
|
|
if props.st_mode % 4 / 2 > 0: return False
|
|
## are we at root-level (directory-wise)? If yes, then we are ok ...
|
|
if fname == os.path.sep: return True
|
|
## check if the parent directory is ok - recursively :)
|
|
return checkIfFileIsSafe(os.path.dirname(os.path.abspath(fname)))
|
|
|
|
|
|
def checkIfPluginIsValid(plugin):
|
|
import imp
|
|
try:
|
|
x = imp.load_source("cbox_plugin", plugin)
|
|
except (SyntaxError, IOError):
|
|
return False
|
|
try:
|
|
if getattr(x, "PLUGIN_TYPE") == "cryptobox":
|
|
return True
|
|
else:
|
|
return False
|
|
except AttributeError:
|
|
return False
|
|
|
|
|
|
def checkIfEventScriptIsValid(plugin):
|
|
event_dir = os.path.dirname(plugin)
|
|
if os.path.exists(os.path.join(event_dir, EVENT_MARKER)):
|
|
return True
|
|
else:
|
|
return False
|
|
|
|
|
|
def call_plugin(args):
|
|
"""check if the plugin may be called - and do it finally ..."""
|
|
plugin = os.path.abspath(args[0])
|
|
del args[0]
|
|
## check existence and if it is executable
|
|
if not os.access(plugin, os.X_OK):
|
|
raise Exception, "could not find executable plugin (%s)" % plugin
|
|
## check if the plugin (and its parents) are only writeable for root
|
|
## this can be overridden by OVERRIDE_FILECHECK
|
|
if not checkIfFileIsSafe(plugin):
|
|
raise Exception, "the plugin (%s) is not safe - check its " % plugin \
|
|
+ "(and its parents') permissions"
|
|
## check if the plugin is a python program, that is marked as a cryptobox plugin
|
|
if not checkIfPluginIsValid(plugin):
|
|
raise Exception, "the plugin (%s) is not a correctly marked python script" % plugin
|
|
args.insert(0, plugin)
|
|
proc = subprocess.Popen(
|
|
shell = False,
|
|
args = args)
|
|
proc.wait()
|
|
return proc.returncode == 0
|
|
|
|
|
|
def call_event(args):
|
|
"""check if the event script may be called - and do it finally ..."""
|
|
event = os.path.abspath(args[0])
|
|
del args[0]
|
|
## check existence and if it is executable
|
|
if not os.access(event, os.X_OK):
|
|
raise Exception, "could not find executable event script (%s)" % event
|
|
## check if the script is valid (the marker file must be in the same directory)
|
|
if not checkIfEventScriptIsValid(event):
|
|
raise Exception, "the event script (%s) does not reside in" % event \
|
|
+ "a directory with the marker file (%s) - this " % EVENT_MARKER \
|
|
+ "is not allowed due to abuse prevention"
|
|
## check if the event (and its parents) are only writeable for root
|
|
if not checkIfFileIsSafe(event):
|
|
raise Exception, "the event (%s) is not safe - check its " % event \
|
|
+ "(and its parents') permissions"
|
|
args.insert(0, event)
|
|
proc = subprocess.Popen(
|
|
shell = False,
|
|
args = args)
|
|
proc.wait()
|
|
return proc.returncode == 0
|
|
|
|
|
|
def isWriteable(path, force_dev_type=None):
|
|
"""check if the calling user (not root!) has write access to the device/file
|
|
|
|
the real (not the effective) user id is used for the check
|
|
additionally the permissions of the default groups of the real uid are checked
|
|
it is sufficient, if the device/dir is owned by us
|
|
this check works nicely together with "super", as it changes (by default) only
|
|
the effective uid (not the real uid)
|
|
"""
|
|
## first check, if the device/file exists
|
|
if not os.path.exists(path):
|
|
sys.stderr.write("%s does not exist!\n" % path)
|
|
return False
|
|
## check the type of the path - if necessary
|
|
if (not force_dev_type is None) and \
|
|
(force_dev_type != os.stat(path).st_mode % 65536 / 4096):
|
|
sys.stderr.write("%s does not have the numeric type '%d'!\n" \
|
|
% (path, force_dev_type))
|
|
return False
|
|
## retrieve the information for the real user id
|
|
(trustUserName, trustUID, groupsOfTrustUser) = getCallingUserInfo()
|
|
## are we called by the root user? this would be ok
|
|
if trustUID == 0:
|
|
return True
|
|
## is the path owned by us?
|
|
if os.stat(path)[4] == trustUID:
|
|
return True
|
|
## set the default groups of the caller for the check (restore them later)
|
|
savedGroups = os.getgroups()
|
|
os.setgroups(groupsOfTrustUser)
|
|
## check permissions
|
|
result = os.access(path, os.W_OK) and os.access(path, os.R_OK)
|
|
## reset the groups of this process
|
|
os.setgroups(savedGroups)
|
|
return result
|
|
|
|
|
|
def run_cryptsetup(args):
|
|
"""execute cryptsetup as root
|
|
|
|
@args: list of arguments - they will be treated accordingly to the first element
|
|
of this list (the action)"""
|
|
if not args: raise "WrongArguments", "no action for cryptsetup supplied"
|
|
if type(args) != types.ListType:
|
|
raise "WrongArguments", "invalid arguments supplied: %s" % (args, )
|
|
try:
|
|
action = args[0]
|
|
del args[0]
|
|
device = None
|
|
cmd_args = []
|
|
if action == "luksFormat":
|
|
device = args[0]; del args[0]
|
|
cmd_args.append(action)
|
|
cmd_args.append(device)
|
|
elif action == "luksUUID":
|
|
device = args[0]; del args[0]
|
|
cmd_args.append(action)
|
|
cmd_args.append(device)
|
|
elif action == "luksOpen":
|
|
if len(args) < 2: raise "WrongArguments", "missing arguments"
|
|
device = args[0]; del args[0]
|
|
destination = args[0]; del args[0]
|
|
cmd_args.append(action)
|
|
cmd_args.append(device)
|
|
cmd_args.append(destination)
|
|
elif action == "luksClose":
|
|
if len(args) < 1: raise "WrongArguments", "missing arguments"
|
|
destination = args[0]; del args[0]
|
|
# maybe add a check for the mapped device's permissions?
|
|
# dmsetup deps self.device
|
|
cmd_args.append(action)
|
|
cmd_args.append(destination)
|
|
elif action == "luksAddKey":
|
|
device = args[0]; del args[0]
|
|
cmd_args.append(action)
|
|
cmd_args.append(device)
|
|
elif action == "luksDelKey":
|
|
if len(args) < 2: raise "WrongArguments", "missing arguments"
|
|
device = args[0]; del args[0]
|
|
slot = args[0]; del args[0]
|
|
cmd_args.append(action)
|
|
cmd_args.append(device)
|
|
cmd_args.append(slot)
|
|
elif action == "isLuks":
|
|
device = args[0]; del args[0]
|
|
cmd_args.append(action)
|
|
cmd_args.append(device)
|
|
else: raise "WrongArguments", "invalid action supplied: %s" % (action, )
|
|
# check if a device was defined - and check it
|
|
if (not device is None) and (not isWriteable(device, DEV_TYPES["block"])):
|
|
raise "WrongArguments", "%s is not a writeable block device" % (device, )
|
|
cs_args = [allowedProgs["cryptsetup"]]
|
|
cs_args.extend(args)
|
|
cs_args.extend(cmd_args)
|
|
except (TypeError, IndexError):
|
|
raise "WrongArguments", "invalid arguments supplied: %s" % (args, )
|
|
# execute cryptsetup with the given parameters
|
|
proc = subprocess.Popen(
|
|
shell = False,
|
|
args = cs_args)
|
|
proc.wait()
|
|
## chown the devmapper block device to the cryptobox user
|
|
calling_user = getCallingUserInfo()
|
|
if (proc.returncode == 0) and (action == "luksOpen"):
|
|
os.chown(os.path.join(os.path.sep, "dev", "mapper", destination),
|
|
calling_user[1], calling_user[2][0])
|
|
return proc.returncode == 0
|
|
|
|
|
|
def getFSType(device):
|
|
"""get the filesystem type of a device"""
|
|
proc = subprocess.Popen(
|
|
shell = False,
|
|
stdout = subprocess.PIPE,
|
|
args = [ allowedProgs["blkid"],
|
|
"-s", "TYPE",
|
|
"-o", "value",
|
|
"-c", os.devnull,
|
|
"-w", os.devnull,
|
|
device])
|
|
(stdout, stderr) = proc.communicate()
|
|
if proc.returncode != 0:
|
|
return None
|
|
return stdout.strip()
|
|
|
|
|
|
def run_mount(args):
|
|
"""execute mount
|
|
"""
|
|
if not args: raise "WrongArguments", "no destination for mount supplied"
|
|
if type(args) != types.ListType:
|
|
raise "WrongArguments", "invalid arguments supplied: %s" % (args, )
|
|
try:
|
|
device = args[0]
|
|
del args[0]
|
|
destination = args[0]
|
|
del args[0]
|
|
## shall we mount a ramdisk?
|
|
is_tmpfs = (device == MAGIC_TMPFS)
|
|
# check permissions for the device
|
|
if (not is_tmpfs) and (not isWriteable(device, DEV_TYPES["block"])):
|
|
raise "WrongArguments", "%s is not a writeable block device" % (device, )
|
|
## check permissions for the mountpoint
|
|
if not isWriteable(destination, DEV_TYPES["dir"]):
|
|
raise "WrongArguments", "the mountpoint (%s) is not writeable" \
|
|
% (destination, )
|
|
# check for additional (not allowed) arguments
|
|
if len(args) != 0:
|
|
raise "WrongArguments", "too many arguments for 'mount': %s" % (args, )
|
|
except TypeError:
|
|
raise "WrongArguments", "invalid arguments supplied: %s" % (args, )
|
|
# execute mount with the given parameters
|
|
# first overwrite the real uid, as 'mount' wants this to be zero (root)
|
|
savedUID = os.getuid()
|
|
os.setuid(os.geteuid())
|
|
## we have to change the permissions of the mounted directory - otherwise it will
|
|
## not be writeable for the cryptobox user
|
|
## for 'vfat' we have to do this during mount
|
|
## for ext2/3 we have to do it afterward
|
|
## first: get the user/group of the target
|
|
(trustUserName, trustUID, groupsOfTrustUser) = getUserInfo(savedUID)
|
|
trustGID = groupsOfTrustUser[0]
|
|
if is_tmpfs:
|
|
fsType = "tmpfs"
|
|
else:
|
|
fsType = getFSType(device)
|
|
## define arguments
|
|
if fsType == "vfat":
|
|
## add the "uid/gid" arguments to the mount call
|
|
mount_args = [ allowedProgs["mount"],
|
|
"-o", "uid=%d,gid=%d,umask=0000" % (trustUID, trustGID),
|
|
device,
|
|
destination ]
|
|
## use fuse (ntfs-3g) for ntfs
|
|
elif fsType == "ntfs":
|
|
mount_args = [ allowedProgs["mount"],
|
|
"-t", "ntfs-3g",
|
|
device,
|
|
destination ]
|
|
elif is_tmpfs:
|
|
mount_args = [ allowedProgs["mount"],
|
|
"-t", "tmpfs",
|
|
"cryptobox-tmpfs", destination ]
|
|
else:
|
|
## all other filesystem types will be handled after mount
|
|
mount_args = [ allowedProgs["mount"], device, destination ]
|
|
# execute mount
|
|
proc = subprocess.Popen(
|
|
shell = False,
|
|
args = mount_args)
|
|
proc.wait()
|
|
## return in case of an error
|
|
if proc.returncode != 0:
|
|
return False
|
|
## for vfat: we are done
|
|
if fsType == "vfat": return True
|
|
## for all other filesystem types: chown the mount directory
|
|
try:
|
|
os.chown(destination, trustUID, groupsOfTrustUser[0])
|
|
except OSError, errMsg:
|
|
sys.stderr.write("could not chown the mount destination (%s) " % destination \
|
|
+ "to the specified user (%d/%d): " % (trustUID, groupsOfTrustUser[0]) \
|
|
+ "%s/n" % str(errMsg))
|
|
sys.stderr.write("UID: %d\n" % (os.geteuid(),))
|
|
return False
|
|
## BEWARE: it would be nice, if we could restore the previous uid (not euid) but
|
|
## this would also override the euid (see 'man 2 setuid') - any ideas?
|
|
return True
|
|
|
|
|
|
def run_umount(args):
|
|
"""execute mount
|
|
"""
|
|
if not args: raise "WrongArguments", "no mountpoint for umount supplied"
|
|
if type(args) != types.ListType:
|
|
raise "WrongArguments", "invalid arguments supplied"
|
|
try:
|
|
destination = args[0]
|
|
del args[0]
|
|
# check permissions for the destination
|
|
if not isWriteable(os.path.dirname(destination), DEV_TYPES["dir"]):
|
|
raise "WrongArguments", "the parent of the mountpoint " \
|
|
+ "(%s) is not writeable" % (destination, )
|
|
if len(args) != 0: raise "WrongArguments", "umount does not allow arguments"
|
|
except TypeError:
|
|
raise "WrongArguments", "invalid arguments supplied"
|
|
# execute umount with the given parameters
|
|
# first overwrite the real uid, as 'umount' wants this to be zero (root)
|
|
savedUID = os.getuid()
|
|
os.setuid(os.geteuid())
|
|
# execute umount (with the parameter '-l' - lazy umount)
|
|
proc = subprocess.Popen(
|
|
shell = False,
|
|
args = [allowedProgs["umount"], "-l", destination])
|
|
proc.wait()
|
|
# restore previous real uid
|
|
os.setuid(savedUID)
|
|
return proc.returncode == 0
|
|
|
|
|
|
def run_pvdisplay(args):
|
|
"""execute pvdisplay to check for physical LVM devices
|
|
"""
|
|
if len(args) > 0:
|
|
raise "WrongArguments", "no arguments may be supplied for 'pvdisplay'"
|
|
## call pvdisplay with the parameter "--colon"
|
|
proc = subprocess.Popen(
|
|
shell = False,
|
|
args = [ allowedProgs["pvdisplay"], "--colon" ])
|
|
proc.wait()
|
|
return proc.returncode == 0
|
|
|
|
|
|
def getCallingUserInfo():
|
|
"""return information about the user that was calling this program via "super"
|
|
|
|
@user: (uid or name)
|
|
@return: tuple of (name, uid, (groups))
|
|
"""
|
|
## are we called via 'super'?
|
|
if ("SUPERCMD" in os.environ) and ("ORIG_USER" in os.environ):
|
|
## return the user that was calling super
|
|
return getUserInfo(os.environ["ORIG_USER"])
|
|
else:
|
|
## return the current user
|
|
return getUserInfo(os.getuid())
|
|
|
|
|
|
def getUserInfo(user):
|
|
"""return information about the specified user
|
|
|
|
@user: (uid or name)
|
|
@return: tuple of (name, uid, (groups))
|
|
"""
|
|
if (user is None) or (user == ""):
|
|
raise "KeyError", "no user supplied"
|
|
## if a KeyError is raised again in the following lines, then the supplied
|
|
## user was invalid
|
|
if type(user) is int:
|
|
# 'user' is a uid
|
|
userinfo = pwd.getpwuid(user)
|
|
elif type(user) is str:
|
|
# 'user' is a name
|
|
userinfo = pwd.getpwnam(user)
|
|
u_groups = [one_group.gr_gid
|
|
for one_group in grp.getgrall()
|
|
if userinfo.pw_name in one_group.gr_mem]
|
|
if not userinfo.pw_gid in u_groups:
|
|
## put in front of the list
|
|
u_groups.insert(0,userinfo.pw_gid)
|
|
return (userinfo.pw_name, userinfo.pw_uid, u_groups)
|
|
|
|
|
|
# **************** main **********************
|
|
|
|
# prevent import
|
|
if __name__ == "__main__":
|
|
|
|
## do we have root privileges (effective uid is zero)?
|
|
if os.geteuid() != 0:
|
|
sys.stderr.write("the effective uid is not zero - you should use " \
|
|
+ "'super' to call this script (%s)" % sys.argv[0])
|
|
sys.exit(100)
|
|
|
|
## remove program name
|
|
args = sys.argv[1:]
|
|
|
|
# do not allow to use root permissions (real uid may not be zero)
|
|
#if os.getuid() == 0:
|
|
# sys.stderr.write("the uid of the caller is zero (root) - this is not allowed\n")
|
|
# sys.exit(100)
|
|
|
|
## check if there were arguments
|
|
if (len(args) == 0):
|
|
sys.stderr.write("No arguments supplied\n")
|
|
sys.exit(100)
|
|
|
|
## did the user call the "check" action?
|
|
if (len(args) == 1) and (args[0].lower() == "check"):
|
|
# exit silently
|
|
sys.exit(0)
|
|
|
|
## all of the following actions require at least two arguments
|
|
if len(args) < 2:
|
|
sys.stderr.write("No program/plugin/event specified for execution\n")
|
|
sys.exit(100)
|
|
|
|
## call a plugin root_action script
|
|
if args[0].lower() == "plugin":
|
|
del args[0]
|
|
try:
|
|
isOK = call_plugin(args)
|
|
except Exception, errMsg:
|
|
sys.stderr.write("Execution of plugin '%s' failed: %s\n" \
|
|
% (args[0], errMsg))
|
|
sys.exit(100)
|
|
if isOK:
|
|
sys.exit(0)
|
|
else:
|
|
sys.exit(1)
|
|
|
|
## call an event script
|
|
if args[0].lower() == "event":
|
|
del args[0]
|
|
try:
|
|
isOK = call_event(args)
|
|
except Exception, errMsg:
|
|
sys.stderr.write("Execution of event '%s' failed: %s\n" \
|
|
% (args[0], errMsg))
|
|
sys.exit(100)
|
|
if isOK:
|
|
sys.exit(0)
|
|
else:
|
|
sys.exit(1)
|
|
|
|
## call one of the allowed programs
|
|
if args[0].lower() == "program":
|
|
del args[0]
|
|
|
|
progRequest = args[0]
|
|
del args[0]
|
|
|
|
if not progRequest in allowedProgs.keys():
|
|
sys.stderr.write("Invalid program requested: %s\n" % progRequest)
|
|
sys.exit(100)
|
|
|
|
if progRequest == "cryptsetup": runner = run_cryptsetup
|
|
elif progRequest == "mount": runner = run_mount
|
|
elif progRequest == "umount": runner = run_umount
|
|
elif progRequest == "pvdisplay": runner = run_pvdisplay
|
|
else:
|
|
sys.stderr.write("The interface for this program (%s) is " \
|
|
+ "not yet implemented!\n" % progRequest)
|
|
sys.exit(100)
|
|
try:
|
|
if runner(args):
|
|
sys.exit(0)
|
|
else:
|
|
sys.exit(1)
|
|
except OSError, errstr:
|
|
sys.stderr.write("Execution failed: %s\n" % errstr)
|
|
sys.exit(101)
|
|
except "WrongArguments", errstr:
|
|
sys.stderr.write("Invalid arguments: %s\n" % errstr)
|
|
sys.exit(100)
|