there is a nicer way to disable security checks
parent
1f24166835
commit
6359da105a
2 changed files with 23 additions and 6 deletions
|
@ -48,8 +48,9 @@ allowedProgs = {
|
|||
"blkid": "/sbin/blkid",
|
||||
}
|
||||
|
||||
## this line is necessary to run unittests - otherwise these tests are too strict
|
||||
# TODO: check this before every release!
|
||||
## this line is necessary for running unittests or playing around with a local
|
||||
## svn working copy - otherwise the security checks would be too strict
|
||||
# TODO: check this value before every release!
|
||||
OVERRIDE_FILECHECK = False
|
||||
|
||||
DEV_TYPES = { "pipe":1, "char":2, "dir":4, "block":6, "file":8, "link":10, "socket":12}
|
||||
|
@ -112,10 +113,9 @@ def call_plugin(args):
|
|||
if not os.access(plugin, os.X_OK):
|
||||
raise Exception, "could not find executable plugin (%s)" % plugin
|
||||
## check if the plugin (and its parents) are only writeable for root
|
||||
## TODO: this doesn't work with cbx svn versions running by local user
|
||||
## shouldn't we diable this while developing plugins?
|
||||
#if not checkIfFileIsSafe(plugin):
|
||||
#raise Exception, "the plugin (%s) is not safe - check its (and its parents') permissions" % plugin
|
||||
## this can be overridden by OVERRIDE_FILECHECK
|
||||
if not checkIfFileIsSafe(plugin):
|
||||
raise Exception, "the plugin (%s) is not safe - check its (and its parents') permissions" % plugin
|
||||
## check if the plugin is a python program, that is marked as a cryptobox plugin
|
||||
if not checkIfPluginIsValid(plugin):
|
||||
raise Exception, "the plugin (%s) is not a correctly marked python script" % plugin
|
||||
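Review bot: With the permission check in call_plugin active again, the only safeguard against shipping a disabled check is the `# TODO: check this value before every release!` comment next to `OVERRIDE_FILECHECK = False`. The flag is a plain module constant in what appears to be a root-privileged helper, and the place where it is honoured (presumably inside checkIfFileIsSafe) is outside this hunk, so a value left at True would skip the plugin ownership/permission check without leaving any trace. I would make the bypass visible at runtime where the flag is evaluated, e.g. `sys.stderr.write("WARNING: OVERRIDE_FILECHECK is set - file permission checks are disabled\n")` (assuming `sys` is imported there). I would also add a packaging step that fails unless the file contains exactly `OVERRIDE_FILECHECK = False`. call_plugin's body begins and continues outside the hunk.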
|
|
|
@ -12,6 +12,16 @@
|
|||
BIN_DIR=$(dirname "$0")
|
||||
BIN_DIR=$(cd "$BIN_DIR"; pwd)
|
||||
|
||||
function disable_filecheck()
|
||||
{
|
||||
sed -i "s/^OVERRIDE_FILECHECK = .*$/OVERRIDE_FILECHECK = True/" "$BIN_DIR/CryptoBoxRootActions"
|
||||
}
|
||||
|
||||
function enable_filecheck()
|
||||
{
|
||||
sed -i "s/^OVERRIDE_FILECHECK = .*$/OVERRIDE_FILECHECK = False/" "$BIN_DIR/CryptoBoxRootActions"
|
||||
}
|
||||
|
||||
## add the local python directory to the search path
|
||||
export PYTHONPATH="$BIN_DIR/../src"
|
||||
## disable ssl detection
|
||||
|
@ -31,6 +41,13 @@ mkdir -p "$BIN_DIR/../ttt/settings"
|
|||
|
||||
cd "$BIN_DIR"
|
||||
|
||||
|
||||
# disable strict security checks of CryptoBoxRootActions
|
||||
disable_filecheck
|
||||
|
||||
## run the webserver
|
||||
"$BIN_DIR/CryptoBoxWebserver" --config="$CONFIG_FILE" --pidfile=/tmp/cryptoboxwebserver.pid --logfile=/tmp/cryptoboxwebserver.log --port=8080 --datadir="$BIN_DIR/../www-data" "$@"
|
||||
|
||||
# enable strict security checks of CryptoBoxRootActions again
|
||||
enable_filecheck
|
||||
|
||||
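Review bot: `enable_filecheck` only runs if the webserver line returns normally, so interrupting or killing the script leaves `OVERRIDE_FILECHECK = True` written into CryptoBoxRootActions in the working copy, where it can be committed or packaged. Registering the restore as a trap directly after the disable call closes that gap: `trap enable_filecheck EXIT`. Both helper functions also ignore the result of `sed -i`; if the pattern ever stops matching (e.g. the assignment is reformatted), the toggle silently does nothing, so a check such as `grep -q "^OVERRIDE_FILECHECK = False$" "$BIN_DIR/CryptoBoxRootActions"` after `enable_filecheck` would confirm the safe value is back. Since this rewrites a version-controlled file in place, the modified state also shows up as a local change while the server is running.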
|
|