there is a nicer way to disable security checks
This commit is contained in:
parent
1f24166835
commit
6359da105a
2 changed files with 23 additions and 6 deletions
|
@ -48,8 +48,9 @@ allowedProgs = {
|
||||||
"blkid": "/sbin/blkid",
|
"blkid": "/sbin/blkid",
|
||||||
}
|
}
|
||||||
|
|
||||||
## this line is necessary to run unittests - otherwise these tests are too strict
|
## this line is necessary for running unittests or playing around with a local
|
||||||
# TODO: check this before every release!
|
## svn working copy - otherwise the security checks would be too strict
|
||||||
|
# TODO: check this value before every release!
|
||||||
OVERRIDE_FILECHECK = False
|
OVERRIDE_FILECHECK = False
|
||||||
|
|
||||||
DEV_TYPES = { "pipe":1, "char":2, "dir":4, "block":6, "file":8, "link":10, "socket":12}
|
DEV_TYPES = { "pipe":1, "char":2, "dir":4, "block":6, "file":8, "link":10, "socket":12}
|
||||||
|
@ -112,10 +113,9 @@ def call_plugin(args):
|
||||||
if not os.access(plugin, os.X_OK):
|
if not os.access(plugin, os.X_OK):
|
||||||
raise Exception, "could not find executable plugin (%s)" % plugin
|
raise Exception, "could not find executable plugin (%s)" % plugin
|
||||||
## check if the plugin (and its parents) are only writeable for root
|
## check if the plugin (and its parents) are only writeable for root
|
||||||
## TODO: this doesn't work with cbx svn versions running by local user
|
## this can be overridden by OVERRIDE_FILECHECK
|
||||||
## shouldn't we diable this while developing plugins?
|
if not checkIfFileIsSafe(plugin):
|
||||||
#if not checkIfFileIsSafe(plugin):
|
raise Exception, "the plugin (%s) is not safe - check its (and its parents') permissions" % plugin
|
||||||
#raise Exception, "the plugin (%s) is not safe - check its (and its parents') permissions" % plugin
|
|
||||||
## check if the plugin is a python program, that is marked as a cryptobox plugin
|
## check if the plugin is a python program, that is marked as a cryptobox plugin
|
||||||
if not checkIfPluginIsValid(plugin):
|
if not checkIfPluginIsValid(plugin):
|
||||||
raise Exception, "the plugin (%s) is not a correctly marked python script" % plugin
|
raise Exception, "the plugin (%s) is not a correctly marked python script" % plugin
|
||||||
|
|
|
@ -12,6 +12,16 @@
|
||||||
BIN_DIR=$(dirname "$0")
|
BIN_DIR=$(dirname "$0")
|
||||||
BIN_DIR=$(cd "$BIN_DIR"; pwd)
|
BIN_DIR=$(cd "$BIN_DIR"; pwd)
|
||||||
|
|
||||||
|
function disable_filecheck()
|
||||||
|
{
|
||||||
|
sed -i "s/^OVERRIDE_FILECHECK = .*$/OVERRIDE_FILECHECK = True/" "$BIN_DIR/CryptoBoxRootActions"
|
||||||
|
}
|
||||||
|
|
||||||
|
function enable_filecheck()
|
||||||
|
{
|
||||||
|
sed -i "s/^OVERRIDE_FILECHECK = .*$/OVERRIDE_FILECHECK = False/" "$BIN_DIR/CryptoBoxRootActions"
|
||||||
|
}
|
||||||
|
|
||||||
## add the local python directory to the search path
|
## add the local python directory to the search path
|
||||||
export PYTHONPATH="$BIN_DIR/../src"
|
export PYTHONPATH="$BIN_DIR/../src"
|
||||||
## disable ssl detection
|
## disable ssl detection
|
||||||
|
@ -31,6 +41,13 @@ mkdir -p "$BIN_DIR/../ttt/settings"
|
||||||
|
|
||||||
cd "$BIN_DIR"
|
cd "$BIN_DIR"
|
||||||
|
|
||||||
|
|
||||||
|
# disable strict security checks of CryptoBoxRootActions
|
||||||
|
disable_filecheck
|
||||||
|
|
||||||
## run the webserver
|
## run the webserver
|
||||||
"$BIN_DIR/CryptoBoxWebserver" --config="$CONFIG_FILE" --pidfile=/tmp/cryptoboxwebserver.pid --logfile=/tmp/cryptoboxwebserver.log --port=8080 --datadir="$BIN_DIR/../www-data" "$@"
|
"$BIN_DIR/CryptoBoxWebserver" --config="$CONFIG_FILE" --pidfile=/tmp/cryptoboxwebserver.pid --logfile=/tmp/cryptoboxwebserver.log --port=8080 --datadir="$BIN_DIR/../www-data" "$@"
|
||||||
|
|
||||||
|
# enable strict security checks of CryptoBoxRootActions again
|
||||||
|
enable_filecheck
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue