there is a nicer way to disable security checks

This commit is contained in:
lars 2007-01-30 02:07:09 +00:00
parent 1f24166835
commit 6359da105a
2 changed files with 23 additions and 6 deletions

View file

@ -48,8 +48,9 @@ allowedProgs = {
"blkid": "/sbin/blkid", "blkid": "/sbin/blkid",
} }
## this line is necessary to run unittests - otherwise these tests are too strict ## this line is necessary for running unittests or playing around with a local
# TODO: check this before every release! ## svn working copy - otherwise the security checks would be too strict
# TODO: check this value before every release!
OVERRIDE_FILECHECK = False OVERRIDE_FILECHECK = False
DEV_TYPES = { "pipe":1, "char":2, "dir":4, "block":6, "file":8, "link":10, "socket":12} DEV_TYPES = { "pipe":1, "char":2, "dir":4, "block":6, "file":8, "link":10, "socket":12}
@ -112,10 +113,9 @@ def call_plugin(args):
if not os.access(plugin, os.X_OK): if not os.access(plugin, os.X_OK):
raise Exception, "could not find executable plugin (%s)" % plugin raise Exception, "could not find executable plugin (%s)" % plugin
## check if the plugin (and its parents) are only writeable for root ## check if the plugin (and its parents) are only writeable for root
## TODO: this doesn't work with cbx svn versions running by local user ## this can be overridden by OVERRIDE_FILECHECK
## shouldn't we diable this while developing plugins? if not checkIfFileIsSafe(plugin):
#if not checkIfFileIsSafe(plugin): raise Exception, "the plugin (%s) is not safe - check its (and its parents') permissions" % plugin
#raise Exception, "the plugin (%s) is not safe - check its (and its parents') permissions" % plugin
## check if the plugin is a python program, that is marked as a cryptobox plugin ## check if the plugin is a python program, that is marked as a cryptobox plugin
if not checkIfPluginIsValid(plugin): if not checkIfPluginIsValid(plugin):
raise Exception, "the plugin (%s) is not a correctly marked python script" % plugin raise Exception, "the plugin (%s) is not a correctly marked python script" % plugin

View file

@ -12,6 +12,16 @@
BIN_DIR=$(dirname "$0") BIN_DIR=$(dirname "$0")
BIN_DIR=$(cd "$BIN_DIR"; pwd) BIN_DIR=$(cd "$BIN_DIR"; pwd)
function disable_filecheck()
{
sed -i "s/^OVERRIDE_FILECHECK = .*$/OVERRIDE_FILECHECK = True/" "$BIN_DIR/CryptoBoxRootActions"
}
function enable_filecheck()
{
sed -i "s/^OVERRIDE_FILECHECK = .*$/OVERRIDE_FILECHECK = False/" "$BIN_DIR/CryptoBoxRootActions"
}
## add the local python directory to the search path ## add the local python directory to the search path
export PYTHONPATH="$BIN_DIR/../src" export PYTHONPATH="$BIN_DIR/../src"
## disable ssl detection ## disable ssl detection
@ -31,6 +41,13 @@ mkdir -p "$BIN_DIR/../ttt/settings"
cd "$BIN_DIR" cd "$BIN_DIR"
# disable strict security checks of CryptoBoxRootActions
disable_filecheck
## run the webserver ## run the webserver
"$BIN_DIR/CryptoBoxWebserver" --config="$CONFIG_FILE" --pidfile=/tmp/cryptoboxwebserver.pid --logfile=/tmp/cryptoboxwebserver.log --port=8080 --datadir="$BIN_DIR/../www-data" "$@" "$BIN_DIR/CryptoBoxWebserver" --config="$CONFIG_FILE" --pidfile=/tmp/cryptoboxwebserver.pid --logfile=/tmp/cryptoboxwebserver.log --port=8080 --datadir="$BIN_DIR/../www-data" "$@"
# enable strict security checks of CryptoBoxRootActions again
enable_filecheck