event script directory check implemented
fix logging in CryptoBoxWebserver (introducing another problem)
This commit is contained in:
parent
1fa160250b
commit
8511ff9845
|
@ -28,6 +28,7 @@ allowedProgs = {
|
||||||
|
|
||||||
|
|
||||||
DEV_TYPES = { "pipe":1, "char":2, "dir":4, "block":6, "file":8, "link":10, "socket":12}
|
DEV_TYPES = { "pipe":1, "char":2, "dir":4, "block":6, "file":8, "link":10, "socket":12}
|
||||||
|
EVENT_MARKER = '_event_marker_'
|
||||||
|
|
||||||
|
|
||||||
def checkIfFileIsSafe(fname):
|
def checkIfFileIsSafe(fname):
|
||||||
|
@ -62,6 +63,14 @@ def checkIfPluginIsValid(plugin):
|
||||||
return False
|
return False
|
||||||
|
|
||||||
|
|
||||||
|
def checkIfEventScriptIsValid(plugin):
|
||||||
|
event_dir = os.path.dirname(plugin)
|
||||||
|
if os.path.exists(os.path.join(event_dir,EVENT_MARKER)):
|
||||||
|
return True
|
||||||
|
else:
|
||||||
|
return False
|
||||||
|
|
||||||
|
|
||||||
def call_plugin(args):
|
def call_plugin(args):
|
||||||
"""check if the plugin may be called - and do it finally ..."""
|
"""check if the plugin may be called - and do it finally ..."""
|
||||||
plugin = os.path.abspath(args[0])
|
plugin = os.path.abspath(args[0])
|
||||||
|
@ -83,17 +92,20 @@ def call_plugin(args):
|
||||||
return proc.returncode == 0
|
return proc.returncode == 0
|
||||||
|
|
||||||
|
|
||||||
def call_hook(args):
|
def call_event(args):
|
||||||
"""check if the hook script may be called - and do it finally ..."""
|
"""check if the event script may be called - and do it finally ..."""
|
||||||
hook = os.path.abspath(args[0])
|
event = os.path.abspath(args[0])
|
||||||
del args[0]
|
del args[0]
|
||||||
## check existence and if it is executable
|
## check existence and if it is executable
|
||||||
if not os.access(hook, os.X_OK):
|
if not os.access(event, os.X_OK):
|
||||||
raise Exception, "could not find executable hook script (%s)" % hook
|
raise Exception, "could not find executable event script (%s)" % event
|
||||||
## check if the hook (and its parents) are only writeable for root
|
## check if the script is valid (the marker file must be in the same directory)
|
||||||
if not checkIfFileIsSafe(hook):
|
if not checkIfEventScriptIsValid(plugin):
|
||||||
raise Exception, "the hook (%s) is not safe - check its (and its parents') permissions" % hook
|
raise Exception, "the event script (%s) does not reside in a directory with the marker file (%s) - this is not allowed due to abuse prevention" % (plugin,EVENT_MARKER)
|
||||||
args.insert(0,hook)
|
## check if the event (and its parents) are only writeable for root
|
||||||
|
if not checkIfFileIsSafe(event):
|
||||||
|
raise Exception, "the event (%s) is not safe - check its (and its parents') permissions" % event
|
||||||
|
args.insert(0,event)
|
||||||
proc = subprocess.Popen(
|
proc = subprocess.Popen(
|
||||||
shell = False,
|
shell = False,
|
||||||
args = args)
|
args = args)
|
||||||
|
@ -374,12 +386,12 @@ if __name__ == "__main__":
|
||||||
else:
|
else:
|
||||||
sys.exit(1)
|
sys.exit(1)
|
||||||
|
|
||||||
if args[0].lower() == "hook":
|
if args[0].lower() == "event":
|
||||||
del args[0]
|
del args[0]
|
||||||
try:
|
try:
|
||||||
isOK = call_hook(args)
|
isOK = call_event(args)
|
||||||
except Exception, errMsg:
|
except Exception, errMsg:
|
||||||
sys.stderr.write("Execution of hook script failed: %s\n" % errMsg)
|
sys.stderr.write("Execution of event script failed: %s\n" % errMsg)
|
||||||
sys.exit(100)
|
sys.exit(100)
|
||||||
if isOK:
|
if isOK:
|
||||||
sys.exit(0)
|
sys.exit(0)
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
#!/usr/bin/python2.4
|
#!/usr/bin/env python2.4
|
||||||
#
|
#
|
||||||
# The daemon script to run the CryptoBox webserver.
|
# The daemon script to run the CryptoBox webserver.
|
||||||
#
|
#
|
||||||
|
@ -158,14 +158,16 @@ def parseOptions():
|
||||||
if __name__ == "__main__":
|
if __name__ == "__main__":
|
||||||
## process arguments
|
## process arguments
|
||||||
options = parseOptions()
|
options = parseOptions()
|
||||||
## initialize the webserver class (before forking to get some error messages)
|
|
||||||
cbw = CryptoBoxWebserver(options)
|
|
||||||
## run the webserver as a daemon process
|
## run the webserver as a daemon process
|
||||||
if options.background: fork_to_background()
|
if options.background: fork_to_background()
|
||||||
## write pid file
|
|
||||||
write_pid_file(options.pidfile)
|
|
||||||
## close open files to allow background execution
|
## close open files to allow background execution
|
||||||
if options.background: close_open_files()
|
if options.background: close_open_files()
|
||||||
|
## write pid file
|
||||||
|
write_pid_file(options.pidfile)
|
||||||
|
## TODO: if we close the open files _after_ initialization, then we also close
|
||||||
|
## the log out - we have to figure something out here ...
|
||||||
|
## initialize the webserver class (before forking to get some error messages)
|
||||||
|
cbw = CryptoBoxWebserver(options)
|
||||||
## start the webserver
|
## start the webserver
|
||||||
try:
|
try:
|
||||||
cbw.start()
|
cbw.start()
|
||||||
|
|
Loading…
Reference in New Issue