more sanitizing, make root system call safer

Raphaël Vinot 2013-02-17 02:16:55 +01:00
parent eb2f394ec1
commit 053c2a81e1
8 changed files with 136 additions and 157 deletions


@ -0,0 +1,7 @@
#!/bin/bash
useradd -m kitten
echo "Cmnd_Alias GROOMER_CMDS = /home/kitten/kitten_mount_src, \
/home/kitten/kitten_mount_dst, /home/kitten/kitten_umount" >> /etc/sudoers
echo "kitten ALL=(ALL) NOPASSWD: GROOMER_CMDS" >> /etc/sudoers
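Review bot: The three commands granted NOPASSWD root here live in `/home/kitten`, the directory that `useradd -m kitten` hands to the very account the rule is for, so kitten can overwrite or replace `kitten_mount_src` and friends and run anything as root — sudo matches the path, it does not care who owns the file. Install the helpers in a root-owned, non-world-writable directory outside the home (mode 0755, files root:root), point the Cmnd_Alias there, and adjust the `${HOME}/kitten_*` variables in constraint.sh to match. The appends to `/etc/sudoers` are also never validated and are duplicated on every re-run; write them to a drop-in and check it, e.g. `printf '%s\n' 'Cmnd_Alias GROOMER_CMDS = ...' 'kitten ALL=(ALL) NOPASSWD: GROOMER_CMDS' > /etc/sudoers.d/kitten && chmod 0440 /etc/sudoers.d/kitten && visudo -cf /etc/sudoers.d/kitten`. A `set -e` at the top would also stop the sudoers edit when `useradd` fails (for instance because the user already exists).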


@ -1,21 +1,17 @@
DEV_SRC='/dev/sdf'
DEV_DST='/dev/sdg1'
HOME='/home/kitten'
DEV_SRC='/dev/sdb'
DEV_DST='/dev/sdc1'
# User allowed to do the following commands without password
USERNAME='kitten'
HOME="/home/${USERNAME}"
# commands
SUDO='/usr/bin/sudo'
ID='/usr/bin/id -u'
# root commands
MOUNT='/bin/mount'
UMOUNT='/bin/umount'
ID=`/usr/bin/id -u`
SYNC='/bin/sync'
SHUTDOWN='/sbin/shutdown'
# To put in /etc/sudoers
# Cmnd alias specification
#Cmnd_Alias GROOMER_CMDS = /bin/mount, /bin/umount, /bin/sync
#kitten ALL=(ALL) NOPASSWD: GROOMER_CMDS
# root commands.
# To avoid the risk that an attacker use -o remount on mount and other nasty
# commands, we use our own scripts to invoke mount and umount.
MOUNT_DST="${HOME}/kitten_mount_dst"
MOUNT_SRC="${HOME}/kitten_mount_src"
UMOUNT="${HOME}/kitten_umount"
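Review bot: `DEV_SRC='/dev/sdb'` and `DEV_DST='/dev/sdc1'` are still raw kernel device names, which are handed out in probe order; if another disk enumerates first, groomer.sh mounts the wrong device read-write as the destination and runs `rm -rf "${DST}/FROM_PARTITION_"*` on it. Prefer the stable `/dev/disk/by-path/` (or `by-id/`) symlinks for the two fixed USB ports, or at least refuse to continue when the chosen node is the device backing `/`. `HOME="/home/${USERNAME}"` also overwrites the shell's own HOME for everything sourced after it, which is easy to trip over later; a distinct name such as `KITTEN_HOME` keeps the intent visible. Minor: the uid is captured once at source time with backticks, which is fine, but `ID=$(/usr/bin/id -u)` is the clearer form.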


@ -3,15 +3,6 @@
set -e
set -x
# groom da kitteh!
SRC='/dev/sdb'
PARTITIONS=`ls '${SRC}' | grep '${SRC}[1-9][0-6]*'`
DST='/dev/sdc1'
GH=/opt/groomer/
JAVA=/usr/bin/java
pdfCopyDirty()
{
# copy all pdf's over to their relative same locations
@ -85,82 +76,3 @@ unpackZip()
fi
}
SRC=/src
DST=/dst
if [ ! -d $SRC ]; then
mkdir $SRC
fi
if [ ! -d $DST ]; then
mkdir $DST
fi
TEMP=/dst/temp
ZIPTEMP=/dst/ziptemp
FL=${DST}/filelist.txt
umount $DST 2> /dev/null
mount /dev/sdb1 $DST
if [ $? -ne 0 ]; then
# echo Could not mount target USB stick!
exit 1
else
echo Target USB device mounted at $DST
rm -rf $DST/FROM_PARTITION_*
# mount temp and make sure it's empty
mkdir -p $TEMP
mkdir -p $ZIPTEMP
rm -rf ${TEMP}/*
rm -rf ${ZIPTEMP}/*
echo Full file list from source USB > $FL
fi
COPYDIRTYPDF=0
PARTCOUNT=1
PARTITIONS=`ls /dev/sda* | grep '/dev/sda[1-9][0-6]*'`
for partition in $PARTITIONS
do
echo Processing partition: ${PARTCOUNT} $partition
umount $SRC 2> /dev/null
mount -r $partition $SRC
if [ $? -ne 0 ]; then
echo could not mount $partition at /$SRC
else
echo $partition mounted at $SRC
echo PARTITION $PARTCOUNT >> $FL
find $SRC/* -printf 'echo %p | sed s:$SRC:: >> $FL \n' | while read l; do eval $l; done
# create a director on sdb named PARTION_n
targetDir=${DST}/FROM_PARTITION_${PARTCOUNT}
echo copying to: $targetDir
mkdir -p $targetDir
if [ $COPYDIRTYPDF -eq 1 ]; then
pdfCopyDirty $SRC $targetDir
else
pdfCopyClean $SRC $targetDir
fi
# copy stuff
copySafeFiles $SRC $targetDir
convertCopyFiles $SRC $targetDir $TEMP
rm -rf ${TEMP}/*
# unpack and process archives
unpackZip $SRC $targetDir $TEMP
fi
let PARTCOUNT=$PARTCOUNT+1
done
#cleanup
rm -rf ${TEMP}*
rm -rf ${ZIPTEMP}*
sync
umount $SRC
umount $DST
/sbin/shutdown -h now


@ -4,28 +4,33 @@ set -e
set -x
source ./constraint.sh
if ! [ "${ID}" -ge "1000" ]; then
echo "This script cannot run as root."
exit
fi
SRC=${HOME}/src
DST=${HOME}/dst
TEMP=${DST}/temp
ZIPTEMP=${DST}/ziptemp
LOGS=${DST}/logs
SRC="${HOME}/src"
DST="${HOME}/dst"
TEMP="${DST}/temp"
ZIPTEMP="${DST}/ziptemp"
LOGS="${DST}/logs"
clean(){
echo Cleaning.
${SUDO} ${SYNC}
${SYNC}
# Cleanup source
${SUDO} ${UMOUNT} $SRC || true
rm -rf $SRC
${SUDO} ${UMOUNT} ${SRC} || true
rm -rf ${SRC}
# Cleanup destination
rm -rf ${TEMP}
rm -rf ${ZIPTEMP}
${SUDO} ${UMOUNT} $DST || true
rm -rf $DST
${SUDO} ${UMOUNT} ${DST} || true
rm -rf ${DST}
exit
}
@ -34,51 +39,51 @@ trap clean EXIT TERM INT
# De we have a source device
if [ ! -b ${DEV_SRC} ]; then
echo 'Source device ('${DEV_SRC}') does not exists.'
echo "Source device (${DEV_SRC}) does not exists."
exit
fi
# Find the partition names on the source device
DEV_PARTITIONS=`ls ${DEV_SRC}* | grep ${DEV_SRC}'[1-9][0-6]*' || true`
DEV_PARTITIONS=`ls "${DEV_SRC}"* | grep "${DEV_SRC}[1-9][0-6]*" || true`
if [ -z ${DEV_PARTITIONS} ]; then
echo ${DEV_SRC} 'does not have any partitions.'
echo "${DEV_SRC} does not have any partitions."
exit
fi
# Do we have a destination device
if [ ! -b ${DEV_DST} ]; then
echo 'Destination device ('${DEV_DST}') does not exists.'
echo "Destination device (${DEV_DST}) does not exists."
exit
fi
# Prepare mount points
if [ ! -d $SRC ]; then
mkdir $SRC
if [ ! -d ${SRC} ]; then
mkdir ${SRC}
fi
if [ ! -d $DST ]; then
mkdir $DST
if [ ! -d ${DST} ]; then
mkdir ${DST}
fi
# mount and prepare destination device
if ${MOUNT}|grep $DST; then
${SUDO} ${UMOUNT} $DST || true
if ${MOUNT}|grep ${DST}; then
${SUDO} ${UMOUNT} ${DST} || true
fi
# uid= only works on a vfat FS. What should wedo if we get an ext* FS ?
${SUDO} ${MOUNT} -t vfat -o user,noexec,nosuid,nodev,rw,uid=`${ID}` ${DEV_DST} ${DST}
if [ $? -ne 0 ]; then
echo Unable to ${MOUNT} ${DEV_DST} on ${DST}
${SUDO} ${MOUNT_DST} ${ID} ${DEV_DST} ${DST}
if [ ${?} -ne 0 ]; then
echo "Unable to mount ${DEV_DST} on ${DST}"
exit
else
echo 'Target USB device ('${DEV_DST}') mounted at '${DST}
rm -rf ${DST}/FROM_PARTITION_*
echo "Target USB device (${DEV_DST}) mounted at ${DST}"
rm -rf "${DST}/FROM_PARTITION_"*
# mount temp and make sure it's empty
mkdir -p ${TEMP}
mkdir -p ${ZIPTEMP}
mkdir -p ${LOGS}
# prepare temp dirs and make sure it's empty
mkdir -p "${TEMP}"
mkdir -p "${ZIPTEMP}"
mkdir -p "${LOGS}"
rm -rf ${TEMP}/*
rm -rf ${ZIPTEMP}/*
rm -rf ${LOGS}/*
rm -rf "${TEMP}/"*
rm -rf "${ZIPTEMP}/"*
rm -rf "${LOGS}/"*
fi
# Groom da kitteh!
@ -88,41 +93,41 @@ PARTCOUNT=1
for partition in ${DEV_PARTITIONS}
do
# Processing a partition
echo Processing partition: ${partition}
if ${MOUNT}|grep $SRC; then
${SUDO} ${UMOUNT} $SRC
echo "Processing partition: ${partition}"
if ${MOUNT}|grep ${SRC}; then
${SUDO} ${UMOUNT} ${SRC}
fi
${SUDO} ${MOUNT} -o noexec,nosuid,nodev -r $partition $SRC
if [ $? -ne 0 ]; then
echo Unable to ${MOUNT} ${partition} on $SRC
${SUDO} ${MOUNT_SRC} ${partition} ${SRC}
if [ ${?} -ne 0 ]; then
echo "Unable to mount ${partition} on ${SRC}"
else
echo $partition mounted at $SRC
echo "${partition} mounted at ${SRC}"
# Print the filenames on the current partition in a logfile
find ${SRC} -fls ${LOGS}/${PARTCOUNT}
find "${SRC}" -fls "${LOGS}/${PARTCOUNT}"
# create a directory on $DST named PARTION_$PARTCOUNT
target_dir=${DST}/FROM_PARTITION_${PARTCOUNT}
echo copying to: $target_dir
mkdir -p $target_dir
# create a directory on ${DST} named PARTION_$PARTCOUNT
target_dir="${DST}/FROM_PARTITION_${PARTCOUNT}"
echo "copying to: ${target_dir}"
mkdir -p "${target_dir}"
#if [ $COPYDIRTYPDF -eq 1 ]; then
# pdfCopyDirty $SRC $targetDir
# pdfCopyDirty ${SRC} $targetDir
#else
# pdfCopyClean $SRC $targetDir
# pdfCopyClean ${SRC} $targetDir
#fi
# copy stuff
#copySafeFiles $SRC $targetDir
#convertCopyFiles $SRC $targetDir $TEMP
#copySafeFiles ${SRC} $targetDir
#convertCopyFiles ${SRC} $targetDir $TEMP
#rm -rf ${TEMP}/*
# unpack and process archives
#unpackZip $SRC $targetDir $TEMP
#unpackZip ${SRC} $targetDir $TEMP
fi
let PARTCOUNT=$PARTCOUNT+1
let PARTCOUNT=${PARTCOUNT}+1
done
# The cleanup is automatically done in the finction clean called when
# The cleanup is automatically done in the function clean called when
# the program quits
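Review bot: In `clean()` the new `${SUDO} ${UMOUNT} ${DST} || true` followed by `rm -rf ${DST}` deletes the contents of the destination key whenever the unmount fails (device busy, a stray process in the directory), because the recursive rm then walks the still-mounted filesystem; the `${SRC}` pair has the same shape and only fails loudly because that mount is read-only. The mount points are plain directories, so `rmdir -- "${DST}" || true` (and likewise for `${SRC}`) is both sufficient and safe: it refuses to act while anything is mounted there. Separately, with `set -e` in effect the `if [ ${?} -ne 0 ]` checks after `${SUDO} ${MOUNT_DST} ...` and `${SUDO} ${MOUNT_SRC} ...` can never observe a failure — the script has already exited — so the "Unable to mount" messages are dead code; write them as `if ! ${SUDO} "${MOUNT_DST}" "${ID}" "${DEV_DST}" "${DST}"; then`. The `${MOUNT}|grep ${DST}` tests also match any mount line merely containing that string, so quote and anchor the pattern, e.g. `grep -q " ${DST} "`.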


@ -3,11 +3,26 @@
set -e
set -x
USERNAME='kitten'
source ./constraint.sh
if [ ${ID} -ne 0 ]; then
echo "This script has to be run as root."
exit
fi
clean(){
echo Done, cleaning.
# Only if running on a rPi
# mount -o remount,rw /
${SYNC}
# shutdown -h now
}
trap clean EXIT TERM INT
# Remount the root filesystem in RO mode
# mount -o remount,ro /
su ${USERNAME} -c ./groomer.sh
echo 'Done.'
# Only if running on a rPi
# shutdown -h now
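Review bot: `source ./constraint.sh` and `su ${USERNAME} -c ./groomer.sh` resolve against whatever working directory the caller happens to be in — `su` without `-` does not change it — so run from anywhere else both fail, and the first one is sourced by root, meaning a `constraint.sh` planted in a directory writable by a less privileged user would execute as root. Anchor the script to its own location first, e.g. `cd "$(dirname "$(readlink -f -- "$0")")"`, or use absolute paths, and quote `"${USERNAME}"`. The bare `exit` after "This script has to be run as root." returns 0; use `exit 1` so a wrapper or a caller's `set -e` notices. `set -x` in a root-run script also traces every command to stderr, which is worth disabling outside debugging.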


@ -0,0 +1,20 @@
#!/bin/bash
set -e
set -x
if [ $# -eq 3 ]; then
if ! [ "${1}" -ge "1000" ] ; then
# avoid the risk of passing other options to mount, and enforce uid >= 1000
echo "$1 is not a valid uid (>= 1000)"
exit 1
fi
# uid= only works on a vfat FS. What should we do if we get an ext* FS ?
# the main problem is that we need the rw rights on the dest key.
# It is not possible to ensure it on a non-vfat USB key.
mount -t vfat -o user,noexec,nosuid,nodev,rw,uid="${1}" "${2}" "${3}"
exit 0
else
echo 'Invalid number of arguments.'
exit 1
fi
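Review bot: The uid guard `if ! [ "${1}" -ge "1000" ]` does not reject non-integers: on an argument such as `1000,remount` the `[` builtin errors out with status 2, `!` turns that into success, the branch is skipped and the string lands in `-o ...,uid="${1}"` — exactly the option injection the comment says this wrapper prevents (`set -e` is not applied inside an `if` condition). The device and mount point in `$2`/`$3` are also taken unchecked, so the sudo rule lets kitten mount any vfat block device on any directory on the system. Validate the uid with a strict numeric match, require a real block device, and restrict the target to the groomer's home; the rewritten body is below. Whether `noexec,nosuid,nodev` alone makes a mount outside the home harmless is debatable, so refusing it is the simpler rule.
```shell
if [ $# -ne 3 ]; then
  echo 'Invalid number of arguments.'
  exit 1
fi
# Strictly numeric uid >= 1000: a plain "[ -ge ]" returns 2 on input such as
# "1000,remount" and "if !" would then let it through into -o.
if ! [[ "${1}" =~ ^[0-9]+$ ]] || [ "${1}" -lt 1000 ]; then
  echo "$1 is not a valid uid (>= 1000)"
  exit 1
fi
# Only a real block device, and only onto a directory below the groomer home.
if ! [ -b "${2}" ] || [[ "$(readlink -f -- "${3}")" != /home/kitten/* ]]; then
  echo "refusing to mount ${2} on ${3}"
  exit 1
fi
# uid= only works on a vfat FS. What should we do if we get an ext* FS ?
mount -t vfat -o user,noexec,nosuid,nodev,rw,uid="${1}" -- "${2}" "${3}"
exit 0
```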


@ -0,0 +1,12 @@
#!/bin/bash
set -e
set -x
if [ $# -eq 2 ]; then
mount -o noexec,nosuid,nodev,ro "${1}" "${2}"
exit 0
else
echo 'Invalid number of arguments.'
exit 1
fi
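Review bot: `mount -o noexec,nosuid,nodev,ro "${1}" "${2}"` passes both arguments straight through, so a first argument beginning with `-` is parsed by mount as an option — util-linux merges a second `-o`, e.g. `-o remount,rw` — and any device/target pair is accepted, which means the sudo rule lets kitten mount or remount arbitrary filesystems anywhere. Require `$1` to be an existing block device, require the target to resolve below `/home/kitten`, and pass `--` so nothing after it is parsed as an option; the rewritten body is below. Consider also pinning `-t` to the filesystem types the appliance actually expects, since autodetection hands an attacker-controlled image to whichever kernel driver claims it.
```shell
if [ $# -ne 2 ]; then
  echo 'Invalid number of arguments.'
  exit 1
fi
# Refuse anything that is not a real block device (this also rejects a
# "-o ..." smuggled in $1) and any target outside the groomer home.
if ! [ -b "${1}" ] || [[ "$(readlink -f -- "${2}")" != /home/kitten/* ]]; then
  echo "refusing to mount ${1} on ${2}"
  exit 1
fi
mount -o noexec,nosuid,nodev,ro -- "${1}" "${2}"
exit 0
```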


@ -0,0 +1,12 @@
#!/bin/bash
set -e
set -x
if [ $# -eq 1 ]; then
umount $1
exit 0
else
echo "Invalid number of arguments."
exit 1
fi
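Review bot: `umount $1` is unquoted and unchecked, so the sudo rule effectively lets kitten unmount anything: `kitten_umount -a` becomes `umount -a`, and any absolute path (`/boot`, `/home`) is accepted as-is. Only the two groomer mount points are legitimate targets, so compare against them before calling umount and pass `--`; the rewritten body is below. If the mount point directories ever move, this allowlist must follow them, so keep it next to the matching paths in constraint.sh.
```shell
if [ $# -ne 1 ]; then
  echo "Invalid number of arguments."
  exit 1
fi
# Only the groomer's own mount points may be unmounted through sudo.
case "${1}" in
  /home/kitten/src|/home/kitten/dst)
    umount -- "${1}"
    ;;
  *)
    echo "refusing to unmount ${1}"
    exit 1
    ;;
esac
exit 0
```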