[server] bug fix to honor CMD_EXEC_USER and CMD_SUDO_EXEC_USER vars

Michael Rash 2015-12-08 19:01:53 -08:00
parent 4f81dd7747
commit 95383149cb
3 changed files with 82 additions and 12 deletions


@ -85,7 +85,7 @@ add_acc_string(char **var, const char *val, FILE *file_ptr,
/* Add an access user entry
*/
static void
add_acc_user(char **user_var, uid_t *uid_var, struct passwd *upw,
add_acc_user(char **user_var, uid_t *uid_var, struct passwd **upw,
const char *val, const char *var_name, FILE *file_ptr,
fko_srv_options_t *opts)
{
@ -94,9 +94,9 @@ add_acc_user(char **user_var, uid_t *uid_var, struct passwd *upw,
add_acc_string(user_var, val, file_ptr, opts);
errno = 0;
upw = pw = getpwnam(val);
*upw = pw = getpwnam(val);
if(upw == NULL || pw == NULL)
if(*upw == NULL || pw == NULL)
{
log_msg(LOG_ERR, "[*] Unable to determine UID for %s: %s.",
var_name, errno ? strerror(errno) : "Not a user on this system");
@ -1276,7 +1276,7 @@ acc_data_is_valid(fko_srv_options_t *opts,
{
log_msg(LOG_INFO,
"Setting gid to group associated with CMD_SUDO_EXEC_USER '%s' in stanza source: '%s'",
acc->cmd_exec_user,
acc->cmd_sudo_exec_user,
acc->source
);
acc->cmd_sudo_exec_gid = sudo_user_pw->pw_gid;
@ -1604,7 +1604,7 @@ parse_access_file(fko_srv_options_t *opts)
}
else if(CONF_VAR_IS(var, "CMD_SUDO_EXEC_USER"))
add_acc_user(&(curr_acc->cmd_sudo_exec_user),
&(curr_acc->cmd_sudo_exec_uid), sudo_user_pw,
&(curr_acc->cmd_sudo_exec_uid), &sudo_user_pw,
val, "CMD_SUDO_EXEC_USER", file_ptr, opts);
else if(CONF_VAR_IS(var, "CMD_SUDO_EXEC_GROUP"))
add_acc_group(&(curr_acc->cmd_sudo_exec_group),
@ -1612,7 +1612,7 @@ parse_access_file(fko_srv_options_t *opts)
"CMD_SUDO_EXEC_GROUP", file_ptr, opts);
else if(CONF_VAR_IS(var, "CMD_EXEC_USER"))
add_acc_user(&(curr_acc->cmd_exec_user),
&(curr_acc->cmd_exec_uid), user_pw,
&(curr_acc->cmd_exec_uid), &user_pw,
val, "CMD_EXEC_USER", file_ptr, opts);
else if(CONF_VAR_IS(var, "CMD_EXEC_GROUP"))
add_acc_group(&(curr_acc->cmd_exec_group),
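Review bot: The fixed `*upw = pw = getpwnam(val);` hands the caller a pointer into getpwnam()'s result, which on most libcs is a single static buffer overwritten by the next getpwnam()/getpwuid() call, and the callers now keep `user_pw` and `sudo_user_pw` alive for the rest of the stanza until acc_data_is_valid reads `sudo_user_pw->pw_gid`. A stanza that sets both CMD_EXEC_USER and CMD_SUDO_EXEC_USER (or any other passwd lookup in between) can therefore leave both pointers aliasing the same record, so the gid applied for command execution may be the other user's group; copying the fields needed (at least `pw_gid`) into the access stanza at parse time, or using `getpwnam_r()` with a caller-owned `struct passwd` and buffer, avoids the aliasing. The guard `if(*upw == NULL || pw == NULL)` tests the same value twice; `if(pw == NULL)` is sufficient once `*upw` is assigned from `pw`. The body of add_acc_user continues outside the hunk.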


@ -941,6 +941,8 @@ my %test_keys = (
'cmd_cycle_close_file' => $OPTIONAL,
'cmd_exec_file_owner' => $OPTIONAL,
'cmd_exec_file_not_created' => $OPTIONAL,
'user_group_mismatch' => $OPTIONAL,
'sudo_user_group_mismatch' => $OPTIONAL,
'rm_rule_mid_cycle' => $OPTIONAL,
'server_receive_re' => $OPTIONAL,
'no_exit_intf_down' => $OPTIONAL,
@ -2294,15 +2296,30 @@ sub server_conf_files() {
my $rv = 1;
if ($test_hr->{'digest_cache_file'}) {
&write_server_conf_file($test_hr->{'digest_cache_file'}, $rewrite_digest_file);
&write_server_conf_file($test_hr->{'digest_cache_file'},
$rewrite_digest_file);
}
if ($test_hr->{'server_access_file'}) {
&write_server_conf_file($test_hr->{'server_access_file'}, $rewrite_access_conf);
if ($test_hr->{'sudo_user_group_mismatch'} eq $YES) {
push @{$test_hr->{'server_access_file'}},
"CMD_SUDO_EXEC_USER $username";
push @{$test_hr->{'server_access_file'}},
"CMD_SUDO_EXEC_GROUP root";
}
if ($test_hr->{'user_group_mismatch'} eq $YES) {
push @{$test_hr->{'server_access_file'}},
"CMD_EXEC_USER $username";
push @{$test_hr->{'server_access_file'}},
"CMD_EXEC_GROUP root";
}
&write_server_conf_file($test_hr->{'server_access_file'},
$rewrite_access_conf);
}
if ($test_hr->{'server_conf_file'}) {
&write_server_conf_file($test_hr->{'server_conf_file'}, $rewrite_fwknopd_conf);
&write_server_conf_file($test_hr->{'server_conf_file'},
$rewrite_fwknopd_conf);
}
$rv = 0 unless &run_cmd($test_hr->{'fwknopd_cmdline'},
@ -3202,10 +3219,10 @@ sub perl_fko_module_user() {
return 0;
}
my $username = $fko_obj->username();
my $fko_username = $fko_obj->username();
if ($username) {
&write_test_file("[+] got username(): $username\n",
if ($fko_username) {
&write_test_file("[+] got username(): $fko_username\n",
$curr_test_file);
} else {
&write_test_file("[-] could not get username()\n",
@ -7276,6 +7293,7 @@ sub init() {
}
push @tests_to_exclude, qr/sudo/ unless $sudo_conf_testing;
push @tests_to_exclude, qr/user.*\sparity/ unless $username;
### see if the 'nobody' user is on the system
unless (getpwnam('nobody')) {
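Review bot: The new `eq $YES` checks in server_conf_files read keys that %test_keys declares `$OPTIONAL`, so any test hash without `sudo_user_group_mismatch` or `user_group_mismatch` compares undef against a string, which under `use warnings` (if the harness enables it) prints an uninitialized-value warning for every test reaching this branch. Either follow the neighbouring truthiness style, `if ($test_hr->{'sudo_user_group_mismatch'}) {`, or use defined-or: `if (($test_hr->{'sudo_user_group_mismatch'} // '') eq $YES) {`, and likewise for `user_group_mismatch`. The `push @{$test_hr->{'server_access_file'}}` calls also mutate the shared test definition in place, so if the harness ever re-runs the same hash the CMD_*_USER and CMD_*_GROUP lines are appended a second time; pushing onto a local copy such as `my @access_lines = @{$test_hr->{'server_access_file'}};` and passing `\@access_lines` to write_server_conf_file keeps the definition immutable. The body of server_conf_files continues outside the hunk.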


@ -465,6 +465,40 @@
'exec_err' => $YES,
'cmdline' => "$fwknopdCmd $default_server_conf_args --sudo-exe /etc/hosts"
},
{
'category' => 'basic operations',
'subcategory' => 'server',
'detail' => 'user/group parity',
'function' => \&server_conf_files,
'fwknopd_cmdline' => "$server_rewrite_conf_files --exit-parse-config",
'exec_err' => $YES,
'user_group_mismatch' => $YES,
'server_access_file' => [
'SOURCE any',
'KEY testtest'
],
'server_conf_file' => [
'### comment'
],
'positive_output_matches' => [qr/Setting gid/],
},
{
'category' => 'basic operations',
'subcategory' => 'server',
'detail' => 'sudo user/group parity',
'function' => \&server_conf_files,
'fwknopd_cmdline' => "$server_rewrite_conf_files --exit-parse-config",
'exec_err' => $YES,
'sudo_user_group_mismatch' => $YES,
'server_access_file' => [
'SOURCE any',
'KEY testtest'
],
'server_conf_file' => [
'### comment'
],
'positive_output_matches' => [qr/Setting gid/],
},
{
'category' => 'basic operations',
@ -2350,6 +2384,23 @@
'ENABLE_PCAP_PROMISC Y'
],
},
{
'category' => 'basic operations',
'subcategory' => 'server',
'detail' => 'invalid ACCESS_EXPIRE_EPOCH',
'function' => \&server_conf_files,
'fwknopd_cmdline' => "$server_rewrite_conf_files --exit-parse-config",
'exec_err' => $YES,
'server_access_file' => [
'SOURCE any',
'KEY testtest',
'ACCESS_EXPIRE_EPOCH 999999999999999999999999999999999999'
],
'server_conf_file' => [
'### comment'
],
'positive_output_matches' => [qr/invalid epoch seconds value/],
},
### test syslog config
{
@ -2971,6 +3022,7 @@
],
'positive_output_matches' => [qr/not\sin\sthe\srange/],
},
{
'category' => 'basic operations',
'subcategory' => 'server',