[evolvis-commits] r7330: Adding this script to the repository.

mirabilos at evolvis.org
Thu Feb 24 15:38:46 CET 2011


Author: mirabilos
Date: 2011-02-24 15:38:46 +0100 (Thu, 24 Feb 2011)
New Revision: 7330

Added:
   trunk/gforge_base/evolvisforge-5.1/gforge/deb-specific/fileforge.pl
Log:
Adding this script to the repository.

Concept is simple: using system permissions on directories is not
enough, since it gives write access on plenty of directories to the
www-data user.

Using a root setuid script works, but then we have to make sure only
authorised invocations can happen.  Again, the permissions system is
not enough.  Only pages in the Sourceforge website should be allowed
to run it.

The trick: we check on the existence and validity of information only
available to the appropriate PHP scripts.  Namely, the database
password.  It's stored in a root:root 600 file, it's only exported to
a select subset of the web pages via a SetEnv directive, so it should
be secure.

Of course, I could be wrong.  In that case, please correct me.

This is a Perl script using all kinds of taintedness checks as per
'perldoc perlsec'.
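The authorization idea above hinges on comparing the secret read from local.pl with the one exported to the web pages through SetEnv. The following Perl snippet is an added example (not code from this commit or from the Evolvis/GForge project) showing how that comparison behaves under Perl's numeric `==` versus the string `eq` operator; the secret values and the function names are constructed for the illustration.

```perl
#!/usr/bin/perl
# Added example, not part of the fileforge.pl commit: demonstrates why a
# secret carried in the environment must be compared with the string
# operator 'eq', never the numeric '=='.  $secret_on_disk stands in for
# $sys_dbpasswd (from local.pl); the %cases values stand in for what a
# caller could present in $ENV{'sys_dbpassword'}.  All values constructed.
use strict;
use warnings;

my $secret_on_disk = 'c0rrect-h0rse-battery';   # constructed sample

# Buggy check: '==' numifies both operands.  A non-numeric string becomes
# 0, an undefined (missing) value also becomes 0, so 0 == 0 is true and
# every caller passes.
sub numeric_check {
    my ($on_disk, $from_env) = @_;
    no warnings 'numeric', 'uninitialized';   # silence the warnings that
    return ($on_disk == $from_env) ? 1 : 0;   # would have flagged the bug
}

# Correct check: the variable must be present and compare equal as a string.
sub string_check {
    my ($on_disk, $from_env) = @_;
    return 0 unless defined $from_env;
    return ($on_disk eq $from_env) ? 1 : 0;
}

# Three callers: the legitimate one, a wrong secret, and no secret at all.
my %cases = (
    'correct secret' => $secret_on_disk,
    'wrong secret'   => 'guess',
    'env unset'      => undef,
);

for my $label (sort keys %cases) {
    my $from_env = $cases{$label};
    printf "%-15s  ==: %d   eq: %d\n", $label,
        numeric_check($secret_on_disk, $from_env),
        string_check($secret_on_disk, $from_env);
}
```

Only the string check rejects the wrong and the missing secret; the numeric check accepts all three callers.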


Added: trunk/gforge_base/evolvisforge-5.1/gforge/deb-specific/fileforge.pl
===================================================================
--- trunk/gforge_base/evolvisforge-5.1/gforge/deb-specific/fileforge.pl	                        (rev 0)
+++ trunk/gforge_base/evolvisforge-5.1/gforge/deb-specific/fileforge.pl	2011-02-24 14:38:46 UTC (rev 7330)
@@ -0,0 +1,89 @@
+#! /usr/bin/perl -T
+
+use strict ;
+use vars qw/ $file $user $group $dirty_file $dirty_user $dirty_group
+    $src_file $dest_dir $retval / ;
+use subs qw/ &wash_string / ;
+no locale ;
+
+if ($#ARGV != 2) {
+    die "Usage: fileforge.pl file user group" ;
+}
+
+# Clean up our environment
+delete @ENV{qw(IFS CDPATH ENV BASH_ENV PATH)};
+
+# Check access to secret
+require ("/etc/sourceforge/local.pl") ;
+unless ($sys_dbpasswd == $ENV{'sys_dbpassword'}) {
+    die "You are not authorized to run this script" ;
+}
+
+# "Parse" command-line options
+$dirty_file = $ARGV [0] ;
+$dirty_user = $ARGV [1] ;
+$dirty_group = $ARGV [2] ;
+
+# Check and untaint $user and $file here
+$file = &wash_string ($dirty_file, "file") ;
+$user = &wash_string ($dirty_user, "user") ;
+
+# Compute source file name
+$src_file = "/var/lib/sourceforge/chroot/home/users/" ;
+$src_file .= $user ;
+$src_file .= "/incoming/" ;
+$src_file .= $file ;
+
+# Check and untaint $group here
+$group = &wash_string ($dirty_group, "group") ;
+
+# Compute destination file name
+$dest_dir = "/var/lib/sourceforge/download/" ;
+$dest_dir .= $group ;
+$dest_dir .= "/" ;
+
+unless ( -d $dest_dir ) {
+    die "Destination directory '$dest_dir' does not exist" ;
+}
+
+# print "Moving '$src_file' to '$dest_dir'.\n" ;
+
+$retval = system "/bin/echo /bin/mv $src_file $dest_dir" ;
+if ($retval == -1) {
+    die "Could not execute /bin/mv: $!" ;
+}
+if ($retval != 0) {
+    die "Error moving file" ;
+}
+
+exit 0 ;
+
+sub wash_string {
+    my $string = shift ;
+    my $name = shift ;
+
+    # Empty strings are not allowed
+    if (length $string == 0) {
+	die "Forbidden empty $name '$string'" ;
+    }
+    
+    # Only allowed characters are alphanumerical . + _ -
+    if ($string =~ m,[^\w.+_-],) {
+	die "Forbidden characters in $name '$string'" ;
+    }
+
+    # No .. sequence is allowed
+    if ($string =~ m,\.\.,) {
+	die "Forbidden '..' sequence in $name 'string'" ;
+    }
+    
+    my $clean = '' ;
+ 
+    if ($string =~ /^([\w.+_-]+)$/) {
+	$clean = $1 ;
+    } else {
+	die "Unexpected error while untainting $name '$string'" ;
+    }
+
+    return $clean ;
+}
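Review bot: the authorization check `unless ($sys_dbpasswd == $ENV{'sys_dbpassword'})` compares two strings with the numeric operator `==`; Perl numifies both sides, a non-numeric password becomes 0 on both sides (an unset `sys_dbpassword` also becomes 0), so the test passes for any caller and the script is effectively unprotected. Use `eq` and require `defined $ENV{'sys_dbpassword'}` first. Also, `$sys_dbpasswd` is not in the `use vars` list, so under `use strict` this file does not compile as written; add it to `use vars` or write `$main::sys_dbpasswd`. Two smaller points: `system "/bin/echo /bin/mv $src_file $dest_dir"` still has the debugging `echo` in front, so nothing is moved, and the single-string form goes through the shell; prefer the list form `system '/bin/mv', $src_file, $dest_dir;`, which works without `$ENV{PATH}` and avoids the shell entirely. The last `die` in `wash_string` has `'string'` where `'$string'` was intended.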


