LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Software (https://www.linuxquestions.org/questions/linux-software-2/)
-   -   Anyone good with POSIX? (https://www.linuxquestions.org/questions/linux-software-2/anyone-good-with-posix-442197/)

Cottsay 05-06-2006 09:31 AM
Anyone good with POSIX?
 
Alright, I'm trying to write a sudoers script that executes a file which writes a file like this

/usr/sbin/file "$(contents - can be anything)" "/path/to/writable/dir/$(a filepath)"

the problem is that if someone simply puts "/../" in the path, they can edit ANY file.

I just can't get sudoers to do what I want...

satinet 05-08-2006 02:40 AM
the problem isn't sudo but your script syntax. maybe you can give an example...

Ygrex 05-08-2006 03:50 AM
Quote:
However, you may also specify command line arguments (including wildcards). Alternately, you can specify "" to indicate that the command may only be run without command
line arguments. A directory is a fully qualified pathname ending in a '/'. When you specify a directory in a Cmnd_List, the user will be able to run any file within that directory (but not in any subdirectories therein).
So you should not worry about any other directories.

ioerror 05-08-2006 05:45 AM
Quote:
the problem is that if someone simply puts "/../" in the path, they can edit ANY file.
Then simply have your script check the supplied filename and remove any ../ from it:

Code:
filename=${filename//..\/}

Cottsay 05-08-2006 04:11 PM
Thats the idea, ioerror...tell me more. I originally thought I could use POSIX in the sudoers file to check that that pattern was not in the inputed command...but how is it that you're thinking of doing it...and I do apologize for not being very specific in my inquiry...

Thanks,

Scott

ioerror 05-08-2006 05:57 PM
You can't really put that sort of thing in the sudoers file as the syntax isn't really designed for it, it's intended to specify commands, rather than contain code itself.

Just out of curiosity, would it be possible to do what you want without using sudo? Perhaps group write permissions using a shared group?

If that sort of thing won't cut the mustard and you want to use sudo, then the code snippet I gave above is a simple addition to your script. Actually, the way I showed before won't catch someone trying to use ../, it will just delete it from the path, which perhaps isn't ideal. You'll probably want to print some sort of error message or perhaps even log the attempt. Thus, maybe something like this near the top of your script:

Code:
filename=$2
if [[ "${filename//..\/}" != "$filename" ]]; then
      print "You have specified an invalid path, do not use ../ in the pathname"
      # maybe log this
      exit 1
fi
So this removes any ../ and compares it to the original filename. If the're not equal, then obviously the filename contained at least one ../. (There may be an easier way to do that, but I'm not too familiar with bash syntax as I use zsh personally).

Is that the sort of thing you're after?

Cottsay 08-09-2006 10:20 PM
Absolutely perfect. Thank you very much.

nx5000 08-10-2006 04:57 AM
Quote:
which perhaps isn't ideal
Yeah the first is not ideal at all, eg if filename=/..././

Code:
echo ${filename//..\/}
/../
Caution with this kind of trick to be sure to match everything.
The second seems secure to me but I would maybe use /usr/bin/dirname


All times are GMT -5. The time now is 10:52 PM.