LinuxQuestions.org
Old 05-06-2006, 09:31 AM   #1
Cottsay
Member
 
Registered: Feb 2004
Location: Chaska, MN
Distribution: Fedora
Posts: 195

Rep: Reputation: 31
Anyone good with POSIX?


Alright, I'm trying to write a sudoers script that executes a file which writes a file like this

/usr/sbin/file "$(contents - can be anything)" "/path/to/writable/dir/$(a filepath)"

The problem is that if someone simply puts "/../" in the path, they can edit ANY file.

I just can't get sudoers to do what I want...
 
Old 05-08-2006, 02:40 AM   #2
satinet
Senior Member
 
Registered: Feb 2004
Location: England
Distribution: Slackware 14.2
Posts: 1,491

Rep: Reputation: 50
The problem isn't sudo but your script syntax. Maybe you can give an example...
 
Old 05-08-2006, 03:50 AM   #3
Ygrex
Member
 
Registered: Nov 2004
Location: Russia (St.Petersburg)
Distribution: Debian
Posts: 666

Rep: Reputation: 68
Quote:
However, you may also specify command line arguments (including wildcards). Alternately, you can specify "" to indicate that the command may only be run without command line arguments. A directory is a fully qualified pathname ending in a '/'. When you specify a directory in a Cmnd_List, the user will be able to run any file within that directory (but not in any subdirectories therein).
So you should not worry about any other directories.
 
Old 05-08-2006, 05:45 AM   #4
ioerror
Member
 
Registered: Sep 2005
Location: Old Blighty
Distribution: Slackware, NetBSD
Posts: 536

Rep: Reputation: 34
Quote:
the problem is that if someone simply puts "/../" in the path, they can edit ANY file.
Then simply have your script check the supplied filename and remove any ../ from it:

Code:
filename=${filename//..\/}
 
Old 05-08-2006, 04:11 PM   #5
Cottsay
Member
 
Registered: Feb 2004
Location: Chaska, MN
Distribution: Fedora
Posts: 195

Original Poster
Rep: Reputation: 31
That's the idea, ioerror... tell me more. I originally thought I could use POSIX in the sudoers file to check that that pattern was not in the input command... but how is it that you're thinking of doing it... and I do apologize for not being very specific in my inquiry...

Thanks,

Scott
 
Old 05-08-2006, 05:57 PM   #6
ioerror
Member
 
Registered: Sep 2005
Location: Old Blighty
Distribution: Slackware, NetBSD
Posts: 536

Rep: Reputation: 34
You can't really put that sort of thing in the sudoers file as the syntax isn't really designed for it, it's intended to specify commands, rather than contain code itself.

Just out of curiosity, would it be possible to do what you want without using sudo? Perhaps group write permissions using a shared group?

If that sort of thing won't cut the mustard and you want to use sudo, then the code snippet I gave above is a simple addition to your script. Actually, the way I showed before won't catch someone trying to use ../, it will just delete it from the path, which perhaps isn't ideal. You'll probably want to print some sort of error message or perhaps even log the attempt. Thus, maybe something like this near the top of your script:

Code:
filename=$2
# Strip every "../" from a copy and compare it with the original: any
# difference means the supplied path contained at least one "../".
if [[ "${filename//..\/}" != "$filename" ]]; then
      # 'print' is a zsh/ksh builtin, not bash; use printf and send the message to stderr
      printf '%s\n' "You have specified an invalid path, do not use ../ in the pathname" >&2
      # maybe log this
      exit 1
fi
So this removes any ../ and compares it to the original filename. If they're not equal, then obviously the filename contained at least one ../. (There may be an easier way to do that, but I'm not too familiar with bash syntax as I use zsh personally).

Is that the sort of thing you're after?

Last edited by ioerror; 05-08-2006 at 05:58 PM.
 
Old 08-09-2006, 10:20 PM   #7
Cottsay
Member
 
Registered: Feb 2004
Location: Chaska, MN
Distribution: Fedora
Posts: 195

Original Poster
Rep: Reputation: 31
Absolutely perfect. Thank you very much.
 
Old 08-10-2006, 04:57 AM   #8
nx5000
Senior Member
 
Registered: Sep 2005
Location: Out
Posts: 3,307

Rep: Reputation: 57
Quote:
which perhaps isn't ideal
Yeah, the first is not ideal at all, e.g. if filename=/..././

Code:
echo ${filename//..\/}
/../
Be cautious with this kind of trick; make sure it matches everything.
The second seems secure to me, but I would maybe use /usr/bin/dirname.
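The three approaches discussed in posts #4, #6 and #8 side by side, as an added example that is not code from the thread or from any of its posters. It is written in POSIX sh so it runs under sh or bash alike, reuses the thread's /path/to/writable/dir as a placeholder base directory, and the function and variable names (strip_dotdot, contains_dotdot_slash, validate_relative_path, safe_target, BASE_DIR) are my own. strip_dotdot reimplements bash's single-pass ${filename//..\/} deletion so that nx5000's /..././ case can be reproduced; the inputs in the demonstration loop are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. Checks a user-supplied relative
# path before a privileged script appends it to a fixed writable directory.
# BASE_DIR reuses the thread's placeholder; set it to the real directory.
BASE_DIR="/path/to/writable/dir"

# Post #4's approach, redone in POSIX sh: delete each "../" found in a single
# left-to-right pass, exactly as bash's ${filename//..\/} does. Kept only to
# show the problem: on the constructed input "/..././" the deletion itself
# manufactures "/../", so a harmless name is rewritten into a traversal.
strip_dotdot() {
    src=$1
    acc=""
    while [ -n "$src" ]; do
        case "$src" in
            ../*) src=${src#../} ;;                               # drop one "../"
            *)    acc="$acc${src%"${src#?}"}"; src=${src#?} ;;    # copy one character
        esac
    done
    printf '%s\n' "$acc"
}

# Post #6's approach: reject when stripping would change the string.
# Returns 0 (true) when "../" occurs anywhere in $1, i.e. the request is rejected.
# Note it only looks for "../"; a final ".." component has no slash after it.
contains_dotdot_slash() {
    [ "$(strip_dotdot "$1")" != "$1" ]
}

# Component-wise validation: split on "/" and reject any ".." component, with or
# without a trailing slash. The string is never modified, so the check cannot
# turn input into something dangerous the way strip_dotdot can. Returns 0 if OK.
validate_relative_path() {
    path=$1
    [ -n "$path" ] || return 1
    rest="$path/"               # trailing "/" so the loop also sees the last component
    while [ -n "$rest" ]; do
        comp=${rest%%/*}
        rest=${rest#*/}
        case "$comp" in
            ..) return 1 ;;
        esac
    done
    return 0
}

# What the sudo-run script would call: validate, then build the full target.
# A leading "/" in $1 is harmless here only because BASE_DIR is always prefixed.
safe_target() {
    if ! validate_relative_path "$1"; then
        printf 'rejected path: %s\n' "$1" >&2     # report (or log) before refusing
        return 1
    fi
    printf '%s/%s\n' "$BASE_DIR" "$1"
}

# Demonstration on constructed inputs: what each approach does with them.
for p in 'notes/today.txt' '../etc/passwd' 'a/../../b' 'subdir/..' '/..././'; do
    if validate_relative_path "$p"; then verdict=accepted; else verdict=rejected; fi
    printf '%-16s strip-> %-12s compare-check-> %-7s component-check-> %s\n' \
        "$p" "$(strip_dotdot "$p")" \
        "$(contains_dotdot_slash "$p" && echo reject || echo pass)" "$verdict"
done
```

The point of the component check is to validate the path as given and never rewrite it: "/..././" is a legitimate (if odd) name inside the directory, so it is accepted unchanged, whereas stripping turns it into "/../". None of these string checks sees through symlinks inside the writable directory; if that matters, canonicalize the final target (for example with realpath) and confirm it still starts with BASE_DIR before writing.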
 
  

