Update of setuid cleanup code.
parent
bb84794a27
commit
9097dd8738
|
@ -11,17 +11,24 @@ import os, sys, re, pwd, getopt, stat
|
||||||
CONFIG_FILE = '/etc/csc/accounts.cf'
|
CONFIG_FILE = '/etc/csc/accounts.cf'
|
||||||
|
|
||||||
safe_environment = ['LOGNAME', 'USERNAME', 'USER', 'HOME', 'TERM', 'LANG'
|
safe_environment = ['LOGNAME', 'USERNAME', 'USER', 'HOME', 'TERM', 'LANG'
|
||||||
'LC_ALL', 'LC_COLLATE', 'LC_CTYPE', 'LC_MESSAGE', 'LC_MONETARY',
|
'LC_ALL', 'LC_COLLATE', 'LC_CTYPE', 'LC_MESSAGES', 'LC_MONETARY',
|
||||||
'LC_NUMERIC', 'LC_TIME', 'UID', 'GID', 'SSH_CONNECTION', 'SSH_AUTH_SOCK',
|
'LC_NUMERIC', 'LC_TIME', 'UID', 'GID', 'SSH_CONNECTION', 'SSH_AUTH_SOCK',
|
||||||
'SSH_CLIENT']
|
'SSH_CLIENT']
|
||||||
|
|
||||||
for key in os.environ.keys():
|
for key in os.environ.keys():
|
||||||
if not key in safe_environment:
|
if key not in safe_environment:
|
||||||
del os.environ[key]
|
del os.environ[key]
|
||||||
|
|
||||||
os.environ['PATH'] = '/usr/sbin:/sbin:/usr/bin:/bin'
|
os.environ['PATH'] = '/usr/sbin:/sbin:/usr/bin:/bin'
|
||||||
os.umask(0)
|
os.umask(0)
|
||||||
|
|
||||||
|
try:
|
||||||
|
os.setreuid(0, 0)
|
||||||
|
os.setregid(0, 0)
|
||||||
|
except OSError:
|
||||||
|
print "You must be root to use this command."
|
||||||
|
sys.exit(1)
|
||||||
|
|
||||||
for pathent in sys.path[:]:
|
for pathent in sys.path[:]:
|
||||||
if not pathent.find('/usr') == 0:
|
if not pathent.find('/usr') == 0:
|
||||||
sys.path.remove(pathent)
|
sys.path.remove(pathent)
|
||||||
|
|
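Review bot: `os.umask(0)` is left in place directly above the new `os.setreuid(0, 0)` / `os.setregid(0, 0)` block, so once that block succeeds, everything the script creates as full root gets exactly the mode the call site passes, with nothing masked off. Unless every creation path outside this hunk passes an explicit restrictive mode, a tighter default such as `os.umask(022)` is the safer baseline here. The new `except OSError:` also reports a failure of either call as "You must be root" and discards the errno; printing the exception next to that message would make a failing `setregid` diagnosable. The rest of the script lies outside the hunk.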
22
bin/ceo
22
bin/ceo
|
@ -3,20 +3,28 @@
|
||||||
import os, sys
|
import os, sys
|
||||||
|
|
||||||
safe_environment = ['LOGNAME', 'USERNAME', 'USER', 'HOME', 'TERM', 'LANG'
|
safe_environment = ['LOGNAME', 'USERNAME', 'USER', 'HOME', 'TERM', 'LANG'
|
||||||
'LC_ALL', 'LC_COLLATE', 'LC_CTYPE', 'LC_MESSAGE', 'LC_MONETARY',
|
'LC_ALL', 'LC_COLLATE', 'LC_CTYPE', 'LC_MESSAGES', 'LC_MONETARY',
|
||||||
'LC_NUMERIC', 'LC_TIME', 'UID', 'GID', 'SSH_CONNECTION', 'SSH_AUTH_SOCK',
|
'LC_NUMERIC', 'LC_TIME', 'UID', 'GID', 'SSH_CONNECTION', 'SSH_AUTH_SOCK',
|
||||||
'SSH_CLIENT']
|
'SSH_CLIENT']
|
||||||
|
|
||||||
for key in os.environ.keys():
|
for key in os.environ.keys():
|
||||||
if key not in safe_environment:
|
if key not in safe_environment:
|
||||||
del os.environ[key]
|
del os.environ[key]
|
||||||
|
|
||||||
os.environ['PATH'] = '/bin:/usr/bin'
|
os.environ['PATH'] = '/usr/sbin:/usr/bin:/sbin:/bin'
|
||||||
|
|
||||||
for dir in sys.path[:]:
|
for pathent in sys.path[:]:
|
||||||
if not dir.find('/usr') == 0:
|
if not pathent.find('/usr') == 0:
|
||||||
while dir in sys.path:
|
sys.path.remove(pathent)
|
||||||
sys.path.remove(dir)
|
|
||||||
|
euid = os.geteuid()
|
||||||
|
egid = os.getegid()
|
||||||
|
try:
|
||||||
|
os.setreuid(euid, euid)
|
||||||
|
os.setregid(egid, egid)
|
||||||
|
except OSError, e:
|
||||||
|
print str(e)
|
||||||
|
sys.exit(1)
|
||||||
|
|
||||||
import csc.apps.legacy.main
|
import csc.apps.legacy.main
|
||||||
csc.apps.legacy.main.run()
|
csc.apps.legacy.main.run()
|
||||||
|
|
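Review bot: The renamed check `if not pathent.find('/usr') == 0:` is a bare string-prefix test, so it keeps any `sys.path` entry whose text merely begins with `/usr`, not only directories under `/usr/`. This loop decides where `import csc.apps.legacy.main` may be loaded from in a privileged process, so anchoring on the path separator is both stricter and easier to read: `if not pathent.startswith('/usr/'):`. The same line appears in the bin/ceoquery hunk and in the first file's hunk. Whether `/usr/local` entries should be trusted as well depends on that directory's ownership and permissions on the host, which this page does not show.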
20
bin/ceoquery
20
bin/ceoquery
|
@ -5,7 +5,7 @@ ceoquery - a script to lookup member and account information
|
||||||
import os, sys
|
import os, sys
|
||||||
|
|
||||||
safe_environment = ['LOGNAME', 'USERNAME', 'USER', 'HOME', 'TERM', 'LANG'
|
safe_environment = ['LOGNAME', 'USERNAME', 'USER', 'HOME', 'TERM', 'LANG'
|
||||||
'LC_ALL', 'LC_COLLATE', 'LC_CTYPE', 'LC_MESSAGE', 'LC_MONETARY',
|
'LC_ALL', 'LC_COLLATE', 'LC_CTYPE', 'LC_MESSAGES', 'LC_MONETARY',
|
||||||
'LC_NUMERIC', 'LC_TIME', 'UID', 'GID', 'SSH_CONNECTION', 'SSH_AUTH_SOCK',
|
'LC_NUMERIC', 'LC_TIME', 'UID', 'GID', 'SSH_CONNECTION', 'SSH_AUTH_SOCK',
|
||||||
'SSH_CLIENT']
|
'SSH_CLIENT']
|
||||||
|
|
||||||
|
@ -13,12 +13,20 @@ for key in os.environ.keys():
|
||||||
if key not in safe_environment:
|
if key not in safe_environment:
|
||||||
del os.environ[key]
|
del os.environ[key]
|
||||||
|
|
||||||
os.environ['PATH'] = '/bin:/usr/bin'
|
os.environ['PATH'] = '/usr/sbin:/usr/bin:/sbin:/bin'
|
||||||
|
|
||||||
for dir in sys.path[:]:
|
for pathent in sys.path[:]:
|
||||||
if not dir.find('/usr') == 0:
|
if not pathent.find('/usr') == 0:
|
||||||
while dir in sys.path:
|
sys.path.remove(pathent)
|
||||||
sys.path.remove(dir)
|
|
||||||
|
euid = os.geteuid()
|
||||||
|
egid = os.getegid()
|
||||||
|
try:
|
||||||
|
os.setreuid(euid, euid)
|
||||||
|
os.setregid(egid, egid)
|
||||||
|
except OSError, e:
|
||||||
|
print str(e)
|
||||||
|
sys.exit(1)
|
||||||
|
|
||||||
from csc.adm import members, terms
|
from csc.adm import members, terms
|
||||||
|
|
||||||
|
|
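Review bot: The environment allow-list, PATH and real-uid/gid block added here is now carried in three files, and the copies have already drifted. This commit has to correct the `LC_MESSAGE` typo three times, and PATH is `'/usr/sbin:/usr/bin:/sbin:/bin'` here and in bin/ceo but `'/usr/sbin:/sbin:/usr/bin:/bin'` in the first file. I would keep only the `sys.path` filter inline, since it has to run before any project import, and move the allow-list, PATH and set*id handling into one function in the csc package that both entry points call. Separately, `print str(e)` sends the failure to stdout; for a lookup tool whose output may be read by other programs, `print >>sys.stderr, str(e)` is the better channel.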
|
@ -159,10 +159,10 @@ main(int argc, char **argv)
|
||||||
exit(1);
|
exit(1);
|
||||||
}
|
}
|
||||||
|
|
||||||
if (setregid(egid, egid) < 0)
|
//if (setregid(egid, egid) < 0)
|
||||||
perror("setregid");
|
// perror("setregid");
|
||||||
if (setreuid(euid, euid) < 0)
|
//if (setreuid(euid, euid) < 0)
|
||||||
perror("setreuid");
|
// perror("setreuid");
|
||||||
|
|
||||||
clean_environ();
|
clean_environ();
|
||||||
|
|
||||||
|
|
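Review bot: The `setregid`/`setreuid` calls are commented out rather than removed, and nothing here says where that responsibility went. Judging by the other files in this commit, the Python entry points now set the real ids themselves, so anything started through this wrapper that lacks that block would run with real and effective ids that differ; it is worth confirming that the wrapper only ever starts bin/ceo and bin/ceoquery. I would delete the four lines and leave one comment in their place, e.g. `/* real uid/gid are set by the Python entry points (bin/ceo, bin/ceoquery) */`. The old code only called `perror` and carried on, so if these calls are ever restored they should exit on failure. `main` begins and ends outside this hunk.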