Do not allow setting environment variables if there is a session as
there is no access control for environment variables and allowing
arbitrary data into the environment is unsafe. Do not leak arguments
through unchecked if the size of the buffer for access checking the
whole command line is exceeded. Adjust the maximum number of allowed
arguments so it matches the actual implementation.
Signed-off-by: Erik Karlsson <erik.karlsson@genexis.eu>

Drop the historically inherited "luci-rpc-" prefix and replace it with a
more appropriate "rpcd-plugin-" string.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>

When the initial exec permission check on the executable path fails,
concatenate the command line with spaces and use the resulting string
as lookup path for a second exec permission check.
This allows for exec acls similar to this example:

    "file": {
        "/usr/bin/program --flag --option=1 arg *": [ "exec" ]
    }

The example above would allow executing `/usr/bin/program` with the
arguments `--flag`, `--option=1` and `arg` in exactly this order,
followed by any number of optional arguments as denoted by the
asterisk.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
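
The two-stage exec check described in the commit message above, combined with the fail-closed handling of an over-long command line from the first commit message, as an added example (not code from the rpcd source). The ACL table, the function names, the 4096-byte buffer and the use of fnmatch(3) for pattern matching are assumptions made for illustration.

```c
#include <fnmatch.h>
#include <stdbool.h>
#include <stdio.h>

#define CMD_MAX 4096 /* assumed buffer size for this example */

/* Constructed ACL: patterns granted "exec" in scope "file". */
static const char *exec_acl[] = {
    "/usr/bin/program --flag --option=1 arg *",
    "/sbin/sysupgrade",
};

/* Hypothetical stand-in for the session ACL lookup; glob matching is assumed. */
static bool acl_allows_exec(const char *obj)
{
    for (size_t i = 0; i < sizeof(exec_acl) / sizeof(exec_acl[0]); i++)
        if (fnmatch(exec_acl[i], obj, FNM_NOESCAPE) == 0)
            return true;
    return false;
}

/* Join path and args with single spaces into buf; false if it does not fit. */
static bool join_cmdline(char *buf, size_t len, const char *path, const char *const *args)
{
    int n = snprintf(buf, len, "%s", path);
    if (n < 0 || (size_t)n >= len)
        return false;
    size_t off = (size_t)n;
    for (; args && *args; args++) {
        n = snprintf(buf + off, len - off, " %s", *args);
        if (n < 0 || (size_t)n >= len - off)
            return false;
        off += (size_t)n;
    }
    return true;
}

/* Stage 1: bare executable path. Stage 2: the whole command line. */
static bool exec_permitted(const char *path, const char *const *args)
{
    char buf[CMD_MAX];
    if (acl_allows_exec(path))
        return true;
    /* Fail closed: an over-long command line is denied, never passed unchecked. */
    if (!join_cmdline(buf, sizeof(buf), path, args))
        return false;
    return acl_allows_exec(buf);
}
```

An entry that names only the path, such as "/sbin/sysupgrade" here, passes at the first stage and therefore places no constraint on the arguments.
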
Some sysfs or proc files contain more than 128 bytes of data, e.g. the
/proc/filesystems or /proc/mounts files.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>

Refactor rpc_check_path() and wrap it with a macro to allow passing
different policies and permission names.
This allows using the function for non-read operations and simplifies
the message parsing code there.
Also change the stat and list methods to require "list" instead of
"read" permissions which is useful to allow browsing the filesystem
without allowing read access to all files.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>

Introduce ACL checks to verify that the requested path may be read, written
or executed. This allows restricting ubus file commands to specific paths.
To set up the required ACLs, the following ubus command may be used
on the command line:

    ubus call session grant '{
        "ubus_rpc_session": "d41d8cd98f00b204e9800998ecf8427e",
        "scope": "file",
        "objects": [
            [ "/etc", "read" ],
            [ "/etc/*", "write" ],
            [ "/sbin/sysupgrade", "exec" ]
        ]
    }'

The "read", "list", "stat" and "md5" procedures require "read" permissions,
the "write" procedure requires "write" permission and the "exec" procedure
requires "exec" permissions.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>

This prevents broken pipe errors in executed child processes that
attempt to access stdin.
Suggested-by: Vytautas Virvičius <vy.virvicius@gmail.com>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>

- Store the realloc result in a separate pointer so that we can free
the original on allocation failure
- Use an explicit uint8_t for the argument vector length instead of
"char" which might be signed or unsigned, depending on the arch
- Bail out with an invalid argument error if the argument vector
exceeds 255 items
Signed-off-by: Jo-Philipp Wich <jo@mein.io>

Since the plugin is not linked, but dlopen()'d with RTLD_LOCAL, we cannot
access global rpcd variables but need to access them via the common ops
structure symbol.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>

Solve this compile warning:

    file.c:300:16: error: comparison of unsigned expression < 0 is always false [-Werror,-Wtautological-compare]
    if (data_len < 0)

Signed-off-by: Luka Perkov <luka@openwrt.org>

The ubus calls for file read, list and stat do not use the data parameter, so let's
remove them to avoid confusion.
Signed-off-by: Luka Perkov <luka@openwrt.org>

Function rpc_plugin_register_library() is modifying the struct's contents in
list_add() call. That said, the rpc_plugin struct should not be defined as
const. This caused segmentation fault when built on up-to-date Arch Linux.
Signed-off-by: Luka Perkov <luka@openwrt.org>