The special characters '!' and '*' in /etc/shadow are
used to disable password login for a specific account.
The character 'x' has no special meaning, but should not
be interpreted as an empty password.
However, rpcd did treat these special characters like no
password was set, which allows access even though the account
is disabled.
By removing the additional checks for these characters, the
encrypted password string is passed to crypt, which returns NULL
if the salt has an invalid format and therefore access is denied.
Fixes: FS#2634
Signed-off-by: Fabian Bläse <fabian@blaese.de>
When the initial exec permission check on the executable path fails,
concatenate the command line with spaces and use the resulting string
as lookup path for a second exec permission check.
This allows for exec acls similar to this example:
"file": {
"/usr/bin/program --flag --option=1 arg *": [ "exec" ]
}
The example above would allow executing `/usr/bin/program` with the
arguments `--flag`, `--option=1` and `arg` in exactly this order,
followed by any number of optional arguments as denoted by the
asterisk.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
When parsing the JSON output of exec plugins, store integer values exceeding
32bit value limits as 64bit integer blob values.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Prevent a theoretical leak of the args memory when the executable path
cannot be found.
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
[fix whitespace, commit description]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
A previous commit changed the allocation method for the call context to
include the method name string memory directly, so we must not treat the
method member separately anymore.
Fixes: 37aa919 ("plugin: fix leaking invoked method name for exec plugins")
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
In some cases, e.g. when subsequently setting multiple empty option
values, uci_set() might free the section pointer of the given reused
uci_ptr structure without zeroing it, leading to a use-after-free on
processing subsequent options.
Avoid this issue by clearing the lookup pointer flags in order to
prevent uci_set() from incorrectly branching into a uci_delete()
operation leading to the freeing of the section member.
Ref: http://lists.infradead.org/pipermail/openwrt-devel/2019-October/019592.html
Reported-by: Daniel Danzberger <daniel@dd-wrt.com>
Suggested-by: Yousong Zhou <yszhou4tech@gmail.com>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
The invoked method name was separately duplicated from the call_context
structure. The structure itself is eventually freed by rpc_exec_reply()
but the method string it points to is lost after that.
Use calloc_a() instead to allocate the string copy buffer together with
the context structure, to ensure that all involved memory is freed.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Some sysfs or proc files contain more than 128 byte of data, e.g. the
/proc/filesystems or /proc/mounts files.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Refactor rpc_check_path() and wrap it with a macro to allow passing
different policies and permission names.
This allows using the function for non-read operations and simplifies
the message parsing code there.
Also change the stat and list methods to require "list" instead of
"read" permissions which is useful to allow browing the filesystem
without allowing read access to all files.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Move the timespec declaration to the function header, as mentioned in
commit "rpcd: Switch to nanosleep".
Fixes: 604db20 ("rpcd: Switch to nanosleep")
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
usleep has been deprecated by POSIX.1-2001 and removed in POSIX.1-2008.
Fixes compilation when libc does not include usleep (optional with
uClibc-ng).
nanosleep also has the advantage of being more accurate.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
[move timespec definition to the top of the function]
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Introduce ACL checks to verify that the requested path may be read, written
or executed. This allows to restrict ubus file commands to specific paths.
To setup the required ACLs, the following ubus command may be used
on the command line:
ubus call session grant '{
"ubus_rpc_session": "d41d8cd98f00b204e9800998ecf8427e",
"scope": "file",
"objects": [
[ "/etc", "read" ],
[ "/etc/*", "write" ],
[ "/sbin/sysupgrade", "exec" ]
]
}'
The "read", "list", "stat" and "md5" procedures require "read" permissions,
the "write" procedure requires "write" permission and the "exec" procedure
requires "exec" permissions.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
The crypt() function may return NULL with errno ENOSYS when an attempt
was made to crypt the plaintext password using a salt requesting an
unsupported cipher.
Avoid triggering segmentation faults in the subsequent strcmp() operation
by checking for a non-NULL hash value.
Fixes: FS#2291
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
This prevents broken pipe errors in executed child processes that
attempt to access stdin.
Suggested-by: Vytautas Virvičius <vy.virvicius@gmail.com>
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
- Store the realloc result in a separate pointer so that we can free
the original on allocation failure
- Use an explicit uint8_t for the argument vector length instead of
"char" which might be signed or unsigned, depending on the arch
- Bail out with an invalid argument error if the argument vector
exceeds 255 items
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Since the plugin is not linked, but dlopen()'d with RTLD_LOCAL, we cannot
access global rpcd variables but need to access them via the common ops
structure symbol.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
This is required for plugins that need access to the configured execution
timeout. The global variable cannot be used as-is since we dlopen() with
RTLD_LOCAL.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Increase the maximum possible execution time to 120 seconds and add a new
command line flag `-t` which allows overwriting the default value.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
- Return UBUS_STATUS_NOT_FOUND if no object could be resolved for delete
- Return UBUS_STATUS_INVALID_ARGUMENT for invalid section names or types
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
- Return UBUS_STATUS_NOT_FOUND if no section could be resolved for set
- Return UBUS_STATUS_INVALID_ARGUMENT if unserializable values are found
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
- Return UBUS_STATUS_INVALID_ARGUMENT for invalid section or option names
- Return UBUS_STATUS_NOT_FOUND if a section name could not be resolved
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
The invoked libuci functions do not reliably check their arguments, causing
malformed section and option names to end up in the delta file, letting the
uci cli and other components to segfault when processung such invalid
entries.
In order to prevent that, manually test received values before passing them
on to libuci.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
The rpc_uci_replace_savedir() function did not take into account that libuci
uci_set_savedir() does an additional implicit uci_strdup() of the directory
path string when appending a new delta directory item.
Due to this oversight, only the struct uci_element items got freed, but not
the duplicated path string, leading to leaking memory when invoking the uci
api with session id argument.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
This prevents timing out ubus call when the child invokes further detached
childs inheriting stdio descriptors.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
When reordering, the section indexes must be 0-based while the current
implementation incorrectly numbers starting with 1.
Fix this by start numbering ther sections with index 0.
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
