author | Arne Babenhauserheide <arne_bab@web.de> | 2021-12-30 02:08:54 +0100 |
committer | Arne Babenhauserheide <arne_bab@web.de> | 2021-12-30 02:28:59 +0100 |
commit | 1b1538c77ffd7ce89709b8cdded0de314f34cbad (patch) | |
tree | 831aedf3bb06a67003c38d5d12dcee261f33b3cb | |
parent | 500fe6e0cb1fe3b239dd0be83cd57c73d8c8c9aa (diff) |
utils/queryauth.sh utils/queryauth-setup.sh: add checkperms helperscheckperm-deferred-authorization
- set up FIFOs for USER and GROUP if they do not exist
- only check for translators if file exists
- create the group if needed
-rw-r--r-- | utils/Makefile | 7 | ||||
-rw-r--r-- | utils/queryauth-setup.sh | 89 | ||||
-rw-r--r-- | utils/queryauth.sh | 83 |
3 files changed, 176 insertions, 3 deletions
diff --git a/utils/Makefile b/utils/Makefile
index 0cefd27b..7e991603 100644
--- a/utils/Makefile
+++ b/utils/Makefile
@@ -20,13 +20,14 @@ makemode := utilities
 targets = shd ps settrans showtrans syncfs fsysopts \
 storeinfo login w uptime ids loginpr sush vmstat portinfo \
- devprobe vminfo addauth rmauth unsu setauth ftpcp ftpdir storecat \
+ devprobe vminfo addauth rmauth queryauth queryauth-setup \
+ unsu setauth ftpcp ftpdir storecat \
 storeread msgport rpctrace mount gcore fakeauth fakeroot remap \
 umount nullauth rpcscan vmallocate
 
-special-targets = loginpr sush uptime fakeroot remap
+special-targets = loginpr sush uptime fakeroot remap queryauth queryauth-setup
 
 SRCS = shd.c ps.c settrans.c syncfs.c showtrans.c addauth.c rmauth.c \
- fsysopts.c storeinfo.c login.c loginpr.sh sush.sh w.c \
+ queryauth.sh queryauth-setup.sh fsysopts.c storeinfo.c login.c loginpr.sh sush.sh w.c \
 uptime.sh psout.c ids.c vmstat.c portinfo.c devprobe.c vminfo.c \
 parse.c frobauth.c frobauth-mod.c setauth.c pids.c nonsugid.c \
 unsu.c ftpcp.c ftpdir.c storeread.c storecat.c msgport.c \
diff --git a/utils/queryauth-setup.sh b/utils/queryauth-setup.sh
new file mode 100644
index 00000000..d796553f
--- /dev/null
+++ b/utils/queryauth-setup.sh
@@ -0,0 +1,89 @@
+#!/bin/bash
+# Setup checkperms translator and authorization query program.
+#
+# Copyright (C) 2002, 2013 Free Software Foundation, Inc.
+#
+# This file is part of the GNU Hurd.
+#
+# The GNU Hurd is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; either version 2, or (at
+# your option) any later version.
+#
+# The GNU Hurd is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+#
+
+USAGE="Usage: $0 [OPTION...] FILE GROUP [PROGRAM]"
+DOC="Setup checkperms translator on FILE for the current user, guarded by GROUP, using the authorization query PROGRAM (queryauth if not given)"
+
+while :; do
+case "$1" in
+--help|"-?")
+echo "$USAGE"
+echo "$DOC"
+echo ""
+echo " -?, --help Give this help list"
+echo " --usage Give a short usage message"
+echo " -V, --version Print program version"
+exit 0;;
+--usage)
+echo "Usage: $0 [-V?] [--help] [--usage] [--version] FILE GROUP [PROGRAM]"
+exit 0;;
+--version|-V)
+echo "STANDARD_HURD_VERSION_queryauth-setup_"; exit 0;;
+--)
+shift
+break;;
+-*)
+echo 1>&2 "$0: unrecognized option \`$1'"
+echo 1>&2 "Try \`$0 --help' or \`$0 --usage' for more information";
+exit 1;;
+*)
+break;;
+esac
+done
+
+if [ $# -lt 1 ]; then
+echo missing FILE
+if [ $# -lt 2 ]; then
+echo missing GROUP
+fi
+echo $USAGE
+exit 1
+fi
+
+USER=$(whoami)
+FILE=$1
+GROUP=$2
+PROGRAM=$3
+if [ -z $PROGRAM ]; then
+PROGRAM=queryauth
+fi
+
+# do not replace an exitsing translator
+if [ -e $FILE ] && showtrans $FILE | grep -q checkperms; then
+echo there is already a passive checkperms translator running on $FILE.
+echo Remove it with
+echo settrans -g $FILE
+echo if you want to replace it. Existing translator:
+echo -n " "
+showtrans $FILE
+exit 1
+fi
+
+# create the controlling group if needed
+groupadd $GROUP 2>/dev/null
+
+# setup the translator
+settrans -cg $FILE /hurd/checkperms --groupname=$GROUP
+
+echo Setting up interactive authorization granting program via "'$PROGRAM $GROUP'"
+
+$PROGRAM $GROUP
diff --git a/utils/queryauth.sh b/utils/queryauth.sh
new file mode 100644
index 00000000..069ab517
--- /dev/null
+++ b/utils/queryauth.sh
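Review bot: The argument check still lets the script run with GROUP empty, because the `$# -lt 2` test sits inside the `$# -lt 1` branch: with exactly one argument nothing is reported and `groupadd` and `settrans -cg $FILE /hurd/checkperms --groupname=` run with an empty group name. Two independent checks fix it, `[ $# -lt 1 ] && echo missing FILE` followed by `[ $# -lt 2 ] && { echo missing GROUP; echo "$USAGE"; exit 1; }`. The expansions of FILE, GROUP and PROGRAM are unquoted everywhere (including `[ -z $PROGRAM ]`), so a path containing whitespace is split into extra arguments for showtrans and settrans; `"$FILE"`, `"$GROUP"`, `"$PROGRAM"` and `[ -z "$PROGRAM" ]` are the intended forms. The exit status of `settrans -cg` is never checked before the query program is started, so `settrans -cg "$FILE" /hurd/checkperms --groupname="$GROUP" || exit 1` would keep queryauth from waiting for a translator that was never installed. `USER=$(whoami)` is assigned but never read in this script and can be dropped.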
@@ -0,0 +1,83 @@
+#!/bin/bash
+# Query whether to grant authorization when a process accesses a file guarded by the checkperms translator.
+#
+# Copyright (C) 2002, 2013 Free Software Foundation, Inc.
+#
+# This file is part of the GNU Hurd.
+#
+# The GNU Hurd is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; either version 2, or (at
+# your option) any later version.
+#
+# The GNU Hurd is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+#
+
+USAGE="Usage: $0 [OPTION...] GROUP"
+DOC="Query whether to grant authorization when a process accesses a file guarded by the checkperms translator for the GROUP."
+
+while :; do
+case "$1" in
+--help|"-?")
+echo "$USAGE"
+echo "$DOC"
+echo ""
+echo " -?, --help Give this help list"
+echo " --usage Give a short usage message"
+echo " -V, --version Print program version"
+exit 0;;
+--usage)
+echo "Usage: $0 [-V?] [--help] [--usage] [--version]"
+exit 0;;
+--version|-V)
+echo "STANDARD_HURD_VERSION_queryauth_"; exit 0;;
+--)
+shift
+break;;
+-*)
+echo 1>&2 "$0: unrecognized option \`$1'"
+echo 1>&2 "Try \`$0 --help' or \`$0 --usage' for more information";
+exit 1;;
+*)
+break;;
+esac
+done
+
+if [ $# -eq 0 ]; then
+echo missing GROUP
+echo $USAGE
+exit 1
+fi
+
+USER=$(whoami)
+GROUP=$1
+
+# create the controlling FIFOs, if needed
+if [ ! -e /run/$USER/request-permission/$GROUP ]; then
+mkdir -p /run/$USER/request-permission 2>/dev/null
+mkfifo /run/$USER/request-permission/$GROUP
+fi
+if [ ! -e /run/$USER/grant-permission/$GROUP ]; then
+mkdir -p /run/$USER/grant-permission 2>/dev/null
+mkfifo /run/$USER/grant-permission/$GROUP
+fi
+
+while true; do
+PID="$(cat /run/$USER/request-permission/$GROUP)"
+echo Process "'"$PID"'" tries to access file guarded by the checkperms translator, but is not in the required group "'"$GROUP"'".
+ps-hurd -p $PID -aeux
+if [[ "$(read -e -p 'Grant permission and add group "'$GROUP'" for 5 minutes? [y/N]> '; echo $REPLY)" == [Yy]* ]]; then
+addauth -p $PID -g $GROUP
+echo 0 > /run/$USER/grant-permission/$GROUP
+(sleep 300 && rmauth -p $PID -g $GROUP 2>/dev/null) &
+else
+echo 1 > /run/$USER/grant-permission/$GROUP
+fi
+done
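Review bot: The PID read from the request FIFO is passed unvalidated and unquoted to `ps-hurd -p $PID -aeux` and `addauth -p $PID -g $GROUP`, so whatever text was written into the FIFO is word-split into additional arguments of those commands; check it before use, e.g. `[[ "$PID" =~ ^[0-9]+$ ]] || { echo 1 > /run/$USER/grant-permission/$GROUP; continue; }` right after the `cat`. The FIFOs and their directories are created with the default umask (`mkdir -p` and `mkfifo` without `-m`), so on a multi-user system other accounts may be able to write requests or read the grant answer; `mkdir -m 700 -p` and `mkfifo -m 600` are the narrowest modes that still work if the checkperms translator runs with this user's uid, which the hunk does not show. Failures of `mkdir`/`mkfifo` are not checked either: if the FIFO does not exist, `cat` fails immediately and the loop keeps prompting with an empty PID, so each `mkfifo …` should be followed by `|| exit 1`. The deferred revocation in `(sleep 300 && rmauth -p $PID -g $GROUP 2>/dev/null) &` keys on the PID rather than the process, so if that process exits and the PID is reused within 300 s the rmauth may be aimed at an unrelated process; a comment stating this assumption at that line would help the next reader.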