Startsida Utforska Hjälp
Logga in
RISCI_ATOM
/
sqm-scripts
spegling av https://github.com/tohojo/sqm-scripts.git
1
0
Fork 0
Filer Ärenden 0 Wiki
Bläddra i källkod

Add some safety checks on the state directory

This will hopefully mitigate any safety issues from executing files stored
in there. See discussion in #95.

Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
Toke Høiland-Jørgensen 4 år sedan
förälder
ac86f3d920
incheckning
39fadfafdd
4 ändrade filer med 31 tillägg och 3 borttagningar
Delad Vy Visa Diff Statistik
  1. 26 0
      src/functions.sh
  2. 1 0
      src/run-openwrt.sh
  3. 2 2
      src/start-sqm
  4. 2 1
      src/stop-sqm

+ 26 - 0
src/functions.sh
Visa fil 

@@ -214,6 +214,32 @@ write_state_file() {
 
     done > $filename
 
 }
 
 
+check_state_dir() {
 
+    local PERM
 
+    local OWNER
 
+
 
+    if [ -z "${SQM_STATE_DIR}" ]; then
 
+        sqm_error '$SQM_STATE_DIR is unset - check your config!'
 
+        exit 1
 
+    fi
 
+    [ -d "${SQM_STATE_DIR}" ] || ( umask 077; mkdir -p "$SQM_STATE_DIR" ) || exit 1
 
+
 
+    if [ ! -w "${SQM_STATE_DIR}" ] || [ ! -x "${SQM_STATE_DIR}" ]; then
 
+        sqm_error "Cannot write to state dir '$SQM_STATE_DIR'"
 
+        exit 1
 
+    fi
 
+    PERM="0$(stat -L -c '%a' "${SQM_STATE_DIR}")"
 
+    if [ "$((PERM & 0002))" -ne 0 ]; then
 
+        sqm_error "State dir '$SQM_STATE_DIR' is world writable; this is unsafe, please fix"
 
+        exit 1
 
+    fi
 
+    OWNER="$(stat -L -c '%u' "${SQM_STATE_DIR}")"
 
+    if [ "$OWNER" -ne "$(id -u)" ]; then
 
+        sqm_error "State dir '$SQM_STATE_DIR' is owned by a different user; this is unsafe, please fix"
 
+        exit 1
 
+    fi
 
+}
 
+
 
 
 # find the ifb device associated with a specific interface, return nothing of no
 
 # ifb is associated with IF

+ 1 - 0
src/run-openwrt.sh
Visa fil 

@@ -14,6 +14,7 @@
 
 ACTION="${1:-start}"
 
 RUN_IFACE="$2"
 
 
+check_state_dir
 
 [ -d "${SQM_QDISC_STATE_DIR}" ] || ${SQM_LIB_DIR}/update-available-qdiscs
 
 
 stop_statefile() {

+ 2 - 2
src/start-sqm
Visa fil 

@@ -14,14 +14,14 @@
 
 . ${SQM_LIB_DIR}/defaults.sh
 
 STATE_FILE="${SQM_STATE_DIR}/${IFACE}.state"
 
 
+check_state_dir
 
+
 
 if [ -z "${SCRIPT}" ] ; then
 
     sqm_error "SCRIPT value is not defined in /etc/sqm/${IFACE}.iface.conf"
 
     sqm_error "Please check your configuration and try again."
 
     exit 1
 
 fi
 
 
-[ -d "${SQM_STATE_DIR}" ] || mkdir -p "${SQM_STATE_DIR}"
 
-
 
 if [ -f "${STATE_FILE}" ]; then
 
     sqm_error "SQM already activated on ${IFACE}."
 
     exit 1

+ 2 - 1
src/stop-sqm
Visa fil 

@@ -14,8 +14,9 @@
 
 . ${SQM_LIB_DIR}/functions.sh
 
 . ${SQM_LIB_DIR}/defaults.sh
 
 
+check_state_dir
 
 if [ ! -f "${SQM_STATE_DIR}/${IFACE}.state" ] ; then
 
-    sqm_error "State file does not exists; SQM was not running on interface ${IFACE}"
 
+    sqm_error "State file does not exist; SQM was not running on interface ${IFACE}"
 
     exit 1
 
 fi
 
 STATE_FILE="${SQM_STATE_DIR}/${IFACE}.state"