Skip to content

Use final matching rule when determining if a command is permitted #1

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Use final matching rule when determining if a command is permitted #1

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
112 changes: 37 additions & 75 deletions src/lib.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -159,14 +159,14 @@ pub mod command {
pub mod config {
use std::collections::HashMap;

#[derive(Clone, Debug)]
#[derive(Clone, Debug, PartialEq, Eq)]
pub enum RuleAction {
Permit,
Deny,
PermitWithPassword,
PermitWithoutPassword,
}
#[derive(Clone, Debug)]
pub struct RuleOpts {
pub nopass: bool,
pub nolog: bool,
pub persist: bool,
pub keepenv: bool,
Expand All @@ -188,70 +188,45 @@ pub mod config {
pub args: Option<Vec<String>>,
}

#[derive(Clone, Debug)]
pub struct Rules {
pub allowed: Vec<Rule>,
pub denied: Vec<Rule>,
}

impl Rules {
pub fn r#match<'a>(&self,
impl Rule {
pub fn matches(&self,
user: &str,
groups: &'a [impl AsRef<str>],
groups: &[impl AsRef<str>],
cmd: &str,
args: &'a [impl AsRef<str>],
args: &[impl AsRef<str>],
target: &str,
) -> Option<RuleOpts> {
let match_rules = |rules: &[Rule]| -> Option<RuleOpts> {
let mut matched: Option<&Rule> = None;
for rule in rules {
match &rule.identity {
RuleIdentity::User(rule_user) => if rule_user != user {
continue;
},
RuleIdentity::Group(group) => if !groups.iter().any(|x| x.as_ref() == group) {
continue;
},
}
if let Some(rule_cmd) = &rule.command {
if rule_cmd != cmd {
continue;
}
}
if let Some(rule_args) = &rule.args {
if rule_args.iter().zip(args).all(|(x, y)| x == y.as_ref()) {
continue;
}
}
if let Some(rule_target) = &rule.target {
if rule_target != target {
continue;
}
}
matched = Some(rule);
) -> bool {
match &self.identity {
RuleIdentity::User(rule_user) => if rule_user != user {
return false;
},
RuleIdentity::Group(group) => if !groups.iter().any(|x| x.as_ref() == group) {
return false;
},
}
if let Some(rule_cmd) = &self.command {
if rule_cmd != cmd {
return false;
}
match matched {
Some(rule) => Some(rule.options.clone()),
None => None,
}
if let Some(rule_args) = &self.args {
if rule_args.iter().zip(args).all(|(x, y)| x == y.as_ref()) {
return false;
}
}
if let Some(rule_target) = &self.target {
if rule_target != target {
return false;
}
};
let matched = match_rules(&self.allowed);
if matched.is_some() && match_rules(&self.denied).is_none() {
matched
} else {
None
}
true
}
}

impl TryFrom<&str> for Rules {
type Error = String;

fn try_from(config: &str) -> Result<Self, Self::Error> {
pub fn parse_into_rules(config: &str) -> Result<Vec<Rule>, String> {
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

parse_into_rules() is now incorrectly indented, but if I change the whitespace the diff becomes really hard to read >_<

const DEFAULT_RULE: Rule = Rule {
action: RuleAction::Deny,
options: RuleOpts {
nopass: false,
nolog: false,
persist: false,
keepenv: false,
Expand All @@ -263,10 +238,7 @@ pub mod config {
args: None,
};

let mut rules = Rules {
allowed: Vec::new(),
denied: Vec::new(),
};
let mut rules = Vec::new();

enum Expect {
Permission,
Expand All @@ -278,13 +250,6 @@ pub mod config {
let mut state = Expect::Permission;
let mut new_rule = false;
let mut rule: Rule = DEFAULT_RULE.clone();
let mut push_rule = |rule: &mut Rule| {
let value = std::mem::replace(rule, DEFAULT_RULE.clone());
match value.action {
RuleAction::Permit => rules.allowed.push(value),
RuleAction::Deny => rules.denied.push(value),
};
};
while let Some((token, pure)) = tokens.next() {
if new_rule {
rule = DEFAULT_RULE.clone();
Expand All @@ -295,7 +260,7 @@ pub mod config {
Expect::Permission => {
if pure {
if token == "permit" {
rule.action = RuleAction::Permit;
rule.action = RuleAction::PermitWithPassword;
} else if token == "deny" {
rule.action = RuleAction::Deny;
} else {
Expand All @@ -308,7 +273,10 @@ pub mod config {
},
Expect::OptionOrIdentity => {
match (&*token, pure) {
("nopass", true) => rule.options.nopass = true,
("nopass", true) => match rule.action {
RuleAction::Deny => return Err("The nopass option cannot be used with the deny action".to_string()),
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What does doas do in this case?

_ => rule.action = RuleAction::PermitWithoutPassword,
},
("nolog", true) => rule.options.nolog = true,
("persist", true) => rule.options.persist = true,
("keepenv", true) => rule.options.keepenv = true,
Expand Down Expand Up @@ -352,16 +320,11 @@ pub mod config {
},
}
if tokens.line_ended {
push_rule(&mut rule);
rules.push(std::mem::replace(&mut rule, DEFAULT_RULE.clone()));
new_rule = true;
}
}

if !new_rule {
// Push the leftover rule (happens when config doesn't end with a NL)
push_rule(&mut rule);
}

return Ok(rules);

fn parse_env<'a>(tokens: &mut Tokenizer<'a>) -> Result<HashMap<String, String>, String> {
Expand Down Expand Up @@ -470,5 +433,4 @@ pub mod config {
}
}
}
}
}
44 changes: 26 additions & 18 deletions src/main.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -57,8 +57,9 @@ fn execute(opts: Execute) {
config_file = file;
},
}
let config = std::fs::read_to_string(config_file).expect("Failed to read config");
let rules = match Rules::try_from(&*config) {
// Make sure the config file ends with a newline.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why?

let config = std::fs::read_to_string(config_file).expect("Failed to read config") + "\n";
let rules = match config::parse_into_rules(&config) {
Ok(x) => x,
Err(_) => print_error_and_exit("Error parsing config", 1),
};
Expand All @@ -79,32 +80,39 @@ fn execute(opts: Execute) {
Some(x) => x,
None => passwd_target.shell.clone(),
};
let matched = rules.r#match(user, &groups, &*cmd, &opts.args, &opts.user);
let matching_rule = rules.into_iter().rev().find(|rule|
rule.matches(user, &groups, &cmd, &opts.args, &opts.user)
);
let action = match matching_rule {
None => RuleAction::Deny,
Some(ref rule) => rule.action.clone(),
};

if only_check {
match matched {
None => println!("deny"),
Some(rule_opts) => {
println!("permit{}", if rule_opts.nopass {" nopass"} else {""});
},
match action {
RuleAction::Deny => println!("deny"),
RuleAction::PermitWithPassword => println!("permit"),
RuleAction::PermitWithoutPassword => println!("permit nopass"),
}
return;
}

if action == RuleAction::Deny {
let cmdline = get_cmdline(&cmd, &opts.args);
let msg = format!("command not permitted for {}: {}", &user, &cmdline);
syslog(libc::LOG_AUTHPRIV | libc::LOG_NOTICE, &msg);
print_error_and_exit("Not permitted", 1);
}

let rule_opts = match matched {
None => {
let cmdline = get_cmdline(&cmd, &opts.args);
let msg = format!("command not permitted for {}: {}", &user, &cmdline);
syslog(libc::LOG_AUTHPRIV | libc::LOG_NOTICE, &msg);
print_error_and_exit("Not permitted", 1);
},
Some(match_opts) => match_opts,
};
if !rule_opts.nopass {
if action == RuleAction::PermitWithPassword {
if !challenge_user(&passwd) {
eprintln!("Authentication failed");
return;
}
}

let rule_opts = matching_rule.unwrap().options;

if !rule_opts.nolog {
let cmdline = get_cmdline(&cmd, &opts.args);
let cwd = env::current_dir();
Expand Down