glenux/vagrant-lxc-ng
glenux/vagrant-lxc-ng
1
0
Fork 0
Code Issues 4 Pull requests Projects 1 Releases Packages Wiki Activity

Removed unsecure calls to SudoWrapper#su_c.

Browse source
This commit is contained in:
Jef Mathiot 2014-04-17 12:56:56 +02:00
parent 94e175dc07
commit 0eae5c0926
4 changed files with 27 additions and 27 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
lib/vagrant-lxc/command/sudoers.rb
View file

@ -126,8 +126,8 @@ Whitelist.add '/bin/cat', base_path
# - Shared folders # - Shared folders
Whitelist.add '/bin/mkdir', '-p', base_path Whitelist.add '/bin/mkdir', '-p', base_path
# - Container config customizations and pruning # - Container config customizations and pruning
Whitelist.add '/bin/su', 'root', '-c', %r{\\A"sed -e '.*' -ibak \#{base}/.*/config"\\z} Whitelist.add '/bin/cp', '-f', %r{/tmp/.*}, base_path
Whitelist.add '/bin/su', 'root', '-c', %r{\\A"echo '.*' >> \#{base}/.*/config"\\z} Whitelist.add '/bin/chown', 'root:root', base_path
# - Template import # - Template import
Whitelist.add '/bin/cp', boxes_path, templates_path Whitelist.add '/bin/cp', boxes_path, templates_path
Whitelist.add '/bin/cp', gems_path, templates_path Whitelist.add '/bin/cp', gems_path, templates_path
@ -136,7 +136,7 @@ Whitelist.add '/bin/chmod', '+x', templates_path
# - Template removal # - Template removal
Whitelist.add '/bin/rm', templates_path Whitelist.add '/bin/rm', templates_path
# - Packaging # - Packaging
Whitelist.add '/bin/su', 'root', '-c', %r{\\A"cd \#{base}/.* && rm -f rootfs\.tar\.gz && tar --numeric-owner -czf /tmp/.*/rootfs\.tar\.gz -C \#{base}/.*/rootfs '\./\.'"\\z} Whitelist.add '/bin/tar', '--numeric-owner', '-cvzf', %r{/tmp/.*/rootfs.tar.gz}, '-C', base_path, './rootfs'
Whitelist.add '/bin/chown', /\\A\\d+:\\d+\\z/, %r{\\A/tmp/.*/rootfs\.tar\.gz\\z} Whitelist.add '/bin/chown', /\\A\\d+:\\d+\\z/, %r{\\A/tmp/.*/rootfs\.tar\.gz\\z}
## ##

32
lib/vagrant-lxc/driver.rb
View file

@ -121,17 +121,8 @@ module Vagrant
target_path = "#{Dir.mktmpdir}/rootfs.tar.gz" target_path = "#{Dir.mktmpdir}/rootfs.tar.gz"
@logger.info "Compressing '#{rootfs_path}' rootfs to #{target_path}" @logger.info "Compressing '#{rootfs_path}' rootfs to #{target_path}"
# "vagrant package" will copy the existing lxc-template in the new box file @sudo_wrapper.run('tar', '--numeric-owner', '-cvzf', target_path, '-C',
# To keep this function backwards compatible with existing boxes, the path rootfs_path.parent.to_s, "./#{rootfs_path.basename.to_s}")
# included in the tarball needs to have the same amount of path components (2)
# that will be stripped before extraction, hence the './.'
# TODO: This should be reviewed before 1.0
cmds = [
"cd #{base_path}",
"rm -f rootfs.tar.gz",
"tar --numeric-owner -czf #{target_path} -C #{rootfs_path} './.'"
]
@sudo_wrapper.su_c(cmds.join(' && '))
@logger.info "Changing rootfs tarball owner" @logger.info "Changing rootfs tarball owner"
user_details = Etc.getpwnam(Etc.getlogin) user_details = Etc.getpwnam(Etc.getlogin)
@ -149,7 +140,9 @@ module Vagrant
def prune_customizations def prune_customizations
# Use sed to just strip out the block of code which was inserted by Vagrant # Use sed to just strip out the block of code which was inserted by Vagrant
@logger.debug 'Prunning vagrant-lxc customizations' @logger.debug 'Prunning vagrant-lxc customizations'
@sudo_wrapper.su_c("sed -e '/^# VAGRANT-BEGIN/,/^# VAGRANT-END/ d' -ibak #{base_path.join('config')}") contents = config_string
config_string.gsub! /^# VAGRANT-BEGIN(.|\s)*# VAGRANT-END/, ''
write_config(contents)
end end
protected protected
@ -160,10 +153,23 @@ module Vagrant
end end
customizations.unshift '# VAGRANT-BEGIN' customizations.unshift '# VAGRANT-BEGIN'
customizations << '# VAGRANT-END' customizations << '# VAGRANT-END'
contents = config_string
config_file = base_path.join('config').to_s config_file = base_path.join('config').to_s
customizations.each do |line| customizations.each do |line|
@sudo_wrapper.su_c("echo '#{line}' >> #{config_file}") contents << line
contents << "\n"
end
write_config(contents)
end
def write_config(contents)
Tempfile.new('lxc-config').tap do |file|
file.chmod 0644
file.write contents
file.close
@sudo_wrapper.run 'cp', '-f', file.path, base_path.join('config').to_s
@sudo_wrapper.run 'chown', 'root:root', base_path.join('config').to_s
end end
end end

10
lib/vagrant-lxc/sudo_wrapper.rb
View file

@ -15,16 +15,6 @@ module Vagrant
execute *(['sudo'] + command) execute *(['sudo'] + command)
end end
def su_c(command, options={})
su_command = if @wrapper_path && !options[:no_wrapper]
"#{@wrapper_path} su root -c \"\\\"#{command}\\\"\""
else
"su root -c \"#{command}\""
end
@logger.debug "Running 'sudo #{su_command}'"
system "sudo #{su_command}"
end
private private
# TODO: Review code below this line, it was pretty much a copy and # TODO: Review code below this line, it was pretty much a copy and

6
spec/unit/driver_spec.rb
View file

@ -75,11 +75,15 @@ describe Vagrant::LXC::Driver do
let(:customizations) { [['a', '1'], ['b', '2']] } let(:customizations) { [['a', '1'], ['b', '2']] }
let(:internal_customization) { ['internal', 'customization'] } let(:internal_customization) { ['internal', 'customization'] }
let(:cli) { double(Vagrant::LXC::Driver::CLI, start: true) } let(:cli) { double(Vagrant::LXC::Driver::CLI, start: true) }
let(:sudo) { double(Vagrant::LXC::SudoWrapper, su_c: true) } let(:sudo) { double(Vagrant::LXC::SudoWrapper) }
subject { described_class.new('name', sudo, cli) } subject { described_class.new('name', sudo, cli) }
before do before do
sudo.should_receive(:run).with('cat', '/var/lib/lxc/name/config').exactly(3).times.
and_return('# CONFIGURATION')
sudo.should_receive(:run).twice.with('cp', '-f', %r{/tmp/.*}, '/var/lib/lxc/name/config')
sudo.should_receive(:run).twice.with('chown', 'root:root', '/var/lib/lxc/name/config')
subject.customizations << internal_customization subject.customizations << internal_customization
subject.start(customizations) subject.start(customizations)
end end