Moved some stuff around, added the first unit test, with no instructions on how to run it; updated readme for NOOP explanation.

2012-08-06 19:27:55 -04:00
parent cea08e9d74
commit 22aa757238
9 changed files with 54 additions and 15 deletions
--- a/README.md
+++ b/README.md
@@ -46,14 +46,27 @@ Is DISCO noop friendly (report all incoming changes)?
 Yes, DISCO is noop friendly, with a caveat: The way we implement noop is through restricted bash
 shells. This is generally sufficient, and already proven and simple. 

-There are some questions around "is the NOOP really secure then?" Well, yes and no.
+There are some questions around "is the NOOP really secure then?" Well, yes and no. 
+The disco NOOP, like any (bash --restricted) shell, can be broken out of without a whole lot of work.
+Especially considering that the restricted shell runs as root. In this case, the disco NOOP,
+much like a barbed wire fence at a buffalo farm, is not expected to ACTUALLY keep anyone inside -
+it's just a gentle suggestion that you please not run all over the farm breaking things. 

 Unlike puppet's noop, which is implemented via a guaranteed safe DSL, DISCO assumes an
 existing trust network between your disco server and disco client; the goal of DISCO noop is to
-prevent well-meaning trusted sysadmins from doing really stupid things. It does not try
+prevent well-meaning trusted sysadmins from accidentally doing stupid things. It does not try
 to secure your systems from malicious code. That security layer is moved up, onto the maintainer,
 who must verify the sanity of all code they are sending to client machines.

+Specifically: Since DISCO use a unionfs and chroot for the restricted bash shell, I am confiden
+that your physical disk is safe from accidental modifications (everything is captured on the
+scratchpad, with the exception of writes to /proc and /sys, which are read-only and simply discarded).
+The bit that I can't promise is that one of your module maintainers won't find a way to kill a
+running process, or signal/restart a service in a way that DISCO can't trap/log/noop it. 
+This may or may not be a big deal to you, but should be a consideration before you start 
+migrating to DISCO - how much do you trust your module maintainers?
+
+
 How do you establish the trust relationship?
 =====

--- a/client/bin/disco-fs-mount
+++ b/client/bin/disco-fs-mount
@@ -43,7 +43,7 @@ if [ "$NOOP" != "" ]; then
    echo "export PATH=${DISCOROOT}/restricted/bin" >> ${DISCOROOT}/munge/etc/profile

    # Make default wrapper
-    echo -e "#!/bin/bash\necho \"info: Would execute \$0 \$@\"" > ${DISCOROOT}/restricted/bin/_disco_restricted_cmd
+    echo -e "#!/bin/bash\necho \"info: Would execute : \$(basename \$0) \$@\"" > ${DISCOROOT}/restricted/bin/_disco_restricted_cmd
    chmod +x ${DISCOROOT}/restricted/bin/_disco_restricted_cmd

    # Now link everything to the default wrapper
--- a/client/bin/disco-sh-exec
+++ b/client/bin/disco-sh-exec
@@ -8,12 +8,7 @@ if [ $? -ne 0 ]; then
 fi

 # Strip out any shebang and put the script in the root
-mkdir -p ${DISCOROOT}/execs/$(dirname $2)
-cat $1 | sed s/'^#!.*'/''/g > ${DISCOROOT}/execs/$2
-if [ "$NOOP" != "" ]; then
-    chroot ${DISCOROOT}/chroot /bin/bash --restricted $2
-else
-    chroot ${DISCOROOT}/chroot /bin/bash $2
-fi
-./disco-fs-unmount
+mkdir -p ${DISCOROOT}/restricted/$(dirname $2)
+cat $1 | sed s/'^#!.*'/''/g > ${DISCOROOT}/restricted/$2
+$(dirname $0)/disco-sh-shell ${DISCOROOT}/restricted/$2
 exit $?
--- a/client/bin/disco-sh-shell
+++ b/client/bin/disco-sh-shell
@@ -4,12 +4,13 @@ DISCOROOT=/var/disco/testfs

 mount | grep $DISCOROOT >/dev/null 2>&1
 if [ $? -ne 0 ]; then
-    ./disco-fs-mount
+    echo "disco filesystem is not mounted"
+    exit 0
 fi
+
 if [ "$NOOP" != "" ]; then
-    chroot ${DISCOROOT}/chroot /bin/rbash
+    chroot ${DISCOROOT}/chroot /bin/env PATH=${DISCOROOT}/restricted/bin /bin/bash --login --restricted $@
 else
-    chroot ${DISCOROOT}/chroot /bin/bash 
+    chroot ${DISCOROOT}/chroot /bin/bash --login $@
 fi
-./disco-fs-unmount
 exit $?
--- a/client/bin/disco-shutup
+++ b/client/bin/disco-shutup
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+# This is a convenience to the user of restricted shells, so they can redirect stdout to /dev/null
+# Use like [ COMMAND | disco-shutup] ... doesn't do much for stderr, sorry.
+
+cat > /dev/null
--- a/client/etc/disco/client.cfg
+++ b/client/etc/disco/client.cfg
@@ -0,0 +1,8 @@
+DISCOROOT=/var/disco/testfs
+COLOR_CYAN=$(echo -e '\033[0;36;40m'); 
+COLOR_MAGENTA=$(echo -e '\033[0;35;40m');
+COLOR_GREEN=$(echo -e '\033[0;32;40m');
+COLOR_YELLOW=$(echo -e '\033[0;33;40m');
+COLOR_BLUE=$(echo -e '\033[0;34;40m');
+COLOR_RED=$(echo -e '\033[0;31;40m');
+COLOR_NORMAL=$(echo -e '\033[0m');
--- a/client/etc/disco/rerstricted.d/base.bin.d
+++ b/client/etc/disco/rerstricted.d/base.bin.d
--- a/client/etc/disco/rerstricted.d/base.usr.bin.d
+++ b/client/etc/disco/rerstricted.d/base.usr.bin.d
--- a/tests/client/test-restricted-kill.sh
+++ b/tests/client/test-restricted-kill.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+ps ax | grep -i ssh
+echo 'I am going to kill some SSH processes now!'
+killall -9 ssh
+ps ax | grep -i ssh
+if [ $? -eq 0 ]; then
+	echo "Well crap that didnt work"
+	/usr/bin/killall -9 ssh
+	ps ax | grep -i ssh 
+	if [ $? -eq 0 ]; then
+		echo "SAD FACE I CANT KILL STUFF :("
+	else
+		echo "The jokes on you"
+	fi
+fi