diff --git a/README.md b/README.md
index 3b558eb..d399845 100644
--- a/README.md
+++ b/README.md
@@ -46,14 +46,27 @@ Is DISCO noop friendly (report all incoming changes)? Yes, DISCO is noop friendly, with a caveat: The way we implement noop is through restricted bash shells. This is generally sufficient, and already proven and simple. -There are some questions around "is the NOOP really secure then?" Well, yes and no. +There are some questions around "is the NOOP really secure then?" Well, yes and no. +The disco NOOP, like any (bash --restricted) shell, can be broken out of without a whole lot of work. +Especially considering that the restricted shell runs as root. In this case, the disco NOOP, +much like a barbed wire fence at a buffalo farm, is not expected to ACTUALLY keep anyone inside - +it's just a gentle suggestion that you please not run all over the farm breaking things. Unlike puppet's noop, which is implemented via a guaranteed safe DSL, DISCO assumes an existing trust network between your disco server and disco client; the goal of DISCO noop is to -prevent well-meaning trusted sysadmins from doing really stupid things. It does not try +prevent well-meaning trusted sysadmins from accidentally doing stupid things. It does not try to secure your systems from malicious code. That security layer is moved up, onto the maintainer, who must verify the sanity of all code they are sending to client machines. +Specifically: Since DISCO use a unionfs and chroot for the restricted bash shell, I am confiden +that your physical disk is safe from accidental modifications (everything is captured on the +scratchpad, with the exception of writes to /proc and /sys, which are read-only and simply discarded). +The bit that I can't promise is that one of your module maintainers won't find a way to kill a +running process, or signal/restart a service in a way that DISCO can't trap/log/noop it. +This may or may not be a big deal to you, but should be a consideration before you start +migrating to DISCO - how much do you trust your module maintainers? 
+ + How do you establish the trust relationship? =====
diff --git a/client/bin/disco-fs-mount b/client/bin/disco-fs-mount
index ad774a7..f8a3262 100755
--- a/client/bin/disco-fs-mount
+++ b/client/bin/disco-fs-mount
@@ -43,7 +43,7 @@ if [ "$NOOP" != "" ]; then
 echo "export PATH=${DISCOROOT}/restricted/bin" >> ${DISCOROOT}/munge/etc/profile
 # Make default wrapper
- echo -e "#!/bin/bash\necho \"info: Would execute \$0 \$@\"" > ${DISCOROOT}/restricted/bin/_disco_restricted_cmd
+ echo -e "#!/bin/bash\necho \"info: Would execute : \$(basename \$0) \$@\"" > ${DISCOROOT}/restricted/bin/_disco_restricted_cmd
 chmod +x ${DISCOROOT}/restricted/bin/_disco_restricted_cmd
 # Now link everything to the default wrapper
diff --git a/client/bin/disco-sh-exec b/client/bin/disco-sh-exec
index f87aa5a..94a2039 100755
--- a/client/bin/disco-sh-exec
+++ b/client/bin/disco-sh-exec
@@ -8,12 +8,7 @@ if [ $? -ne 0 ]; then
 fi
 # Strip out any shebang and put the script in the root
-mkdir -p ${DISCOROOT}/execs/$(dirname $2)
-cat $1 | sed s/'^#!.*'/''/g > ${DISCOROOT}/execs/$2
-if [ "$NOOP" != "" ]; then
- chroot ${DISCOROOT}/chroot /bin/bash --restricted $2
-else
- chroot ${DISCOROOT}/chroot /bin/bash $2
-fi
-./disco-fs-unmount
+mkdir -p ${DISCOROOT}/restricted/$(dirname $2)
+cat $1 | sed s/'^#!.*'/''/g > ${DISCOROOT}/restricted/$2
+$(dirname $0)/disco-sh-shell ${DISCOROOT}/restricted/$2
 exit $?
diff --git a/client/bin/disco-sh-shell b/client/bin/disco-sh-shell
index 963169d..110089a 100755
--- a/client/bin/disco-sh-shell
+++ b/client/bin/disco-sh-shell
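Review bot: The generated wrapper's `echo "info: Would execute : $(basename $0) $@"` prints the caller's arguments raw, so an argument carrying a newline or a terminal escape sequence can forge or hide `info:` lines in the noop report that the README presents as the record of what would have run. Printing each argument shell-quoted keeps the report one line per command and unambiguous: `printf 'info: Would execute : %q' "$(basename -- "$0")"; printf ' %q' "$@"; echo` as the wrapper body in place of the echo. Because the wrapper is emitted through `echo -e`, every `$` and `"` in that body needs the same backslash escaping the hunk already applies. The enclosing `if [ "$NOOP" != "" ]` block starts and ends outside the hunk.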
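Review bot: `$2` goes unchecked into `mkdir -p ${DISCOROOT}/restricted/$(dirname $2)` and into the redirect on the next line, and the new destination tree is the same `restricted/` that holds `restricted/bin`, the directory disco-fs-mount fills with the `_disco_restricted_cmd` wrapper and exports as PATH for the restricted shell. A module script delivered as `bin/<name>` therefore writes through the symlink onto the wrapper that every restricted command resolves to, and a `$2` containing `..` lands outside `restricted/` altogether; since the README's safety argument rests on the scratchpad plus the restricted PATH, the script path should be validated before anything is written. Quoting the expansions also stops a name with whitespace from splitting the `mkdir` and redirect targets. Whether `${DISCOROOT}/restricted` is reachable from inside the chroot is set up in disco-fs-mount and is not visible here.
```shell
script_src=$1
script_rel=$2
# Refuse paths that would escape ${DISCOROOT}/restricted or land in
# restricted/bin, the PATH disco-fs-mount hands to the restricted shell.
case "$script_rel" in
  ''|/*|..|../*|*/../*|*/..|bin|bin/*)
    echo "error: refusing module script path '$script_rel'" >&2
    exit 1
    ;;
esac
# Strip out any shebang and put the script in the root
mkdir -p "${DISCOROOT}/restricted/$(dirname "$script_rel")"
sed 's/^#!.*//' "$script_src" > "${DISCOROOT}/restricted/$script_rel"
"$(dirname "$0")"/disco-sh-shell "${DISCOROOT}/restricted/$script_rel"
exit $?
```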
@@ -4,12 +4,13 @@ DISCOROOT=/var/disco/testfs
 mount | grep $DISCOROOT >/dev/null 2>&1
 if [ $? -ne 0 ]; then
- ./disco-fs-mount
+ echo "disco filesystem is not mounted"
+ exit 0
 fi
+
 if [ "$NOOP" != "" ]; then
- chroot ${DISCOROOT}/chroot /bin/rbash
+ chroot ${DISCOROOT}/chroot /bin/env PATH=${DISCOROOT}/restricted/bin /bin/bash --login --restricted $@
 else
- chroot ${DISCOROOT}/chroot /bin/bash
+ chroot ${DISCOROOT}/chroot /bin/bash --login $@
 fi
-./disco-fs-unmount
 exit $?
diff --git a/client/bin/disco-shutup b/client/bin/disco-shutup
new file mode 100644
index 0000000..7c47d3a
--- /dev/null
+++ b/client/bin/disco-shutup
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+# This is a convenience to the user of restricted shells, so they can redirect stdout to /dev/null
+# Use like [ COMMAND | disco-shutup] ... doesn't do much for stderr, sorry.
+
+cat > /dev/null
\ No newline at end of file
diff --git a/client/etc/disco/client.cfg b/client/etc/disco/client.cfg
new file mode 100644
index 0000000..ad6542e
--- /dev/null
+++ b/client/etc/disco/client.cfg
@@ -0,0 +1,8 @@
+DISCOROOT=/var/disco/testfs
+COLOR_CYAN=$(echo -e '\033[0;36;40m');
+COLOR_MAGENTA=$(echo -e '\033[0;35;40m');
+COLOR_GREEN=$(echo -e '\033[0;32;40m');
+COLOR_YELLOW=$(echo -e '\033[0;33;40m');
+COLOR_BLUE=$(echo -e '\033[0;34;40m');
+COLOR_RED=$(echo -e '\033[0;31;40m');
+COLOR_NORMAL=$(echo -e '\033[0m');
diff --git a/client/etc/restricted.d/base.bin.d b/client/etc/disco/rerstricted.d/base.bin.d
similarity index 100%
rename from client/etc/restricted.d/base.bin.d
rename to client/etc/disco/rerstricted.d/base.bin.d
diff --git a/client/etc/restricted.d/base.usr.bin.d b/client/etc/disco/rerstricted.d/base.usr.bin.d
similarity index 100%
rename from client/etc/restricted.d/base.usr.bin.d
rename to client/etc/disco/rerstricted.d/base.usr.bin.d
diff --git a/tests/client/test-restricted-kill.sh b/tests/client/test-restricted-kill.sh
new file mode 100644
index 0000000..b898767
--- /dev/null
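Review bot: The new not-mounted branch prints to stdout and then does `exit 0`, so disco-sh-exec, which now calls this script and returns its status through `exit $?`, reports success for a module script that never ran, and the failure text is mixed into the noop output instead of going to stderr; use `echo "disco filesystem is not mounted" >&2` and `exit 1`. Both chroot lines pass `$@` unquoted, which re-splits a script path containing whitespace before bash sees it; `"$@"` hands the argument on exactly as disco-sh-exec built it. The check itself, `mount | grep $DISCOROOT`, is a substring match that any mount line merely containing the string satisfies, so it does not prove the scratch filesystem is actually in place; `mountpoint -q -- "$DISCOROOT"` or an anchored pattern would be stricter (that line is unchanged context).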
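Review bot: Because the noop wrapper installed by disco-fs-mount reports what it would have run on stdout (`info: Would execute …`), any module line written as `COMMAND | disco-shutup` swallows that report too, so the command silently vanishes from the noop log the README relies on; the header comment should say so, e.g. `# NOTE: in NOOP mode this also discards the wrapper's "info: Would execute" line, so piped commands do not appear in the noop report.` Whether `NOOP` is visible inside the chroot, so that this script could forward to stderr when it is set instead, is not shown in this diff, so I would not build on that without checking disco-fs-mount.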
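Review bot: `DISCOROOT=/var/disco/testfs` duplicates the hard-coded assignment disco-sh-shell carries in its own header (visible as the hunk context above), and none of the scripts in this diff source this file, so the two values can drift and a deployment that changes one silently keeps the other; either have the scripts source the cfg or drop the duplicate. The `$(echo -e '\033…')` substitutions depend on an `echo` that honours `-e`; `COLOR_CYAN=$'\033[0;36;40m'` is the plain bash form, needs no subshell, and the trailing `;` on each line does nothing. The sibling renames below move `restricted.d` to `client/etc/disco/rerstricted.d`: the `rerstricted` spelling looks like a typo that is cheaper to fix now than after something references the new path.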
+++ b/tests/client/test-restricted-kill.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+ps ax | grep -i ssh
+echo 'I am going to kill some SSH processes now!'
+killall -9 ssh
+ps ax | grep -i ssh
+if [ $? -eq 0 ]; then
+ echo "Well crap that didnt work"
+ /usr/bin/killall -9 ssh
+ ps ax | grep -i ssh
+ if [ $? -eq 0 ]; then
+ echo "SAD FACE I CANT KILL STUFF :("
+ else
+ echo "The jokes on you"
+ fi
+fi
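Review bot: `ps ax | grep -i ssh` followed by `if [ $? -eq 0 ]` can never take the `else` branch outside noop mode, because the `grep -i ssh` process lists itself in the `ps ax` output, so "The jokes on you" is unreachable and a real kill would still be reported as a failure; the bracket trick `ps ax | grep -i '[s]sh'` (or `pgrep -x ssh`, if it is in the restricted bin set) makes the check honest. Separately, the canary this test uses is `killall -9 ssh` run as root: the README itself says the restricted shell can be broken out of, so when the sandbox fails this test terminates every ssh client on the host instead of merely reporting an escape; a process the test spawns itself (`sleep 300 &` then `killall -9 sleep`) proves the same point harmlessly. `$?` after the pipeline is grep's status rather than ps's, which is what the test intends, so only the pattern needs to change.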