andrew/disco
Archived
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Moved some stuff around, added the first unit test, with no instructions on how to run it; updated readme for NOOP explanation.

Browse Source
This commit is contained in:
Andrew Kesterson
2012-08-06 19:27:55 -04:00
parent cea08e9d74
commit 22aa757238
9 changed files with 54 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
README.md
View File

@@ -47,13 +47,26 @@ Yes, DISCO is noop friendly, with a caveat: The way we implement noop is through
shells. This is generally sufficient, and already proven and simple. shells. This is generally sufficient, and already proven and simple.
There are some questions around "is the NOOP really secure then?" Well, yes and no. There are some questions around "is the NOOP really secure then?" Well, yes and no.
The disco NOOP, like any (bash --restricted) shell, can be broken out of without a whole lot of work.
Especially considering that the restricted shell runs as root. In this case, the disco NOOP,
much like a barbed wire fence at a buffalo farm, is not expected to ACTUALLY keep anyone inside -
it's just a gentle suggestion that you please not run all over the farm breaking things.
Unlike puppet's noop, which is implemented via a guaranteed safe DSL, DISCO assumes an Unlike puppet's noop, which is implemented via a guaranteed safe DSL, DISCO assumes an
existing trust network between your disco server and disco client; the goal of DISCO noop is to existing trust network between your disco server and disco client; the goal of DISCO noop is to
prevent well-meaning trusted sysadmins from doing really stupid things. It does not try prevent well-meaning trusted sysadmins from accidentally doing stupid things. It does not try
to secure your systems from malicious code. That security layer is moved up, onto the maintainer, to secure your systems from malicious code. That security layer is moved up, onto the maintainer,
who must verify the sanity of all code they are sending to client machines. who must verify the sanity of all code they are sending to client machines.
Specifically: Since DISCO use a unionfs and chroot for the restricted bash shell, I am confiden
that your physical disk is safe from accidental modifications (everything is captured on the
scratchpad, with the exception of writes to /proc and /sys, which are read-only and simply discarded).
The bit that I can't promise is that one of your module maintainers won't find a way to kill a
running process, or signal/restart a service in a way that DISCO can't trap/log/noop it.
This may or may not be a big deal to you, but should be a consideration before you start
migrating to DISCO - how much do you trust your module maintainers?
How do you establish the trust relationship? How do you establish the trust relationship?
===== =====

2
client/bin/disco-fs-mount
View File

@@ -43,7 +43,7 @@ if [ "$NOOP" != "" ]; then
echo "export PATH=${DISCOROOT}/restricted/bin" >> ${DISCOROOT}/munge/etc/profile echo "export PATH=${DISCOROOT}/restricted/bin" >> ${DISCOROOT}/munge/etc/profile
# Make default wrapper # Make default wrapper
echo -e "#!/bin/bash\necho \"info: Would execute \$0 \$@\"" > ${DISCOROOT}/restricted/bin/_disco_restricted_cmd echo -e "#!/bin/bash\necho \"info: Would execute : \$(basename \$0) \$@\"" > ${DISCOROOT}/restricted/bin/_disco_restricted_cmd
chmod +x ${DISCOROOT}/restricted/bin/_disco_restricted_cmd chmod +x ${DISCOROOT}/restricted/bin/_disco_restricted_cmd
# Now link everything to the default wrapper # Now link everything to the default wrapper

11
client/bin/disco-sh-exec
View File

@@ -8,12 +8,7 @@ if [ $? -ne 0 ]; then
fi fi
# Strip out any shebang and put the script in the root # Strip out any shebang and put the script in the root
mkdir -p ${DISCOROOT}/execs/$(dirname $2) mkdir -p ${DISCOROOT}/restricted/$(dirname $2)
cat $1 | sed s/'^#!.*'/''/g > ${DISCOROOT}/execs/$2 cat $1 | sed s/'^#!.*'/''/g > ${DISCOROOT}/restricted/$2
if [ "$NOOP" != "" ]; then $(dirname $0)/disco-sh-shell ${DISCOROOT}/restricted/$2
chroot ${DISCOROOT}/chroot /bin/bash --restricted $2
else
chroot ${DISCOROOT}/chroot /bin/bash $2
fi
./disco-fs-unmount
exit $? exit $?

9
client/bin/disco-sh-shell
View File

@@ -4,12 +4,13 @@ DISCOROOT=/var/disco/testfs
mount | grep $DISCOROOT >/dev/null 2>&1 mount | grep $DISCOROOT >/dev/null 2>&1
if [ $? -ne 0 ]; then if [ $? -ne 0 ]; then
./disco-fs-mount echo "disco filesystem is not mounted"
exit 0
fi fi
if [ "$NOOP" != "" ]; then if [ "$NOOP" != "" ]; then
chroot ${DISCOROOT}/chroot /bin/rbash chroot ${DISCOROOT}/chroot /bin/env PATH=${DISCOROOT}/restricted/bin /bin/bash --login --restricted $@
else else
chroot ${DISCOROOT}/chroot /bin/bash chroot ${DISCOROOT}/chroot /bin/bash --login $@
fi fi
./disco-fs-unmount
exit $? exit $?

6
client/bin/disco-shutup Normal file
View File

@@ -0,0 +1,6 @@
#!/bin/bash
# This is a convenience to the user of restricted shells, so they can redirect stdout to /dev/null
# Use like [ COMMAND | disco-shutup] ... doesn't do much for stderr, sorry.
cat > /dev/null

8
client/etc/disco/client.cfg Normal file
View File

@@ -0,0 +1,8 @@
DISCOROOT=/var/disco/testfs
COLOR_CYAN=$(echo -e '\033[0;36;40m');
COLOR_MAGENTA=$(echo -e '\033[0;35;40m');
COLOR_GREEN=$(echo -e '\033[0;32;40m');
COLOR_YELLOW=$(echo -e '\033[0;33;40m');
COLOR_BLUE=$(echo -e '\033[0;34;40m');
COLOR_RED=$(echo -e '\033[0;31;40m');
COLOR_NORMAL=$(echo -e '\033[0m');

0
client/etc/restricted.d/base.bin.d → client/etc/disco/rerstricted.d/base.bin.d
View File

0
client/etc/restricted.d/base.usr.bin.d → client/etc/disco/rerstricted.d/base.usr.bin.d
View File

16
tests/client/test-restricted-kill.sh Normal file
View File

@@ -0,0 +1,16 @@
#!/bin/bash
ps ax | grep -i ssh
echo 'I am going to kill some SSH processes now!'
killall -9 ssh
ps ax | grep -i ssh
if [ $? -eq 0 ]; then
echo "Well crap that didnt work"
/usr/bin/killall -9 ssh
ps ax | grep -i ssh
if [ $? -eq 0 ]; then
echo "SAD FACE I CANT KILL STUFF :("
else
echo "The jokes on you"
fi
fi