add param in ifupdown2.conf to prevent ifupdown2 users from specifying the interfaces config file on the CLI
Ticket: CM-7066 Reviewed By: scotte,roopa,olson Testing Done: Unit testing and regression testing This patch does two things: 1. It moves the interfaces config file name to the ifupdown2.conf file in /etc/network/ifupdown2. This should allow administrators to specify a config file location different from the default and allow subsets of users to use it without giving them the ability to specify their own with the -i option in ifup/ifdown. 2. It also adds a new config setting called "disable_cli_interfacesfile" used to prevent users from specifying their own interfaces file. This defaults to "1" (even if it is not configured). Note: this new default takes away users' ability to specify an interfaces file. This should close the vulnerability where users could specify their own interfaces file and add arbitrary user commands. This leaves the shell=True option in the user commands add-on module since the ifup/ifdown/ifreload/ifquery commands already require root access to run and the interfaces config file also requires root access to modify.
@ -10,6 +10,12 @@ template_engine=mako
|
||||
# default template lookup path during template rendering
|
||||
template_lookuppath=/etc/network/ifupdown2/templates
|
||||
|
||||
# default network configuration filepath
|
||||
default_interfaces_configfile=/etc/network/interfaces
|
||||
# The -i interfacefile option is not allowed by default to
|
||||
# reduce security issues (due to the pre- and post- commands)
|
||||
disable_cli_interfacesfile=1
|
||||
|
||||
# Support /etc/network/if-*/ scripts
|
||||
addon_scripts_support=0
|
||||
|
||||
|
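Review bot: The comment above `disable_cli_interfacesfile=1` does not say which values the setting accepts, and the loader in the ifupdown2 `init()` hunk further down compares the value against the literal string '1', so an administrator who writes `yes` or `true` here would silently re-enable the -i option. Since this key is the control the commit description relies on to close the arbitrary-command issue, the accepted values should be spelled out next to it, e.g. `# Accepted values: 1 (default, -i rejected) or 0 (-i allowed); any other value is not recognised`. The exact handling of unrecognised values is whatever `init()` does, so the comment should be kept in step with that check.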
@ -66,7 +66,7 @@ Man Pages
|
||||
Configuration Files
|
||||
===================
|
||||
|
||||
* /etc/network/interfaces
|
||||
* config file defined in ifupdown2.conf (default /etc/network/interfaces)
|
||||
|
||||
|
||||
ifupdown Built-in Interfaces
|
||||
|
@ -434,6 +434,10 @@ class networkInterfaces():
|
||||
Assumes networkinterfaces parser object is initialized with the
|
||||
parser arguments
|
||||
"""
|
||||
if self.interfacesfile == None:
|
||||
self.logger.warn('no network interfaces file defined in ifupdown2.conf')
|
||||
return
|
||||
|
||||
if self.interfacesfileformat == 'json':
|
||||
return self.read_file_json(self.interfacesfile,
|
||||
self.interfacesfileiobuf)
|
||||
|
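Review bot: The new guard compares with `== None` and uses the deprecated `logger.warn` alias; `if self.interfacesfile is None:` and `self.logger.warning('no network interfaces file defined in ifupdown2.conf')` are the idiomatic forms. The bare `return` also makes the method yield None instead of a parse result when no file is configured, which is presumably fine for the callers but differs from the json branch below that returns `read_file_json(...)`; if callers inspect the result this is worth a one-line docstring note such as `Returns None when no interfaces file is configured.` The enclosing method starts before this hunk and continues after it.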
@ -33,7 +33,8 @@ DESCRIPTION
|
||||
|
||||
**ifquery** always works on the current **interfaces(5)** file
|
||||
**/etc/network/interfaces** unless an alternate interfaces file is
|
||||
provided with the **-i** option.
|
||||
defined in ifupdown2.conf or provided with the **-i** option.
|
||||
Note: the -i option is disabled by default in ifupdown2.conf.
|
||||
|
||||
OPTIONS
|
||||
=======
|
||||
@ -67,7 +68,7 @@ OPTIONS
|
||||
|
||||
-i INTERFACESFILE, --interfaces INTERFACESFILE
|
||||
Use interfaces file instead of default
|
||||
/etc/network/interfaces
|
||||
defined in ifupdown2.conf (default /etc/network/interfaces)
|
||||
|
||||
-t {native,json}, --interfaces-format {native,json}
|
||||
interfaces file format
|
||||
|
@ -18,7 +18,8 @@ SYNOPSIS
|
||||
|
||||
DESCRIPTION
|
||||
===========
|
||||
reloads network **interfaces(5)** file **/etc/network/interfaces**.
|
||||
reloads network **interfaces(5)** file **/etc/network/interfaces**
|
||||
or config file defined in ifupdown2.conf file.
|
||||
|
||||
Runs **ifdown** on interfaces that were removed from the file and
|
||||
subsequently runs **ifup** on all interfaces.
|
||||
|
@ -33,13 +33,13 @@ DESCRIPTION
|
||||
===========
|
||||
**ifup** and **ifdown** commands can be used to configure (or, respectively,
|
||||
deconfigure) network interfaces based on interface definitions in the
|
||||
file **/etc/network/interfaces/** file.
|
||||
config file ifupdown2.conf (defaults to **/etc/network/interfaces/** file).
|
||||
|
||||
**ifquery(8)** maybe used in conjunction with **ifup** and **ifdown**
|
||||
commands to query and validate applied/running configuration.
|
||||
|
||||
**ifup** always works on the current **interfaces(5)** file under
|
||||
**/etc/network/interfaces**. **ifdown** works on the last applied interface
|
||||
**ifup** always works on the current **interfaces(5)** file defined in ifupdown2.conf
|
||||
(default **/etc/network/interfaces**). **ifdown** works on the last applied interface
|
||||
configuration.
|
||||
|
||||
**ifup** on an already ifup'ed interface will re-apply the configuration,
|
||||
@ -88,8 +88,11 @@ OPTIONS
|
||||
to be excluded.
|
||||
|
||||
-i INTERFACESFILE, --interfaces INTERFACESFILE
|
||||
Use interfaces file instead of default
|
||||
/etc/network/interfaces
|
||||
Uses interfaces file instead of default defined in
|
||||
ifupdown2.conf (default /etc/network/interfaces).
|
||||
Also in ifupdown2.conf, users are not allowed to specify their own
|
||||
interfaces file unless disable_cli_interfacesfile is set to 0
|
||||
(default is 1).
|
||||
|
||||
-t {native,json}, --interfaces-format {native,json}
|
||||
interfaces file format
|
||||
|
@ -14,8 +14,9 @@ network interface configuration for ifupdown
|
||||
|
||||
DESCRIPTION
|
||||
===========
|
||||
**/etc/network/interfaces** contains network interface configuration
|
||||
information for the **ifup(8)**, **ifdown(8)** and **ifquery(8)** commands.
|
||||
By default, ifupdown2.conf sets **/etc/network/interfaces** as the
|
||||
network interface configuration file. This file contains information
|
||||
for the **ifup(8)**, **ifdown(8)** and **ifquery(8)** commands.
|
||||
|
||||
This is where you configure how your system is connected to the network.
|
||||
|
||||
@ -145,7 +146,7 @@ EXAMPLES
|
||||
|
||||
FILES
|
||||
=====
|
||||
/etc/network/interfaces
|
||||
configuration file defined in ifupdown2.conf (default /etc/network/interfaces)
|
||||
|
||||
SEE ALSO
|
||||
========
|
||||
|
@ -23,6 +23,7 @@ configfile="/etc/network/ifupdown2/ifupdown2.conf"
|
||||
configmap_g=None
|
||||
logger = None
|
||||
interfacesfileiobuf=None
|
||||
interfacesfilename=None
|
||||
ENVPATH = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
|
||||
|
||||
def run_up(args):
|
||||
@ -44,7 +45,7 @@ def run_up(args):
|
||||
cache=cachearg,
|
||||
addons_enable=not args.noaddons,
|
||||
statemanager_enable=not args.noaddons,
|
||||
interfacesfile=args.interfacesfile,
|
||||
interfacesfile=interfacesfilename,
|
||||
interfacesfileiobuf=interfacesfileiobuf,
|
||||
interfacesfileformat=args.interfacesfileformat)
|
||||
if args.noaddons:
|
||||
@ -75,7 +76,7 @@ def run_down(args):
|
||||
dryrun=args.noact,
|
||||
addons_enable=not args.noaddons,
|
||||
statemanager_enable=not args.noaddons,
|
||||
interfacesfile=args.interfacesfile,
|
||||
interfacesfile=interfacesfilename,
|
||||
interfacesfileiobuf=interfacesfileiobuf,
|
||||
interfacesfileformat=args.interfacesfileformat)
|
||||
|
||||
@ -119,7 +120,7 @@ def run_query(args):
|
||||
withdepends=args.withdepends,
|
||||
perfmode=args.perfmode,
|
||||
cache=cachearg,
|
||||
interfacesfile=args.interfacesfile,
|
||||
interfacesfile=interfacesfilename,
|
||||
interfacesfileiobuf=interfacesfileiobuf,
|
||||
interfacesfileformat=args.interfacesfileformat)
|
||||
|
||||
@ -136,6 +137,7 @@ def run_reload(args):
|
||||
try:
|
||||
logger.debug('creating ifupdown object ..')
|
||||
ifupdown_handle = ifupdownMain(config=configmap_g,
|
||||
interfacesfile=interfacesfilename,
|
||||
withdepends=args.withdepends,
|
||||
perfmode=args.perfmode)
|
||||
ifupdown_handle.reload(['pre-up', 'up', 'post-up'],
|
||||
@ -150,6 +152,7 @@ def run_reload(args):
|
||||
def init(args):
|
||||
global logger
|
||||
global interfacesfileiobuf
|
||||
global interfacesfilename
|
||||
|
||||
log_level = logging.WARNING
|
||||
if args.verbose:
|
||||
@ -182,9 +185,24 @@ def init(args):
|
||||
except:
|
||||
raise
|
||||
|
||||
# If interfaces file is stdin, read
|
||||
if hasattr(args, 'interfacesfile') and args.interfacesfile == '-':
|
||||
interfacesfileiobuf = sys.stdin.read()
|
||||
if hasattr(args, 'interfacesfile') and args.interfacesfile != None:
|
||||
# Check to see if -i option is allowed by config file
|
||||
if configmap_g.get('disable_cli_interfacesfile','1') == '1':
|
||||
logger.error('disable_cli_interfacesfile is set so users '
|
||||
'not allowed to specify interfaces file on cli.')
|
||||
exit(1)
|
||||
if args.interfacesfile == '-':
|
||||
# If interfaces file is stdin, read
|
||||
interfacesfileiobuf = sys.stdin.read()
|
||||
else:
|
||||
interfacesfilename = args.interfacesfile
|
||||
else:
|
||||
# if the ifupdown2 config file does not have it, default to standard
|
||||
interfacesfilename = configmap_g.get('default_interfaces_configfile',
|
||||
'/etc/network/interfaces')
|
||||
|
||||
|
||||
|
||||
|
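Review bot: The gate on `disable_cli_interfacesfile` only rejects -i when the configured value is exactly the string '1', so any other value ('0', 'true', '1 ' with trailing whitespace, an empty value) falls through and accepts the user-supplied interfaces file, which is the opposite of the fail-closed default the commit description intends. A safer test is `if configmap_g.get('disable_cli_interfacesfile', '1').strip() != '0':`, so that only an explicit 0 enables the option; the adjacent `args.interfacesfile != None` should be `is not None`, and `exit(1)` should be `sys.exit(1)` (the builtin `exit` comes from the site module and `sys` is already imported here for `sys.stdin`). The `init()` function begins before this hunk. The run_up/run_down/run_query/run_reload hunks above only switch to the `interfacesfilename` global and need no change beyond this.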
||||
def deinit():
|
||||
{}
|
||||
@ -222,9 +240,9 @@ def update_argparser(argparser):
|
||||
help='Exclude interfaces from the list of interfaces' +
|
||||
' to operate on. Can be specified multiple times.')
|
||||
argparser.add_argument('-i', '--interfaces', dest='interfacesfile',
|
||||
default='/etc/network/interfaces',
|
||||
help='use interfaces file instead of default ' +
|
||||
'/etc/network/interfaces')
|
||||
default=None,
|
||||
help='Specify interfaces file instead of file defined ' +
|
||||
'in ifupdown2.conf file')
|
||||
argparser.add_argument('-t', '--interfaces-format',
|
||||
dest='interfacesfileformat',
|
||||
default='native',
|
||||
|