From 1e6d7bd76cca208764f259a5127ec3add8f9ab66 Mon Sep 17 00:00:00 2001 From: Sam Tannous Date: Thu, 20 Aug 2015 22:59:44 -0400 Subject: [PATCH] add param in ifupdown2.conf to prevent fupdown2 users from specify interface config file on the CLI Ticket: CM-7066 Reviewed By: scotte,roopa,olson Testing Done: Unit testing and regression testing This patch does two things: 1. It moves the interfaces config file name to the ifupdown2.conf file in /etc/network/ifupdown2. This should allow administrators to specify a config file location different from the default and allow subsets of users to use it without giving them access to specifying their own with the -i option in ifup/ifdown. 2. It also adds a new config setting called "disable_cli_interfacesfile" used to prevent users from specifying their own interfaces file. This defaults to "1" (even if it is not configured). Note: this new default takes away users ability to specify an interfaces file. This should close the vulnerability where users could specify their own interfaces file and add arbitrary user commands. This leaves the shell=True option in the user commands add-on module since the ifup/ifdown/ifreload/ifquery commands already require root access to run and the interfaces config file also requires root access to modify. --- config/ifupdown2.conf | 6 ++++++ docs/source/userguide.rst | 2 +- ifupdown/networkinterfaces.py | 4 ++++ man.rst/ifquery.8.rst | 5 +++-- man.rst/ifreload.8.rst | 3 ++- man.rst/ifup.8.rst | 13 ++++++++----- man.rst/interfaces.5.rst | 7 ++++--- sbin/ifupdown | 36 ++++++++++++++++++++++++++--------- 8 files changed, 55 insertions(+), 21 deletions(-) diff --git a/config/ifupdown2.conf b/config/ifupdown2.conf index 82c618e..55bfa55 100644 --- a/config/ifupdown2.conf +++ b/config/ifupdown2.conf @@ -10,6 +10,12 @@ template_engine=mako # default template lookup path during template rendering template_lookuppath=/etc/network/ifupdown2/templates +# default network configuration filepath +default_interfaces_configfile=/etc/network/interfaces +# The -i interfacefile option is not allowed by default to +# reduce security issues (due to the pre- and post- commands) +disable_cli_interfacesfile=1 + # Support /etc/network/if-*/ scripts addon_scripts_support=0 diff --git a/docs/source/userguide.rst b/docs/source/userguide.rst index 3e86206..6202bbc 100644 --- a/docs/source/userguide.rst +++ b/docs/source/userguide.rst @@ -66,7 +66,7 @@ Man Pages Configuration Files =================== -* /etc/network/interfaces +* config file defined in ifupdown2.conf (default /etc/network/interfaces) ifupdown Built-in Interfaces diff --git a/ifupdown/networkinterfaces.py b/ifupdown/networkinterfaces.py index 9fe366e..5ef74be 100644 --- a/ifupdown/networkinterfaces.py +++ b/ifupdown/networkinterfaces.py @@ -434,6 +434,10 @@ class networkInterfaces(): Assumes networkinterfaces parser object is initialized with the parser arguments """ + if self.interfacesfile == None: + self.logger.warn('no network interfaces file defined in ifupdown2.conf') + return + if self.interfacesfileformat == 'json': return self.read_file_json(self.interfacesfile, self.interfacesfileiobuf) diff --git a/man.rst/ifquery.8.rst b/man.rst/ifquery.8.rst index 731bf1c..ed808ca 100644 --- a/man.rst/ifquery.8.rst +++ b/man.rst/ifquery.8.rst @@ -33,7 +33,8 @@ DESCRIPTION **ifquery** always works on the current **interfaces(5)** file **/etc/network/interfaces** unless an alternate interfaces file is - provided with the **-i** option. + defined in ifupdown2.conf or provided with the **-i** option. + Note: the -i option is disabled by default in ifupdown2.conf. OPTIONS ======= @@ -67,7 +68,7 @@ OPTIONS -i INTERFACESFILE, --interfaces INTERFACESFILE Use interfaces file instead of default - /etc/network/interfaces + defined in ifupdown2.conf (default /etc/network/interfaces) -t {native,json}, --interfaces-format {native,json} interfaces file format diff --git a/man.rst/ifreload.8.rst b/man.rst/ifreload.8.rst index 4695e5b..0d46083 100644 --- a/man.rst/ifreload.8.rst +++ b/man.rst/ifreload.8.rst @@ -18,7 +18,8 @@ SYNOPSIS DESCRIPTION =========== - reloads network **interfaces(5)** file **/etc/network/interfaces**. + reloads network **interfaces(5)** file **/etc/network/interfaces** + or config file defined in ifupdown2.conf file. Runs **ifdown** on interfaces that were removed from the file and subsequently runs **ifup** on all interfaces. diff --git a/man.rst/ifup.8.rst b/man.rst/ifup.8.rst index 9fdf51c..7ac4541 100644 --- a/man.rst/ifup.8.rst +++ b/man.rst/ifup.8.rst @@ -33,13 +33,13 @@ DESCRIPTION =========== **ifup** and **ifdown** commands can be used to configure (or, respectively, deconfigure) network interfaces based on interface definitions in the - file **/etc/network/interfaces/** file. + config file ifupdown2.conf (defaults to **/etc/network/interfaces/** file). **ifquery(8)** maybe used in conjunction with **ifup** and **ifdown** commands to query and validate applied/running configuration. - **ifup** always works on the current **interfaces(5)** file under - **/etc/network/interfaces**. **ifdown** works on the last applied interface + **ifup** always works on the current **interfaces(5)** file defined in ifupdown2.conf + (default **/etc/network/interfaces**). **ifdown** works on the last applied interface configuration. **ifup** on an already ifup'ed interface will re-apply the configuration, @@ -88,8 +88,11 @@ OPTIONS to be excluded. -i INTERFACESFILE, --interfaces INTERFACESFILE - Use interfaces file instead of default - /etc/network/interfaces + Uses interfaces file instead of default defined in + ifupdown2.conf (default /etc/network/interfaces). + Also in ifupdown2.conf, users are not allowed to specify their own + interfaces file unless disable_cli_interfacesfile is set to 0 + (default is 1). -t {native,json}, --interfaces-format {native,json} interfaces file format diff --git a/man.rst/interfaces.5.rst b/man.rst/interfaces.5.rst index e77e1c9..cbdafa6 100644 --- a/man.rst/interfaces.5.rst +++ b/man.rst/interfaces.5.rst @@ -14,8 +14,9 @@ network interface configuration for ifupdown DESCRIPTION =========== - **/etc/network/interfaces** contains network interface configuration - information for the **ifup(8)**, **ifdown(8)** and **ifquery(8)** commands. + By default, ifupdown2.conf sets **/etc/network/interfaces** as the + network interface configuration file. This file contains information + for the **ifup(8)**, **ifdown(8)** and **ifquery(8)** commands. This is where you configure how your system is connected to the network. @@ -145,7 +146,7 @@ EXAMPLES FILES ===== - /etc/network/interfaces + configuration file defined in ifupdown2.conf (default /etc/network/interfaces) SEE ALSO ======== diff --git a/sbin/ifupdown b/sbin/ifupdown index d6bdeb2..e7469c4 100755 --- a/sbin/ifupdown +++ b/sbin/ifupdown @@ -23,6 +23,7 @@ configfile="/etc/network/ifupdown2/ifupdown2.conf" configmap_g=None logger = None interfacesfileiobuf=None +interfacesfilename=None ENVPATH = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" def run_up(args): @@ -44,7 +45,7 @@ def run_up(args): cache=cachearg, addons_enable=not args.noaddons, statemanager_enable=not args.noaddons, - interfacesfile=args.interfacesfile, + interfacesfile=interfacesfilename, interfacesfileiobuf=interfacesfileiobuf, interfacesfileformat=args.interfacesfileformat) if args.noaddons: @@ -75,7 +76,7 @@ def run_down(args): dryrun=args.noact, addons_enable=not args.noaddons, statemanager_enable=not args.noaddons, - interfacesfile=args.interfacesfile, + interfacesfile=interfacesfilename, interfacesfileiobuf=interfacesfileiobuf, interfacesfileformat=args.interfacesfileformat) @@ -119,7 +120,7 @@ def run_query(args): withdepends=args.withdepends, perfmode=args.perfmode, cache=cachearg, - interfacesfile=args.interfacesfile, + interfacesfile=interfacesfilename, interfacesfileiobuf=interfacesfileiobuf, interfacesfileformat=args.interfacesfileformat) @@ -136,6 +137,7 @@ def run_reload(args): try: logger.debug('creating ifupdown object ..') ifupdown_handle = ifupdownMain(config=configmap_g, + interfacesfile=interfacesfilename, withdepends=args.withdepends, perfmode=args.perfmode) ifupdown_handle.reload(['pre-up', 'up', 'post-up'], @@ -150,6 +152,7 @@ def run_reload(args): def init(args): global logger global interfacesfileiobuf + global interfacesfilename log_level = logging.WARNING if args.verbose: @@ -182,9 +185,24 @@ def init(args): except: raise - # If interfaces file is stdin, read - if hasattr(args, 'interfacesfile') and args.interfacesfile == '-': - interfacesfileiobuf = sys.stdin.read() + if hasattr(args, 'interfacesfile') and args.interfacesfile != None: + # Check to see if -i option is allowed by config file + if configmap_g.get('disable_cli_interfacesfile','1') == '1': + logger.error('disable_cli_interfacesfile is set so users ' + 'not allowed to specify interfaces file on cli.') + exit(1) + if args.interfacesfile == '-': + # If interfaces file is stdin, read + interfacesfileiobuf = sys.stdin.read() + else: + interfacesfilename = args.interfacesfile + else: + # if the ifupdown2 config file does not have it, default to standard + interfacesfilename = configmap_g.get('default_interfaces_configfile', + '/etc/network/interfaces') + + + def deinit(): {} @@ -222,9 +240,9 @@ def update_argparser(argparser): help='Exclude interfaces from the list of interfaces' + ' to operate on. Can be specified multiple times.') argparser.add_argument('-i', '--interfaces', dest='interfacesfile', - default='/etc/network/interfaces', - help='use interfaces file instead of default ' + - '/etc/network/interfaces') + default=None, + help='Specify interfaces file instead of file defined ' + + 'in ifupdown2.conf file') argparser.add_argument('-t', '--interfaces-format', dest='interfacesfileformat', default='native',