mirror of https://github.com/CumulusNetworks/ifupdown2.git synced 2024-05-06 15:54:50 +00:00

add param in ifupdown2.conf to prevent ifupdown2 users from specifying interface config file on the CLI

Ticket: CM-7066
Reviewed By: scotte,roopa,olson
Testing Done: Unit testing and regression testing

This patch does two things:

1. It moves the interfaces config file name to the ifupdown2.conf file in /etc/network/ifupdown2.
This should allow administrators to specify a config file location different from the default and allow
subsets of users to use it without giving them access to specifying their own with the -i option in ifup/ifdown.

2. It also adds a new config setting called "disable_cli_interfacesfile" used to prevent users
from specifying their own interfaces file. This defaults to "1" (even if it is not configured).

Note: this new default takes away users ability to specify an interfaces file.

This should close the vulnerability where users could specify their own interfaces file
and add arbitrary user commands.

This leaves the shell=True option in the user commands add-on module since the ifup/ifdown/ifreload/ifquery
commands already require root access to run and the interfaces config file also requires root access to modify.
This commit is contained in:
Sam Tannous
2015-08-20 22:59:44 -04:00
parent a2f424643a
commit 1e6d7bd76c
8 changed files with 55 additions and 21 deletions


@ -10,6 +10,12 @@ template_engine=mako
# default template lookup path during template rendering # default template lookup path during template rendering
template_lookuppath=/etc/network/ifupdown2/templates template_lookuppath=/etc/network/ifupdown2/templates
# default network configuration filepath
default_interfaces_configfile=/etc/network/interfaces
# The -i interfacefile option is not allowed by default to
# reduce security issues (due to the pre- and post- commands)
disable_cli_interfacesfile=1
# Support /etc/network/if-*/ scripts # Support /etc/network/if-*/ scripts
addon_scripts_support=0 addon_scripts_support=0
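Review bot: the comment above disable_cli_interfacesfile should state the accepted values, because the check that enforces it in ifupdown2's init() compares the raw string against '1', so `disable_cli_interfacesfile=1` is the only value that actually refuses -i and anything else (yes, true, a stray space) re-enables it. Spell that out here, and mention next to default_interfaces_configfile that the file it points at must be writable by root only, since the pre-/post- commands in it are still run with shell=True as root per the commit message.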


@ -66,7 +66,7 @@ Man Pages
Configuration Files Configuration Files
=================== ===================
* /etc/network/interfaces * config file defined in ifupdown2.conf (default /etc/network/interfaces)
ifupdown Built-in Interfaces ifupdown Built-in Interfaces


@ -434,6 +434,10 @@ class networkInterfaces():
Assumes networkinterfaces parser object is initialized with the Assumes networkinterfaces parser object is initialized with the
parser arguments parser arguments
""" """
if self.interfacesfile == None:
self.logger.warn('no network interfaces file defined in ifupdown2.conf')
return
if self.interfacesfileformat == 'json': if self.interfacesfileformat == 'json':
return self.read_file_json(self.interfacesfile, return self.read_file_json(self.interfacesfile,
self.interfacesfileiobuf) self.interfacesfileiobuf)
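Review bot: the early return on `self.interfacesfile == None` breaks reading from stdin: in the init() hunk below, `-i -` fills interfacesfileiobuf but never sets interfacesfilename, so this method now warns 'no network interfaces file defined in ifupdown2.conf' and returns before read_file_json (or the native reader) can consume self.interfacesfileiobuf. Guard on both, e.g. `if self.interfacesfile is None and self.interfacesfileiobuf is None:`, and use `is None` rather than `== None`.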


@ -33,7 +33,8 @@ DESCRIPTION
**ifquery** always works on the current **interfaces(5)** file **ifquery** always works on the current **interfaces(5)** file
**/etc/network/interfaces** unless an alternate interfaces file is **/etc/network/interfaces** unless an alternate interfaces file is
provided with the **-i** option. defined in ifupdown2.conf or provided with the **-i** option.
Note: the -i option is disabled by default in ifupdown2.conf.
OPTIONS OPTIONS
======= =======
@ -67,7 +68,7 @@ OPTIONS
-i INTERFACESFILE, --interfaces INTERFACESFILE -i INTERFACESFILE, --interfaces INTERFACESFILE
Use interfaces file instead of default Use interfaces file instead of default
/etc/network/interfaces defined in ifupdown2.conf (default /etc/network/interfaces)
-t {native,json}, --interfaces-format {native,json} -t {native,json}, --interfaces-format {native,json}
interfaces file format interfaces file format
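Review bot: the -i description here, unlike the ifup.8 change in this same patch, does not say that the option is refused unless disable_cli_interfacesfile is set to 0 in ifupdown2.conf; the DESCRIPTION note only says "disabled by default". Add the same sentence as ifup.8 so a user who hits the "not allowed to specify interfaces file on cli" error can find the setting that controls it.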


@ -18,7 +18,8 @@ SYNOPSIS
DESCRIPTION DESCRIPTION
=========== ===========
reloads network **interfaces(5)** file **/etc/network/interfaces**. reloads network **interfaces(5)** file **/etc/network/interfaces**
or config file defined in ifupdown2.conf file.
Runs **ifdown** on interfaces that were removed from the file and Runs **ifdown** on interfaces that were removed from the file and
subsequently runs **ifup** on all interfaces. subsequently runs **ifup** on all interfaces.


@ -33,13 +33,13 @@ DESCRIPTION
=========== ===========
**ifup** and **ifdown** commands can be used to configure (or, respectively, **ifup** and **ifdown** commands can be used to configure (or, respectively,
deconfigure) network interfaces based on interface definitions in the deconfigure) network interfaces based on interface definitions in the
file **/etc/network/interfaces/** file. config file ifupdown2.conf (defaults to **/etc/network/interfaces/** file).
**ifquery(8)** maybe used in conjunction with **ifup** and **ifdown** **ifquery(8)** maybe used in conjunction with **ifup** and **ifdown**
commands to query and validate applied/running configuration. commands to query and validate applied/running configuration.
**ifup** always works on the current **interfaces(5)** file under **ifup** always works on the current **interfaces(5)** file defined in ifupdown2.conf
**/etc/network/interfaces**. **ifdown** works on the last applied interface (default **/etc/network/interfaces**). **ifdown** works on the last applied interface
configuration. configuration.
**ifup** on an already ifup'ed interface will re-apply the configuration, **ifup** on an already ifup'ed interface will re-apply the configuration,
@ -88,8 +88,11 @@ OPTIONS
to be excluded. to be excluded.
-i INTERFACESFILE, --interfaces INTERFACESFILE -i INTERFACESFILE, --interfaces INTERFACESFILE
Use interfaces file instead of default Uses interfaces file instead of default defined in
/etc/network/interfaces ifupdown2.conf (default /etc/network/interfaces).
Also in ifupdown2.conf, users are not allowed to specify their own
interfaces file unless disable_cli_interfacesfile is set to 0
(default is 1).
-t {native,json}, --interfaces-format {native,json} -t {native,json}, --interfaces-format {native,json}
interfaces file format interfaces file format
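Review bot: the rewritten DESCRIPTION line still gives the default as **/etc/network/interfaces/** with a trailing slash, which reads as a directory; every other file in this patch writes /etc/network/interfaces. Since the hunk touches that paragraph, also fix "maybe used" to "may be used" in the adjacent context line.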


@ -14,8 +14,9 @@ network interface configuration for ifupdown
DESCRIPTION DESCRIPTION
=========== ===========
**/etc/network/interfaces** contains network interface configuration By default, ifupdown2.conf sets **/etc/network/interfaces** as the
information for the **ifup(8)**, **ifdown(8)** and **ifquery(8)** commands. network interface configuration file. This file contains information
for the **ifup(8)**, **ifdown(8)** and **ifquery(8)** commands.
This is where you configure how your system is connected to the network. This is where you configure how your system is connected to the network.
@ -145,7 +146,7 @@ EXAMPLES
FILES FILES
===== =====
/etc/network/interfaces configuration file defined in ifupdown2.conf (default /etc/network/interfaces)
SEE ALSO SEE ALSO
======== ========


@ -23,6 +23,7 @@ configfile="/etc/network/ifupdown2/ifupdown2.conf"
configmap_g=None configmap_g=None
logger = None logger = None
interfacesfileiobuf=None interfacesfileiobuf=None
interfacesfilename=None
ENVPATH = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" ENVPATH = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
def run_up(args): def run_up(args):
@ -44,7 +45,7 @@ def run_up(args):
cache=cachearg, cache=cachearg,
addons_enable=not args.noaddons, addons_enable=not args.noaddons,
statemanager_enable=not args.noaddons, statemanager_enable=not args.noaddons,
interfacesfile=args.interfacesfile, interfacesfile=interfacesfilename,
interfacesfileiobuf=interfacesfileiobuf, interfacesfileiobuf=interfacesfileiobuf,
interfacesfileformat=args.interfacesfileformat) interfacesfileformat=args.interfacesfileformat)
if args.noaddons: if args.noaddons:
@ -75,7 +76,7 @@ def run_down(args):
dryrun=args.noact, dryrun=args.noact,
addons_enable=not args.noaddons, addons_enable=not args.noaddons,
statemanager_enable=not args.noaddons, statemanager_enable=not args.noaddons,
interfacesfile=args.interfacesfile, interfacesfile=interfacesfilename,
interfacesfileiobuf=interfacesfileiobuf, interfacesfileiobuf=interfacesfileiobuf,
interfacesfileformat=args.interfacesfileformat) interfacesfileformat=args.interfacesfileformat)
@ -119,7 +120,7 @@ def run_query(args):
withdepends=args.withdepends, withdepends=args.withdepends,
perfmode=args.perfmode, perfmode=args.perfmode,
cache=cachearg, cache=cachearg,
interfacesfile=args.interfacesfile, interfacesfile=interfacesfilename,
interfacesfileiobuf=interfacesfileiobuf, interfacesfileiobuf=interfacesfileiobuf,
interfacesfileformat=args.interfacesfileformat) interfacesfileformat=args.interfacesfileformat)
@ -136,6 +137,7 @@ def run_reload(args):
try: try:
logger.debug('creating ifupdown object ..') logger.debug('creating ifupdown object ..')
ifupdown_handle = ifupdownMain(config=configmap_g, ifupdown_handle = ifupdownMain(config=configmap_g,
interfacesfile=interfacesfilename,
withdepends=args.withdepends, withdepends=args.withdepends,
perfmode=args.perfmode) perfmode=args.perfmode)
ifupdown_handle.reload(['pre-up', 'up', 'post-up'], ifupdown_handle.reload(['pre-up', 'up', 'post-up'],
@ -150,6 +152,7 @@ def run_reload(args):
def init(args): def init(args):
global logger global logger
global interfacesfileiobuf global interfacesfileiobuf
global interfacesfilename
log_level = logging.WARNING log_level = logging.WARNING
if args.verbose: if args.verbose:
@ -182,9 +185,24 @@ def init(args):
except: except:
raise raise
# If interfaces file is stdin, read if hasattr(args, 'interfacesfile') and args.interfacesfile != None:
if hasattr(args, 'interfacesfile') and args.interfacesfile == '-': # Check to see if -i option is allowed by config file
interfacesfileiobuf = sys.stdin.read() if configmap_g.get('disable_cli_interfacesfile','1') == '1':
logger.error('disable_cli_interfacesfile is set so users '
'not allowed to specify interfaces file on cli.')
exit(1)
if args.interfacesfile == '-':
# If interfaces file is stdin, read
interfacesfileiobuf = sys.stdin.read()
else:
interfacesfilename = args.interfacesfile
else:
# if the ifupdown2 config file does not have it, default to standard
interfacesfilename = configmap_g.get('default_interfaces_configfile',
'/etc/network/interfaces')
def deinit(): def deinit():
{} {}
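Review bot: the check `configmap_g.get('disable_cli_interfacesfile','1') == '1'` fails open: any value other than the exact string '1' (yes, true, "1 " with trailing whitespace, or a typo) silently re-enables -i, which is the path the commit message says this change closes. Compare against the one value that is meant to unlock it instead, e.g. `if configmap_g.get('disable_cli_interfacesfile','1').strip() != '0':`. Two smaller points in the same block: in the `-i -` branch interfacesfilename is left None while interfacesfileiobuf is set, so stdin input trips the new None check in networkInterfaces.read_file(); and `!= None` should be `is not None`.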
@ -222,9 +240,9 @@ def update_argparser(argparser):
help='Exclude interfaces from the list of interfaces' + help='Exclude interfaces from the list of interfaces' +
' to operate on. Can be specified multiple times.') ' to operate on. Can be specified multiple times.')
argparser.add_argument('-i', '--interfaces', dest='interfacesfile', argparser.add_argument('-i', '--interfaces', dest='interfacesfile',
default='/etc/network/interfaces', default=None,
help='use interfaces file instead of default ' + help='Specify interfaces file instead of file defined ' +
'/etc/network/interfaces') 'in ifupdown2.conf file')
argparser.add_argument('-t', '--interfaces-format', argparser.add_argument('-t', '--interfaces-format',
dest='interfacesfileformat', dest='interfacesfileformat',
default='native', default='native',
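Review bot: the help text for -i should say that the option is refused by default and which setting unlocks it (disable_cli_interfacesfile=0 in ifupdown2.conf), matching the ifup.8 wording in this patch; as written, `ifup --help` advertises an option that exits with an error on a default install.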