def test_16_allowed_ld_preload_builtin(self):
""" U16 | builtin commands should NOT be prepended with LD_PRELOAD """
args = self.args + ["--allowed=['echo','export']"]
userconf = CheckConfig(args).returnconf()
# verify that export is not automatically added to the aliases (i.e.
# prepended with LD_PRELOAD)
return self.assertNotIn('export', userconf['aliases'])
def test_09_checkpath_notallowed_path_completion(self):
""" U09 | forbidden command, should return 1 """
args = self.args + ["--path=['/home', '/var']"]
userconf = CheckConfig(args).returnconf()
INPUT = "cd /tmp/"
return self.assertEqual(
sec.check_path(INPUT, userconf, completion=1)[0], 1)
def test_15_allowed_ld_preload_cmd(self):
""" U15 | all allowed commands should be prepended with LD_PRELOAD """
args = self.args + ["--allowed=['echo','export']"]
userconf = CheckConfig(args).returnconf()
# sort lists to compare
return self.assertEqual(userconf['aliases']['echo'],
'LD_PRELOAD=%s echo' % userconf['path_noexec'])
def test_17_allowed_exec_cmd(self):
""" U17 | allowed_shell_escape should NOT be prepended with LD_PRELOAD
The command should not be added to the aliases variable
"""
args = self.args + ["--allowed_shell_escape=['echo']"]
userconf = CheckConfig(args).returnconf()
# sort lists to compare
return self.assertNotIn('echo', userconf['aliases'])
def test_23_prompt_short_1(self):
""" U23 | short_prompt = 1 should show only current dir """
expected = '%s: foo$ ' % getuser()
args = self.args + ['--prompt_short=1']
userconf = CheckConfig(args).returnconf()
currentpath = "%s/foo" % userconf['home_path']
prompt = updateprompt(currentpath, userconf)
# sort lists to compare
return self.assertEqual(prompt, expected)
def test_24_prompt_short_2(self):
""" U24 | short_prompt = 2 should show full dir path """
expected = '%s: %s$ ' % (getuser(), os.getcwd())
args = self.args + ['--prompt_short=2']
userconf = CheckConfig(args).returnconf()
currentpath = "%s/foo" % userconf['home_path']
prompt = updateprompt(currentpath, userconf)
# sort lists to compare
return self.assertEqual(prompt, expected)
def test_12_overssh(self):
""" U12 | command over ssh """
args = self.args + ["--overssh=['exit']", '-c exit']
os.environ['SSH_CLIENT'] = '8.8.8.8 36000 22'
if 'SSH_TTY' in os.environ:
os.environ.pop('SSH_TTY')
with self.assertRaises(SystemExit) as cm:
CheckConfig(args).returnconf()
return self.assertEqual(cm.exception.code, 0)
def test_22_prompt_short_0(self):
""" U22 | short_prompt = 0 should show dir compared to home dir """
expected = '%s:~/foo$ ' % getuser()
args = self.args + ['--prompt_short=0']
userconf = CheckConfig(args).returnconf()
currentpath = "%s/foo" % userconf['home_path']
prompt = updateprompt(currentpath, userconf)
# sort lists to compare
return self.assertEqual(prompt, expected)
def test_14_sudo_all_commands_expansion(self):
""" U14 | sudo_commands set to 'all' is equal to allowed variable """
args = self.args + ["--sudo_commands=all"]
userconf = CheckConfig(args).returnconf()
# exclude internal and sudo(8) commands
exclude = builtins_list + ['sudo']
allowed = [x for x in userconf['allowed'] if x not in exclude]
# sort lists to compare
userconf['sudo_commands'].sort()
allowed.sort()
return self.assertEqual(allowed, userconf['sudo_commands'])
def test_20_winscp_allowed_commands(self):
""" U20 | when winscp is enabled, new allowed commands are automatically
added (see man).
"""
args = self.args + ["--allowed=[]", "--winscp=1"]
userconf = CheckConfig(args).returnconf()
# sort lists to compare, except 'export'
exclude = list(set(builtins_list) - set(['export']))
expected = exclude + [
'scp', 'env', 'pwd', 'groups', 'unset', 'unalias'
]
expected.sort()
allowed = userconf['allowed']
allowed.sort()
return self.assertEqual(allowed, expected)
def test_11_checkconfig_configoverwrite(self):
""" U12 | forbid ';', then check_secure should return 1 """
args = ['--config=%s/etc/lshell.conf' % TOPDIR, '--strict=123']
userconf = CheckConfig(args).returnconf()
return self.assertEqual(userconf['strict'], 123)
def test_10_checkpath_dollarparenthesis(self):
""" U10 | when $() is allowed, return 0 if path allowed """
args = self.args + ["--forbidden=[';', '&', '|','`','>','<', '${']"]
userconf = CheckConfig(args).returnconf()
INPUT = "echo $(echo aze)"
return self.assertEqual(sec.check_path(INPUT, userconf)[0], 0)
class TestFunctions(unittest.TestCase):
args = ['--config=%s/etc/lshell.conf' % TOPDIR, "--quiet=1"]
userconf = CheckConfig(args).returnconf()
shell = ShellCmd(userconf, args)
def test_03_checksecure_doublepipe(self):
""" U03 | double pipes should be allowed, even if pipe is forbidden """
args = self.args + ["--forbidden=['|']"]
userconf = CheckConfig(args).returnconf()
INPUT = "ls || ls"
return self.assertEqual(sec.check_secure(INPUT, userconf)[0], 0)
def test_04_checksecure_forbiddenpipe(self):
""" U04 | forbid pipe, should return 1 """
args = self.args + ["--forbidden=['|']"]
userconf = CheckConfig(args).returnconf()
INPUT = "ls | ls"
return self.assertEqual(sec.check_secure(INPUT, userconf)[0], 1)
def test_05_checksecure_forbiddenchar(self):
""" U05 | forbid character, should return 1 """
args = self.args + ["--forbidden=['l']"]
userconf = CheckConfig(args).returnconf()
INPUT = "ls"
return self.assertEqual(sec.check_secure(INPUT, userconf)[0], 1)
def test_06_checksecure_sudo_command(self):
""" U06 | quoted text should not be forbidden """
INPUT = "sudo ls"
return self.assertEqual(sec.check_secure(INPUT, self.userconf)[0], 1)
def test_07_checksecure_notallowed_command(self):
""" U07 | forbidden command, should return 1 """
args = self.args + ["--allowed=['ls']"]
userconf = CheckConfig(args).returnconf()
INPUT = "ll"
return self.assertEqual(sec.check_secure(INPUT, userconf)[0], 1)
def test_08_checkpath_notallowed_path(self):
""" U08 | forbidden command, should return 1 """
args = self.args + ["--path=['/home', '/var']"]
userconf = CheckConfig(args).returnconf()
INPUT = "cd /tmp"
return self.assertEqual(sec.check_path(INPUT, userconf)[0], 1)
def test_09_checkpath_notallowed_path_completion(self):
""" U09 | forbidden command, should return 1 """
args = self.args + ["--path=['/home', '/var']"]
userconf = CheckConfig(args).returnconf()
INPUT = "cd /tmp/"
return self.assertEqual(
sec.check_path(INPUT, userconf, completion=1)[0], 1)
def test_10_checkpath_dollarparenthesis(self):
""" U10 | when $() is allowed, return 0 if path allowed """
args = self.args + ["--forbidden=[';', '&', '|','`','>','<', '${']"]
userconf = CheckConfig(args).returnconf()
INPUT = "echo $(echo aze)"
return self.assertEqual(sec.check_path(INPUT, userconf)[0], 0)
def test_11_checkconfig_configoverwrite(self):
""" U12 | forbid ';', then check_secure should return 1 """
args = ['--config=%s/etc/lshell.conf' % TOPDIR, '--strict=123']
userconf = CheckConfig(args).returnconf()
return self.assertEqual(userconf['strict'], 123)
def test_12_overssh(self):
""" U12 | command over ssh """
args = self.args + ["--overssh=['exit']", '-c exit']
os.environ['SSH_CLIENT'] = '8.8.8.8 36000 22'
if 'SSH_TTY' in os.environ:
os.environ.pop('SSH_TTY')
with self.assertRaises(SystemExit) as cm:
CheckConfig(args).returnconf()
return self.assertEqual(cm.exception.code, 0)
def test_13_multiple_aliases_with_separator(self):
""" U13 | multiple aliases using &&, || and ; separators """
# enable &, | and ; characters
aliases = {'foo': 'foo -l', 'bar': 'open'}
INPUT = "foo; fooo ;bar&&foo && foo | bar||bar || foo"
return self.assertEqual(
get_aliases(INPUT, aliases), ' foo -l; fooo ; open&& foo -l '
'&& foo -l | open|| open || foo -l')
def test_14_sudo_all_commands_expansion(self):
""" U14 | sudo_commands set to 'all' is equal to allowed variable """
args = self.args + ["--sudo_commands=all"]
userconf = CheckConfig(args).returnconf()
# exclude internal and sudo(8) commands
exclude = builtins_list + ['sudo']
allowed = [x for x in userconf['allowed'] if x not in exclude]
# sort lists to compare
userconf['sudo_commands'].sort()
allowed.sort()
return self.assertEqual(allowed, userconf['sudo_commands'])
def test_15_allowed_ld_preload_cmd(self):
""" U15 | all allowed commands should be prepended with LD_PRELOAD """
args = self.args + ["--allowed=['echo','export']"]
userconf = CheckConfig(args).returnconf()
# sort lists to compare
return self.assertEqual(userconf['aliases']['echo'],
'LD_PRELOAD=%s echo' % userconf['path_noexec'])
def test_16_allowed_ld_preload_builtin(self):
""" U16 | builtin commands should NOT be prepended with LD_PRELOAD """
args = self.args + ["--allowed=['echo','export']"]
userconf = CheckConfig(args).returnconf()
# verify that export is not automatically added to the aliases (i.e.
# prepended with LD_PRELOAD)
return self.assertNotIn('export', userconf['aliases'])
def test_17_allowed_exec_cmd(self):
""" U17 | allowed_shell_escape should NOT be prepended with LD_PRELOAD
The command should not be added to the aliases variable
"""
args = self.args + ["--allowed_shell_escape=['echo']"]
userconf = CheckConfig(args).returnconf()
# sort lists to compare
return self.assertNotIn('echo', userconf['aliases'])
def test_18_forbidden_environment(self):
""" U18 | unsafe environment are forbidden
"""
INPUT = 'export LD_PRELOAD=/lib64/ld-2.21.so'
args = INPUT
retcode = builtins.export(args)[0]
return self.assertEqual(retcode, 1)
def test_19_allowed_environment(self):
""" U19 | other environment are accepted
"""
INPUT = 'export MY_PROJECT_VERSION=43'
args = INPUT
retcode = builtins.export(args)[0]
return self.assertEqual(retcode, 0)
def test_20_winscp_allowed_commands(self):
""" U20 | when winscp is enabled, new allowed commands are automatically
added (see man).
"""
args = self.args + ["--allowed=[]", "--winscp=1"]
userconf = CheckConfig(args).returnconf()
# sort lists to compare, except 'export'
exclude = list(set(builtins_list) - set(['export']))
expected = exclude + [
'scp', 'env', 'pwd', 'groups', 'unset', 'unalias'
]
expected.sort()
allowed = userconf['allowed']
allowed.sort()
return self.assertEqual(allowed, expected)
def test_21_winscp_allowed_semicolon(self):
""" U21 | when winscp is enabled, use of semicolon is allowed """
args = self.args + ["--forbidden=[';']", "--winscp=1"]
userconf = CheckConfig(args).returnconf()
# sort lists to compare
return self.assertNotIn(';', userconf['forbidden'])
def test_22_prompt_short_0(self):
""" U22 | short_prompt = 0 should show dir compared to home dir """
expected = '%s:~/foo$ ' % getuser()
args = self.args + ['--prompt_short=0']
userconf = CheckConfig(args).returnconf()
currentpath = "%s/foo" % userconf['home_path']
prompt = updateprompt(currentpath, userconf)
# sort lists to compare
return self.assertEqual(prompt, expected)
def test_23_prompt_short_1(self):
""" U23 | short_prompt = 1 should show only current dir """
expected = '%s: foo$ ' % getuser()
args = self.args + ['--prompt_short=1']
userconf = CheckConfig(args).returnconf()
currentpath = "%s/foo" % userconf['home_path']
prompt = updateprompt(currentpath, userconf)
# sort lists to compare
return self.assertEqual(prompt, expected)
def test_24_prompt_short_2(self):
""" U24 | short_prompt = 2 should show full dir path """
expected = '%s: %s$ ' % (getuser(), os.getcwd())
args = self.args + ['--prompt_short=2']
userconf = CheckConfig(args).returnconf()
currentpath = "%s/foo" % userconf['home_path']
prompt = updateprompt(currentpath, userconf)
# sort lists to compare
return self.assertEqual(prompt, expected)
def test_25_disable_ld_preload(self):
""" U25 | empty path_noexec should disable LD_PRELOAD """
args = self.args + ["--allowed=['echo','export']", "--path_noexec=''"]
userconf = CheckConfig(args).returnconf()
# verify that no alias was created containing LD_PRELOAD
return self.assertNotIn('echo', userconf['aliases'])
def test_26_checksecure_quoted_command(self):
""" U26 | quoted command should be parsed """
INPUT = 'echo 1 && "bash"'
return self.assertEqual(sec.check_secure(INPUT, self.userconf)[0], 1)
def test_27_checksecure_quoted_command(self):
""" U27 | quoted command should be parsed """
INPUT = '"bash" && echo 1'
return self.assertEqual(sec.check_secure(INPUT, self.userconf)[0], 1)
def test_28_checksecure_quoted_command(self):
""" U28 | quoted command should be parsed """
INPUT = "echo'/1.sh'"
return self.assertEqual(sec.check_secure(INPUT, self.userconf)[0], 1)
def test_07_checksecure_notallowed_command(self):
""" U07 | forbidden command, should return 1 """
args = self.args + ["--allowed=['ls']"]
userconf = CheckConfig(args).returnconf()
INPUT = "ll"
return self.assertEqual(sec.check_secure(INPUT, userconf)[0], 1)
def test_05_checksecure_forbiddenchar(self):
""" U05 | forbid character, should return 1 """
args = self.args + ["--forbidden=['l']"]
userconf = CheckConfig(args).returnconf()
INPUT = "ls"
return self.assertEqual(sec.check_secure(INPUT, userconf)[0], 1)
def test_04_checksecure_forbiddenpipe(self):
""" U04 | forbid pipe, should return 1 """
args = self.args + ["--forbidden=['|']"]
userconf = CheckConfig(args).returnconf()
INPUT = "ls | ls"
return self.assertEqual(sec.check_secure(INPUT, userconf)[0], 1)
def test_25_disable_ld_preload(self):
""" U25 | empty path_noexec should disable LD_PRELOAD """
args = self.args + ["--allowed=['echo','export']", "--path_noexec=''"]
userconf = CheckConfig(args).returnconf()
# verify that no alias was created containing LD_PRELOAD
return self.assertNotIn('echo', userconf['aliases'])
def test_03_checksecure_doublepipe(self):
""" U03 | double pipes should be allowed, even if pipe is forbidden """
args = self.args + ["--forbidden=['|']"]
userconf = CheckConfig(args).returnconf()
INPUT = "ls || ls"
return self.assertEqual(sec.check_secure(INPUT, userconf)[0], 0)
def test_21_winscp_allowed_semicolon(self):
""" U21 | when winscp is enabled, use of semicolon is allowed """
args = self.args + ["--forbidden=[';']", "--winscp=1"]
userconf = CheckConfig(args).returnconf()
# sort lists to compare
return self.assertNotIn(';', userconf['forbidden'])
def __getattr__(self, attr):
""" This method actually takes care of all the called method that are
not resolved (i.e not existing methods). It actually will simulate
the existence of any method entered in the 'allowed' variable list.
e.g. You just have to add 'uname' in list of allowed commands in
the 'allowed' variable, and lshell will react as if you had
added a do_uname in the ShellCmd class!
"""
# expand environment variables in command line
self.g_cmd = os.path.expandvars(self.g_cmd)
self.g_line = os.path.expandvars(self.g_line)
self.g_arg = os.path.expandvars(self.g_arg)
# in case the configuration file has been modified, reload it
if self.conf['config_mtime'] != os.path.getmtime(
self.conf['configfile']):
from lshell.checkconfig import CheckConfig
self.conf = CheckConfig(['--config', self.conf['configfile']],
refresh=1).returnconf()
self.conf['promptprint'] = utils.updateprompt(
os.getcwd(), self.conf)
self.log = self.conf['logpath']
if self.g_cmd in ['quit', 'exit', 'EOF']:
self.log.error('Exited')
if self.g_cmd == 'EOF':
self.stdout.write('\n')
if self.conf['disable_exit'] != 1:
sys.exit(0)
# check that commands/chars present in line are allowed/secure
ret_check_secure, self.conf = sec.check_secure(
self.g_line, self.conf, strict=self.conf['strict'])
if ret_check_secure == 1:
# see http://tldp.org/LDP/abs/html/exitcodes.html
self.retcode = 126
return object.__getattribute__(self, attr)
# check that path present in line are allowed/secure
ret_check_path, self.conf = sec.check_path(self.g_line,
self.conf,
strict=self.conf['strict'])
if ret_check_path == 1:
# see http://tldp.org/LDP/abs/html/exitcodes.html
self.retcode = 126
# in case request was sent by WinSCP, return error code has to be
# sent via an specific echo command
if self.conf['winscp'] and re.search('WinSCP: this is end-of-file',
self.g_line):
utils.exec_cmd('echo "WinSCP: this is end-of-file: %s"' %
self.retcode)
return object.__getattribute__(self, attr)
if self.g_cmd in self.conf['allowed']:
if self.conf['timer'] > 0:
self.mytimer(0)
self.g_arg = re.sub('^~$|^~/', '%s/' % self.conf['home_path'],
self.g_arg)
self.g_arg = re.sub(' ~/', ' %s/' % self.conf['home_path'],
self.g_arg)
# replace previous command exit code
# in case multiple commands (using separators), only replace first
# command. Regex replaces all occurrences of $?, before ;,&,|
if re.search('[;&|]', self.g_line):
p = re.compile("(\s|^)(\$\?)([\s|$]?[;&|].*)")
else:
p = re.compile("(\s|^)(\$\?)(\s|$)")
self.g_line = p.sub(r' %s \3' % self.retcode, self.g_line)
if type(self.conf['aliases']) == dict:
self.g_line = utils.get_aliases(self.g_line,
self.conf['aliases'])
self.log.info('CMD: "%s"' % self.g_line)
if self.g_cmd == 'cd':
# split cd <dir> and rest of command
cmd_split = re.split(';|&&|&|\|\||\|', self.g_line, 1)
# in case the are commands following cd, first change the
# directory, then execute the command
if len(cmd_split) == 2:
directory, command = cmd_split
# only keep cd's argument
directory = directory.split('cd', 1)[1].strip()
# change directory then, if success, execute the rest of
# the cmd line
self.retcode, self.conf = builtins.cd(directory, self.conf)
if self.retcode == 0:
self.retcode = utils.exec_cmd(command)
else:
# set directory to command line argument and change dir
directory = self.g_arg
self.retcode, self.conf = builtins.cd(directory, self.conf)
# built-in lpath function: list all allowed path
elif self.g_cmd == 'lpath':
self.retcode = builtins.lpath(self.conf)
# built-in lsudo function: list all allowed sudo commands
elif self.g_cmd == 'lsudo':
self.retcode = builtins.lsudo(self.conf)
# built-in history function: print command history
elif self.g_cmd == 'history':
self.retcode = builtins.history(self.conf, self.log)
# built-in export function
elif self.g_cmd == 'export':
self.retcode, var = builtins.export(self.g_line)
if self.retcode == 1:
self.log.critical(
"** forbidden environment variable '%s'" % var)
# case 'cd' is in an alias e.g. {'toto':'cd /var/tmp'}
elif self.g_line[0:2] == 'cd':
self.g_cmd = self.g_line.split()[0]
directory = ' '.join(self.g_line.split()[1:])
self.retcode, self.conf = builtins.cd(directory, self.conf)
else:
self.retcode = utils.exec_cmd(self.g_line)
elif self.g_cmd not in ['', '?', 'help', None]:
self.log.warn('INFO: unknown syntax -> "%s"' % self.g_line)
self.stderr.write('*** unknown syntax: %s\n' % self.g_cmd)
self.g_cmd, self.g_arg, self.g_line = ['', '', '']
if self.conf['timer'] > 0:
self.mytimer(self.conf['timer'])
return object.__getattribute__(self, attr)
def __getattr__(self, attr):
""" This method actually takes care of all the called method that are
not resolved (i.e not existing methods). It actually will simulate
the existance of any method entered in the 'allowed' variable list.
e.g. You just have to add 'uname' in list of allowed commands in
the 'allowed' variable, and lshell will react as if you had
added a do_uname in the ShellCmd class!
"""
# in case the configuration file has been modified, reload it
if self.conf['config_mtime'] != os.path.getmtime(
self.conf['configfile']):
from lshell.checkconfig import CheckConfig
self.conf = CheckConfig(['--config', \
self.conf['configfile']]).returnconf()
self.prompt = '%s:~$ ' % self.setprompt(self.conf)
self.log = self.conf['logpath']
if self.g_cmd in ['quit', 'exit', 'EOF']:
self.log.error('Exited')
if self.g_cmd == 'EOF':
self.stdout.write('\n')
sys.exit(0)
if self.check_secure(self.g_line, self.conf['strict']) == 1:
return object.__getattribute__(self, attr)
if self.check_path(self.g_line, strict=self.conf['strict']) == 1:
return object.__getattribute__(self, attr)
if self.g_cmd in self.conf['allowed']:
self.g_arg = re.sub('^~$|^~/', '%s/' %self.conf['home_path'], \
self.g_arg)
self.g_arg = re.sub(' ~/', ' %s/' %self.conf['home_path'], \
self.g_arg)
# replace previous command exit code
self.g_line = re.sub('(\s|^)\$\?(\s|$)', ' %s ' % self.retcode,
self.g_line)
if type(self.conf['aliases']) == dict:
self.g_line = get_aliases(self.g_line, self.conf['aliases'])
self.log.info('CMD: "%s"' % self.g_line)
if self.g_cmd == 'cd':
self.retcode = self.cd()
# builtin lpath function: list all allowed path
elif self.g_cmd == 'lpath':
self.retcode = self.lpath()
# builtin lsudo function: list all allowed sudo commands
elif self.g_cmd == 'lsudo':
self.retcode = self.lsudo()
# builtin history function: print command history
elif self.g_cmd == 'history':
self.retcode = self.history()
# builtin export function
elif self.g_cmd == 'export':
self.retcode = self.export()
# case 'cd' is in an alias e.g. {'toto':'cd /var/tmp'}
elif self.g_line[0:2] == 'cd':
self.g_cmd = self.g_line.split()[0]
self.g_arg = ' '.join(self.g_line.split()[1:])
self.retcode = self.cd()
else:
self.retcode = os.system('set -m; %s' % self.g_line)
elif self.g_cmd not in ['', '?', 'help', None]:
self.log.warn('INFO: unknown syntax -> "%s"' % self.g_line)
self.stderr.write('*** unknown syntax: %s\n' % self.g_cmd)
self.g_cmd, self.g_arg, self.g_line = ['', '', '']
return object.__getattribute__(self, attr)
