Changeset cf4b7f4

Timestamp:

Sep 15, 2012, 10:51:23 PM (13 years ago)

Author:

Alex Dehnert <adehnert@…>

Branches:

master, space-access, stable, stage

Children:

0f60d8b

Parents:

08d4fa6

git-author:

Alex Dehnert <adehnert@…> (09/15/12 22:51:23)

git-committer:

Alex Dehnert <adehnert@…> (09/15/12 22:51:23)

Message:

Use a new PAG for accessing constitutions

This fixes a potential privilege escalation issue from asa-internal (or anybody
else who can read constitutions) to asa-db-root. In particular, by putting a
path within the asa-db locker in for their constitution, they could convince
the DB to copy /mit/asa-db/.my.cnf or other sensitive files into the
constitutions directory, and then read it. By creating a new PAG, we drop the
daemon.scripts privileges and prevent the attack.

In a future change, we may wish to aklog with a new principal so as to be able
to read non-public constitutions. When we do so, we should be careful not to
use daemon.asa-db or any other principal with privileged read access to AFS.

File:

• asadb/groups/models.py (modified) (2 diffs)

asadb/groups/models.py

@@ -11 +11 @@
 import re
 import shutil
+import subprocess
 import urlparse
 import urllib
@@ -169 +170 @@
                 new_mimetype = None
                 if url.startswith('/afs/') or url.startswith('/mit/'):
-                    new_fp = open(url, 'rb')
+                    new_data = mit.pag_check_output(['/bin/cat', url], aklog=False, stderr=subprocess.STDOUT)
                 else:
                     new_fp = urllib2.urlopen(url)
                     if new_fp.info().getheader('Content-Type'):
                         new_mimetype = new_fp.info().gettype()
-
-                new_data = new_fp.read()
-                new_fp.close()
+                    new_data = new_fp.read()
+                    new_fp.close()
             except urllib2.HTTPError, e:
                 error_msg = "HTTPError: %s %s" % (e.code, e.msg)
             except urllib2.URLError, e:
                 error_msg = "URLError: %s" % (e.reason)
+            except subprocess.CalledProcessError, e:
+                results = e.output.split(": ")
+                if len(results) == 3 and results[0] == '/bin/cat' and results[1] == url:
+                    cat_err = results[2]
+                else:
+                    cat_err = e.output
+                error_msg = "CalledProcessError %d: %s" % (e.returncode, cat_err)
             except IOError:
                 error_msg = "IOError"