[CalendarServer-changes] [15363] CalendarServer/trunk/support/python-wrapper.c
source_changes at macosforge.org
source_changes at macosforge.org
Thu Dec 3 13:53:56 PST 2015
Revision: 15363
http://trac.calendarserver.org//changeset/15363
Author: sagen at apple.com
Date: 2015-12-03 13:53:56 -0800 (Thu, 03 Dec 2015)
Log Message:
-----------
The python wrapper now disallowed non-whitelisted users
Modified Paths:
--------------
CalendarServer/trunk/support/python-wrapper.c
Modified: CalendarServer/trunk/support/python-wrapper.c
===================================================================
--- CalendarServer/trunk/support/python-wrapper.c 2015-12-03 21:00:49 UTC (rev 15362)
+++ CalendarServer/trunk/support/python-wrapper.c 2015-12-03 21:53:56 UTC (rev 15363)
@@ -8,7 +8,15 @@
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
+#include <pwd.h>
+const char * const allowedUsernames[] = {
+ "_calendar",
+ "_devicemgr",
+ "_teamsserver",
+ "_xserverdocs"
+};
+
const char* python = "/usr/bin/python2.7";
const char* bin = "/Applications/Server.app/Contents/ServerRoot/Library/CalendarServer/bin";
const char* site = "/Applications/Server.app/Contents/ServerRoot/Library/CalendarServer/lib/python2.7/site-packages";
@@ -35,13 +43,46 @@
return 0;
}
+int uidIsAllowed() {
+ // Returns 1 if we're root or any of the whitelisted users; 0 otherwise
+
+ int uid = getuid();
+
+ if (uid == 0) {
+ // Always allow root
+ return 1;
+
+ } else {
+ // Check the other whitelisted users
+ int i, len;
+ struct passwd* passwdInfo;
+
+ len = sizeof(allowedUsernames) / sizeof(allowedUsernames[0]);
+ for (i = 0; i < len; i++) {
+ passwdInfo = getpwnam(allowedUsernames[i]);
+ if (passwdInfo != NULL) {
+ if (passwdInfo->pw_uid == uid) {
+ return 1;
+ }
+ }
+ }
+ }
+
+ // No match
+ return 0;
+}
+
int main(int argc, const char * argv[]) {
-
- // Update PATH and PYTHONPATH
- prependToPath("PATH", bin);
- prependToPath("PYTHONPATH", site);
-
- // Launch real python
- argv[0] = python;
- return execvp(python, (char* const*)argv);
+
+ if (uidIsAllowed()) {
+ // Update PATH and PYTHONPATH
+ prependToPath("PATH", bin);
+ prependToPath("PYTHONPATH", site);
+
+ // Launch real python
+ argv[0] = python;
+ return execvp(python, (char* const*)argv);
+ } else {
+ printf("You are not allowed to run this executable.\n");
+ }
}
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.macosforge.org/pipermail/calendarserver-changes/attachments/20151203/ed9867db/attachment-0001.html>
More information about the calendarserver-changes
mailing list