fix non root tamper persist files
This commit is contained in:
parent
c003d1d030
commit
c4c70d9695
1 changed files with 21 additions and 3 deletions
24
src/main.rs
24
src/main.rs
|
@ -1,9 +1,10 @@
|
||||||
use std::fs;
|
use std::fs;
|
||||||
|
use std::os::linux::fs::MetadataExt;
|
||||||
use std::{env, os::unix::prelude::PermissionsExt};
|
use std::{env, os::unix::prelude::PermissionsExt};
|
||||||
use std::process::ExitCode;
|
use std::process::ExitCode;
|
||||||
use std::time::SystemTime;
|
use std::time::SystemTime;
|
||||||
use pwd::Passwd;
|
use pwd::Passwd;
|
||||||
use nix::{unistd};
|
use nix::unistd;
|
||||||
use serde_json::Value;
|
use serde_json::Value;
|
||||||
|
|
||||||
extern crate time;
|
extern crate time;
|
||||||
|
@ -37,7 +38,7 @@ fn main() -> ExitCode {
|
||||||
let persist = match allowed(&config, &user.name) {
|
let persist = match allowed(&config, &user.name) {
|
||||||
Some(data) => data,
|
Some(data) => data,
|
||||||
None => {
|
None => {
|
||||||
eprintln!("Operation Not Permitted. This incidence will be reported.");
|
eprintln!("Operation Not Permitted.");
|
||||||
return ExitCode::from(ERROR_NOT_AUTHORIZED);
|
return ExitCode::from(ERROR_NOT_AUTHORIZED);
|
||||||
}
|
}
|
||||||
};
|
};
|
||||||
|
@ -137,11 +138,28 @@ fn get_terminal_process() -> Option<i32> {
|
||||||
Some(stat.tty_nr)
|
Some(stat.tty_nr)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
fn is_file_root_only(id: &i32) -> bool {
|
||||||
|
let metadata = match std::fs::metadata(path(&id)) {
|
||||||
|
Ok(data) => data,
|
||||||
|
Err(e) => {
|
||||||
|
if let Some(err) = e.raw_os_error() {
|
||||||
|
return err == 2;
|
||||||
|
}
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
};
|
||||||
|
let perms = metadata.permissions();
|
||||||
|
return perms.mode() == 33200 && metadata.st_uid() == 0 && metadata.st_gid() == 0;
|
||||||
|
}
|
||||||
|
|
||||||
fn get_terminal_config() -> Option<Value> {
|
fn get_terminal_config() -> Option<Value> {
|
||||||
let id = match get_terminal_process() {
|
let id = match get_terminal_process() {
|
||||||
Some(data) => data,
|
Some(data) => data,
|
||||||
None => return None
|
None => return None
|
||||||
};
|
};
|
||||||
|
if !is_file_root_only(&id) {
|
||||||
|
return None;
|
||||||
|
}
|
||||||
let data = match std::fs::read_to_string(path(&id)) {
|
let data = match std::fs::read_to_string(path(&id)) {
|
||||||
Ok(data) => data,
|
Ok(data) => data,
|
||||||
Err(_) => "{}".to_string()
|
Err(_) => "{}".to_string()
|
||||||
|
@ -158,7 +176,7 @@ fn write_terminal_config(id: &i32, data: &str) -> Result<(), Box<dyn std::error:
|
||||||
unistd::chown(std::path::Path::new(&path(&id)), Some(unistd::Uid::from(0)), Some(unistd::Gid::from(0)))?;
|
unistd::chown(std::path::Path::new(&path(&id)), Some(unistd::Uid::from(0)), Some(unistd::Gid::from(0)))?;
|
||||||
let metadata = std::fs::metadata(path(&id))?;
|
let metadata = std::fs::metadata(path(&id))?;
|
||||||
let mut perms = metadata.permissions();
|
let mut perms = metadata.permissions();
|
||||||
perms.set_mode(0o0660);
|
perms.set_mode(0o660);
|
||||||
fs::set_permissions(path(&id), perms)?;
|
fs::set_permissions(path(&id), perms)?;
|
||||||
Ok(())
|
Ok(())
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue