From 1c6c6d62ca665f9d1126b6bad849f7fd584b6a80 Mon Sep 17 00:00:00 2001 From: Steven Barth Date: Sat, 29 Mar 2008 18:22:21 +0000 Subject: [PATCH] * Replaced luafilesystem with luaposix library * Introduced privilege dropping capability * Automatically drop privileges for "public" to "nobody/nogroup" (as defined in ffluci.uci) --- Makefile | 6 ++-- contrib/ffluci.uci | 2 ++ contrib/package/ffluci/Makefile | 2 +- .../package/{luafilesystem => luaposix}/Makefile | 24 ++++++++-------- src/ffluci/cbi.lua | 2 +- src/ffluci/controller/admin/system.lua | 5 ++-- src/ffluci/dispatcher.lua | 13 +++++++++ src/ffluci/fs.lua | 26 +++++++++-------- src/ffluci/i18n.lua | 2 +- src/ffluci/menu.lua | 4 +-- src/ffluci/sys.lua | 33 ++++++++++++++++++++-- src/ffluci/template.lua | 2 +- src/ffluci/util.lua | 10 +++++++ 13 files changed, 93 insertions(+), 38 deletions(-) rename contrib/package/{luafilesystem => luaposix}/Makefile (56%) diff --git a/Makefile b/Makefile index 2e986d8cb..a43766e66 100644 --- a/Makefile +++ b/Makefile @@ -4,9 +4,9 @@ LUAC_OPTIONS = -s FILES = CFILES = ffluci/util.lua ffluci/http.lua ffluci/fs.lua \ -ffluci/model/uci.lua ffluci/config.lua ffluci/i18n.lua \ -ffluci/template.lua ffluci/cbi.lua ffluci/dispatcher.lua \ -ffluci/menu.lua ffluci/init.lua ffluci/sys.lua +ffluci/sys.lua ffluci/model/uci.lua ffluci/config.lua \ +ffluci/i18n.lua ffluci/template.lua ffluci/cbi.lua \ +ffluci/dispatcher.lua ffluci/menu.lua ffluci/init.lua DIRECTORIES = dist/ffluci/model/cbi dist/ffluci/controller dist/ffluci/i18n dist/ffluci/view diff --git a/contrib/ffluci.uci b/contrib/ffluci.uci index c887b1b33..640faf170 100644 --- a/contrib/ffluci.uci +++ b/contrib/ffluci.uci @@ -2,6 +2,8 @@ config core main option lang de option mediaurlbase /ffluci/media +config core category_privileges + option public nobody:nogroup config public contact option nickname diff --git a/contrib/package/ffluci/Makefile b/contrib/package/ffluci/Makefile index 04093a974..4709767d1 100644 
--- a/contrib/package/ffluci/Makefile +++ b/contrib/package/ffluci/Makefile @@ -15,7 +15,7 @@ define Package/ffluci SECTION:=admin CATEGORY:=Administration TITLE:=FFLuCI - DEPENDS:=+liblua +luafilesystem +haserl + DEPENDS:=+liblua +luaposix +haserl MAINTAINER:=Steven Barth endef diff --git a/contrib/package/luafilesystem/Makefile b/contrib/package/luaposix/Makefile similarity index 56% rename from contrib/package/luafilesystem/Makefile rename to contrib/package/luaposix/Makefile index 6c73cf501..177583bb8 100644 --- a/contrib/package/luafilesystem/Makefile +++ b/contrib/package/luaposix/Makefile @@ -1,23 +1,23 @@ include $(TOPDIR)/rules.mk -PKG_NAME:=luafilesystem -PKG_VERSION:=1.4.0 +PKG_NAME:=luaposix +PKG_VERSION:=5.1.2 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz -PKG_SOURCE_URL:=http://luaforge.net/frs/download.php/3158 -PKG_MD5SUM:=6f3d247f27820b8f045431ad81bcd3ad +PKG_SOURCE_URL:=http://luaforge.net/frs/download.php/3063 +PKG_MD5SUM:=31deeb4add91f76b3c2d36aae2888d81 PKG_BUILD_DIR:=$(BUILD_DIR)/$(PKG_NAME)-$(PKG_VERSION) PKG_INSTALL_DIR:=$(PKG_BUILD_DIR)/ipkg-install include $(INCLUDE_DIR)/package.mk -define Package/luafilesystem +define Package/luaposix SECTION:=lib CATEGORY:=Libraries - TITLE:=Lua FS library - URL:=http://www.keplerproject.org/luafilesystem/ + TITLE:=Lua Posix library + URL:=http://luaforge.net/projects/luaposix/ DEPENDS:=+liblua MAINTAINER:=Steven Barth endef 
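Review bot: The new luaposix package is fetched over plain HTTP (`PKG_SOURCE_URL:=http://luaforge.net/frs/download.php/3063`) and verified only with `PKG_MD5SUM`, which is weak protection for a native library that this commit makes responsible for dropping privileges. If the build system accepts a stronger digest or an HTTPS mirror, pin those. Otherwise add a comment above the checksum such as `# MD5 only, source is plain HTTP; checksum obtained from <origin of the value>` so later reviewers know what was actually verified.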
@@ -32,13 +32,13 @@ define Build/Compile AR="$(TARGET_CROSS)ar rcu" \ RANLIB="$(TARGET_CROSS)ranlib" \ INSTALL_ROOT=/usr \ - LUA_INC=$(STAGING_DIR)/usr/include + LUAINC=$(STAGING_DIR)/usr/include endef -define Package/luafilesystem/install +define Package/luaposix/install $(INSTALL_DIR) $(1)/usr/lib/lua - $(STRIP) $(PKG_BUILD_DIR)/src/lfs.so - $(INSTALL_BIN) $(PKG_BUILD_DIR)/src/lfs.so $(1)/usr/lib/lua + $(STRIP) $(PKG_BUILD_DIR)/posix.so + $(INSTALL_BIN) $(PKG_BUILD_DIR)/posix.so $(1)/usr/lib/lua endef -$(eval $(call BuildPackage,luafilesystem)) +$(eval $(call BuildPackage,luaposix)) \ No newline at end of file diff --git a/src/ffluci/cbi.lua b/src/ffluci/cbi.lua index 296a77b49..d89405516 100644 --- a/src/ffluci/cbi.lua +++ b/src/ffluci/cbi.lua @@ -39,7 +39,7 @@ function load(cbimap) require("ffluci.fs") require("ffluci.i18n") - local cbidir = ffluci.fs.dirname(ffluci.util.__file__()) .. "model/cbi/" + local cbidir = ffluci.fs.dirname(ffluci.util.__file__()) .. "/model/cbi/" local func, err = loadfile(cbidir..cbimap..".lua") if not func then diff --git a/src/ffluci/controller/admin/system.lua b/src/ffluci/controller/admin/system.lua index df2d981e4..be2d9b6eb 100644 --- a/src/ffluci/controller/admin/system.lua +++ b/src/ffluci/controller/admin/system.lua @@ -1,6 +1,6 @@ module("ffluci.controller.admin.system", package.seeall) -require("ffluci.util") +require("ffluci.sys") require("ffluci.http") menu = { @@ -18,8 +18,7 @@ function action_passwd() local cm if p1 or p2 then - cm = "(echo '"..p1.."';sleep 1;echo '"..p2.."') | passwd root 2>&1" - msg = ffluci.util.exec(cm) + msg = ffluci.sys.user.setpasswd("root", p1, p2) end ffluci.template.render("admin_system/passwd", {msg=msg}) diff --git a/src/ffluci/dispatcher.lua b/src/ffluci/dispatcher.lua index 139b0e308..b60a9beef 100644 --- a/src/ffluci/dispatcher.lua +++ b/src/ffluci/dispatcher.lua 
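Review bot: In the second system.lua hunk, `if p1 or p2 then` lets the call through when only one of the two fields is set, and `ffluci.sys.user.setpasswd` concatenates both values into a command string, so a missing field raises a concatenation error instead of producing a message for the template. Requiring both with `if p1 and p2 then` keeps that failure in the form handling. The `local cm` left above the condition is now unused and can go. action_passwd begins above the hunk, so where p1 and p2 come from is not visible here; both reach a shell command line inside setpasswd and should be treated as untrusted.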
@@ -84,8 +84,20 @@ limitations under the License. module("ffluci.dispatcher", package.seeall) require("ffluci.http") require("ffluci.template") +require("ffluci.config") +require("ffluci.sys") +-- Sets privilege for given category +function assign_privileges(category) + local cp = ffluci.config.category_privileges + if cp and cp[category] then + local u, g = cp[category]:match("([^:]+):([^:]+)") + ffluci.sys.process.setuser(u) + ffluci.sys.process.setgroup(g) + end +end + -- Dispatches the "request" function dispatch(req) request = req @@ -137,6 +149,7 @@ function httpdispatch() local mod = sanitize(parts(), "index") local act = sanitize(parts(), "index") + assign_privileges(cat) dispatch({category=cat, module=mod, action=act}) end diff --git a/src/ffluci/fs.lua b/src/ffluci/fs.lua index fdea1b51e..189612279 100644 --- a/src/ffluci/fs.lua +++ b/src/ffluci/fs.lua @@ -26,7 +26,7 @@ limitations under the License. module("ffluci.fs", package.seeall) -require("lfs") +require("posix") -- Checks whether a file exists function isfile(filename) @@ -80,26 +80,28 @@ end -- Returns the file modification date/time of "path" function mtime(path) - return lfs.attributes(path, "modification") + return posix.stat(path, "mtime") end --- Simplified dirname function -function dirname(file) - return string.gsub(file, "[^/]+$", "") +-- basename wrapper +function basename(path) + return posix.basename(path) +end + +-- dirname wrapper +function dirname(path) + return posix.dirname(path) end -- Diriterator - alias for lfs.dir - filter . and .. function dir(path) - local e = {} - for entry in lfs.dir(path) do - if not(entry == "." or entry == "..") then - table.insert(e, entry) - end - end + local e = posix.dir(path) + table.remove(e, 1) + table.remove(e, 1) return e end -- Alias for lfs.mkdir function mkdir(...) - return lfs.mkdir(...) + return posix.mkdir(...) end \ No newline at end of file diff --git a/src/ffluci/i18n.lua b/src/ffluci/i18n.lua index 1abe22fd7..c362d3e5f 100644 
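Review bot: In assign_privileges the uid is dropped before the gid and neither result is checked, so a request can keep its original group, or stay fully privileged, without any error. Once the uid has been given up the process normally may no longer change its gid, so the order should be reversed and a failure should abort the request: `assert(ffluci.sys.process.setgroup(g))` followed by `assert(ffluci.sys.process.setuser(u))` (this assumes the wrappers return nil on failure; confirm against luaposix). An entry without a `:` leaves `u` and `g` nil, which should also be an error instead of being passed on. The calls pass a single argument while sys.lua in this commit declares `process.setuser(pid, uid)` and `process.setgroup(pid, gid)`, so the two sides need to be reconciled.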
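Review bot: The new `dir()` in fs.lua drops the first two entries of `posix.dir(path)` on the assumption that they are `.` and `..`, but directory listing order is not guaranteed, so real entries can be removed and `.` or `..` handed to callers. Filtering by name, as the removed lfs loop did, avoids that; the rewritten body follows. The comments `-- Diriterator - alias for lfs.dir` and `-- Alias for lfs.mkdir` still name lfs and should say posix. If `posix.dir` returns nil for an unreadable path (to be confirmed), the failure surfaces as an unrelated type error, so the error case deserves an explicit check.

```lua
function dir(path)
	local e = {}
	-- Filter by name: readdir order is unspecified, "." and ".." need not come first
	for _, entry in ipairs(posix.dir(path)) do
		if entry ~= "." and entry ~= ".." then
			table.insert(e, entry)
		end
	end
	return e
end
```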
--- a/src/ffluci/i18n.lua +++ b/src/ffluci/i18n.lua @@ -31,7 +31,7 @@ require("ffluci.util") require("ffluci.config") table = {} -i18ndir = ffluci.fs.dirname(ffluci.util.__file__()) .. "i18n/" +i18ndir = ffluci.fs.dirname(ffluci.util.__file__()) .. "/i18n/" -- Clears the translation table function clear() diff --git a/src/ffluci/menu.lua b/src/ffluci/menu.lua index 7b192aaea..724faaeaa 100644 --- a/src/ffluci/menu.lua +++ b/src/ffluci/menu.lua @@ -29,8 +29,8 @@ require("ffluci.fs") require("ffluci.util") require("ffluci.template") -ctrldir = ffluci.fs.dirname(ffluci.util.__file__()) .. "controller/" -modelpath = ffluci.fs.dirname(ffluci.util.__file__()) .. "model/menudata.lua" +ctrldir = ffluci.fs.dirname(ffluci.util.__file__()) .. "/controller/" +modelpath = ffluci.fs.dirname(ffluci.util.__file__()) .. "/model/menudata.lua" -- Cache menudata into a Luafile instead of recollecting it at every pageload -- Warning: Make sure the menudata cache gets deleted everytime you update diff --git a/src/ffluci/sys.lua b/src/ffluci/sys.lua index 4ed2262c8..97a926b0b 100644 --- a/src/ffluci/sys.lua +++ b/src/ffluci/sys.lua @@ -25,7 +25,7 @@ limitations under the License. ]]-- module("ffluci.sys", package.seeall) -require("ffluci.fs") +require("posix") -- Returns the hostname function hostname() 
@@ -38,11 +38,40 @@ function loadavg() return loadavg:match("^(.-) (.-) (.-) (.-) (.-)$") end + +group = {} +group.getgroup = posix.getgroup + +net = {} -- Returns all available network interfaces -function net_devices() +function net.devices() local devices = {} for line in io.lines("/proc/net/dev") do table.insert(devices, line:match(" *(.-):")) end return devices +end + +process = {} +process.info = posix.getpid + +-- Sets the gid of a process +function process.setgroup(pid, gid) + return posix.setpid("g", pid, gid) +end + +-- Sets the uid of a process +function process.setuser(pid, uid) + return posix.setpid("u", pid, uid) +end + +user = {} +-- returns user information to a given uid +user.getuser = posix.getpasswd + +-- Changes the user password of given user +function user.setpasswd(user, pwd1, pwd2) + local cmd = "(echo '"..pwd1.."';sleep 1;echo '"..pwd2.."')|" + cmd = cmd .. "passwd "..user.." 2>&1" + return ffluci.util.exec(cmd) end \ No newline at end of file diff --git a/src/ffluci/template.lua b/src/ffluci/template.lua index f7131488e..2bc015081 100644 --- a/src/ffluci/template.lua +++ b/src/ffluci/template.lua @@ -31,7 +31,7 @@ require("ffluci.fs") require("ffluci.i18n") require("ffluci.model.uci") -viewdir = ffluci.fs.dirname(ffluci.util.__file__()) .. "view/" +viewdir = ffluci.fs.dirname(ffluci.util.__file__()) .. "/view/" -- Compile modes: diff --git a/src/ffluci/util.lua b/src/ffluci/util.lua index 85092f065..c47a89895 100644 --- a/src/ffluci/util.lua +++ b/src/ffluci/util.lua @@ -150,6 +150,16 @@ function instanceof(object, class) end +-- Creates valid XML PCDATA from a string +function pcdata(value) + value = value:gsub("&", "&") + value = value:gsub('"', """) + value = value:gsub("'", "'") + value = value:gsub("<", "<") + return value:gsub(">", ">") +end + + -- Resets the scope of f doing a shallow copy of its scope into a new table function resfenv(f) setfenv(f, clone(getfenv(f))) -- 2.11.0
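Review bot: `user.setpasswd` in sys.lua splices `pwd1`, `pwd2` and `user` into a shell command with nothing but surrounding single quotes, so a value containing `'` ends the quoting and the remainder is interpreted by the shell with the privileges of the web process. Each value should be quoted as one shell word before it is concatenated, or passed to passwd without a shell at all; a quoting helper and the rewritten function follow. The function calls `ffluci.util.exec`, but this file's require list now holds only `posix`, so it relies on some other module having loaded ffluci.util first; add `require("ffluci.util")`. `process.setuser(pid, uid)` and `process.setgroup(pid, gid)` are declared with two parameters while the dispatcher in this commit calls them with one, so the parameter lists should be reconciled and documented.

```lua
-- Quotes a value so the shell reads it as one literal word
local function shellquote(value)
	return "'" .. value:gsub("'", "'\\''") .. "'"
end

-- Changes the user password of given user
function user.setpasswd(user, pwd1, pwd2)
	local cmd = "(echo " .. shellquote(pwd1) .. ";sleep 1;echo " .. shellquote(pwd2) .. ")|"
	cmd = cmd .. "passwd " .. shellquote(user) .. " 2>&1"
	return ffluci.util.exec(cmd)
end
```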
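Review bot: `pcdata` in util.lua ends by returning the last `value:gsub(...)` call directly, which passes gsub's match count along as a second value, so a call used as the last argument of another function or inside a table constructor carries an extra number; `return (value:gsub(">", "&gt;"))` truncates it to the string. As rendered on this page each replacement string equals the character it replaces and `gsub('"', """)` is not valid Lua, which looks like entity decoding by the page and not the committed code. Confirm the source really emits the five entity references, with `&` replaced first as it is here. A nil `value` raises an index error, so templates that render optional fields need a guard or the function should accept nil.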