valitydev/salt
14
0
Fork 0
mirror of https://github.com/valitydev/salt.git synced 2024-11-09 01:36:48 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Add cmd white and blacklists

Browse Source
This commit is contained in:
Thomas S Hatch 2016-06-09 14:33:34 -06:00
parent 62edce685f
commit 509c0c1195
1 changed files with 42 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

64
salt/modules/cmdmod.py
View File

@ -18,14 +18,15 @@ import subprocess
import sys import sys
import time import time
import traceback import traceback
import fnmatch
import base64 import base64
from salt.utils import vt
# Import salt libs # Import salt libs
import salt.utils import salt.utils
import salt.utils.timed_subprocess import salt.utils.timed_subprocess
import salt.grains.extra import salt.grains.extra
import salt.ext.six as six import salt.ext.six as six
from salt.utils import vt
from salt.exceptions import CommandExecutionError, TimedProcTimeoutError from salt.exceptions import CommandExecutionError, TimedProcTimeoutError
from salt.log import LOG_LEVELS from salt.log import LOG_LEVELS
from salt.ext.six.moves import range from salt.ext.six.moves import range
@ -215,6 +216,31 @@ def _gather_pillar(pillarenv, pillar_override):
return ret return ret
def _check_avail(cmd):
'''
Check to see if the given command can be run
'''
bret = True
wret = False
if __salt__['config.get']('cmd_blacklist_glob', []):
blist = __salt__['config.get']('cmd_blacklist_glob', [])
for comp in blist:
if fnmatch.fnmatch(cmd, comp):
# BAD! you are blacklisted
bret = False
if __salt__['config.get']('cmd_whitelist_glob', []):
blist = __salt__['config.get']('cmd_whitelist_glob', [])
for comp in blist:
if fnmatch.fnmatch(cmd, comp):
# GOOD! You are whitelisted
wret = True
break
else:
# If no whitelist set then alls good!
wret = True
return bret and wret
def _run(cmd, def _run(cmd,
cwd=None, cwd=None,
stdin=None, stdin=None,
@ -300,6 +326,13 @@ def _run(cmd,
ret = {} ret = {}
# If the pub jid is here then this is a remote ex or salt call command and needs to be
# checked if blacklisted
if '__pub_jid' in kwargs:
if not _check_avail(cmd):
msg = 'This shell command is not permitted: "{0}"'.format(cmd)
raise CommandExecutionError(msg)
env = _parse_env(env) env = _parse_env(env)
for bad_env_key in (x for x, y in six.iteritems(env) if y is None): for bad_env_key in (x for x, y in six.iteritems(env) if y is None):
@ -853,12 +886,10 @@ def run(cmd,
reset_system_locale=reset_system_locale, reset_system_locale=reset_system_locale,
ignore_retcode=ignore_retcode, ignore_retcode=ignore_retcode,
saltenv=saltenv, saltenv=saltenv,
pillarenv=kwargs.get('pillarenv'),
pillar_override=kwargs.get('pillar'),
use_vt=use_vt, use_vt=use_vt,
password=kwargs.get('password', None),
bg=bg, bg=bg,
encoded_cmd=encoded_cmd) encoded_cmd=encoded_cmd,
**kwargs)
log_callback = _check_cb(log_callback) log_callback = _check_cb(log_callback)
@ -1239,8 +1270,6 @@ def run_stdout(cmd,
reset_system_locale=reset_system_locale, reset_system_locale=reset_system_locale,
ignore_retcode=ignore_retcode, ignore_retcode=ignore_retcode,
saltenv=saltenv, saltenv=saltenv,
pillarenv=kwargs.get('pillarenv'),
pillar_override=kwargs.get('pillar'),
use_vt=use_vt, use_vt=use_vt,
**kwargs) **kwargs)
@ -1422,9 +1451,7 @@ def run_stderr(cmd,
ignore_retcode=ignore_retcode, ignore_retcode=ignore_retcode,
use_vt=use_vt, use_vt=use_vt,
saltenv=saltenv, saltenv=saltenv,
pillarenv=kwargs.get('pillarenv'), **kwargs)
pillar_override=kwargs.get('pillar'),
password=kwargs.get('password', None))
log_callback = _check_cb(log_callback) log_callback = _check_cb(log_callback)
@ -1614,10 +1641,8 @@ def run_all(cmd,
reset_system_locale=reset_system_locale, reset_system_locale=reset_system_locale,
ignore_retcode=ignore_retcode, ignore_retcode=ignore_retcode,
saltenv=saltenv, saltenv=saltenv,
pillarenv=kwargs.get('pillarenv'),
pillar_override=kwargs.get('pillar'),
use_vt=use_vt, use_vt=use_vt,
password=kwargs.get('password', None)) **kwargs)
log_callback = _check_cb(log_callback) log_callback = _check_cb(log_callback)
@ -1797,10 +1822,8 @@ def retcode(cmd,
reset_system_locale=reset_system_locale, reset_system_locale=reset_system_locale,
ignore_retcode=ignore_retcode, ignore_retcode=ignore_retcode,
saltenv=saltenv, saltenv=saltenv,
pillarenv=kwargs.get('pillarenv'),
pillar_override=kwargs.get('pillar'),
use_vt=use_vt, use_vt=use_vt,
password=kwargs.get('password', None)) **kwargs)
log_callback = _check_cb(log_callback) log_callback = _check_cb(log_callback)
@ -2064,11 +2087,9 @@ def script(source,
timeout=timeout, timeout=timeout,
reset_system_locale=reset_system_locale, reset_system_locale=reset_system_locale,
saltenv=saltenv, saltenv=saltenv,
pillarenv=kwargs.get('pillarenv'),
pillar_override=kwargs.get('pillar'),
use_vt=use_vt, use_vt=use_vt,
password=kwargs.get('password', None), bg=bg,
bg=bg) **kwargs)
_cleanup_tempfile(path) _cleanup_tempfile(path)
return ret return ret
@ -2939,8 +2960,7 @@ def run_bg(cmd,
reset_system_locale=reset_system_locale, reset_system_locale=reset_system_locale,
# ignore_retcode=ignore_retcode, # ignore_retcode=ignore_retcode,
saltenv=saltenv, saltenv=saltenv,
pillarenv=kwargs.get('pillarenv'), **kwargs
pillar_override=kwargs.get('pillar'),
# password=kwargs.get('password', None), # password=kwargs.get('password', None),
) )