From ebff6cea9d9c98da6a1d13a90c0cfcc1aaafe4e4eaf9fe3476c3e35bc6ba7e1c Mon Sep 17 00:00:00 2001
From: Robert Frohl
Date: Tue, 26 Sep 2023 13:37:00 +0000
Subject: [PATCH] Accepting request 1113657 from home:lnussel

new package

OBS-URL: https://build.opensuse.org/request/show/1113657
OBS-URL: https://build.opensuse.org/package/show/security/fudo?expand=0&rev=1
---
 .gitattributes | 23 +++++++++
 .gitignore | 1 +
 30-fudo-machinectl-shell.rules | 20 ++++++++
 50-machinectl-shell-run-env.rules | 34 +++++++++++++
 fudo.changes | 4 ++
 fudo.sh | 8 +++
 fudo.spec | 82 +++++++++++++++++++++++++++++++
 7 files changed, 172 insertions(+)
 create mode 100644 .gitattributes
 create mode 100644 .gitignore
 create mode 100644 30-fudo-machinectl-shell.rules
 create mode 100644 50-machinectl-shell-run-env.rules
 create mode 100644 fudo.changes
 create mode 100644 fudo.sh
 create mode 100644 fudo.spec

diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9b03811
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..57affb6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.osc
diff --git a/30-fudo-machinectl-shell.rules b/30-fudo-machinectl-shell.rules
new file mode 100644
index 0000000..290a208
--- /dev/null
+++ b/30-fudo-machinectl-shell.rules
@@ -0,0 +1,20 @@
+/* -*- mode: js; js-indent-level: 4; indent-tabs-mode: nil -*- */
+
+// create e.g 40-fudo-noauth-xxx and in there set
+// polkit._fudo_noauth_group = "xxx";
+polkit._fudo_noauth_group = null;
+polkit._fudo_selfauth_group = null;
+
+polkit.addRule(function(action, subject) {
+    if (action.id != 'org.freedesktop.machine1.host-shell')
+        return polkit.Result.NOT_HANDLED;
+
+    if (polkit._fudo_noauth_group && subject.isInGroup(polkit._fudo_noauth_group))
+        return polkit.Result.YES;
+
+    if (polkit._fudo_selfauth_group && subject.isInGroup(polkit._fudo_selfauth_group))
+        return polkit.Result.AUTH_SELF;
+
+    return polkit.Result.NOT_HANDLED;
+});
+// vim: syntax=javascript sw=4 et
diff --git a/50-machinectl-shell-run-env.rules b/50-machinectl-shell-run-env.rules
new file mode 100644
index 0000000..016b8e8
--- /dev/null
+++ b/50-machinectl-shell-run-env.rules
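Review bot: The `YES` branch in 30-fudo-machinectl-shell.rules keys only on `action.id` and group membership, so it authorizes the whole `org.freedesktop.machine1.host-shell` action — any `machinectl shell` invocation by a member, whatever target user or command it names — not just calls that go through `fudo()`; a comment above `polkit.addRule`, e.g. `// NOTE: grants the entire host-shell action (any target user, any command), not only fudo() calls`, would keep the subpackage descriptions honest. Unlike the usual polkit admin rules there is no `subject.active`/`subject.local` condition either, which is presumably deliberate so the policy also covers ssh sessions like sudo does; saying so in the same comment avoids a later "hardening" that silently breaks remote use. The `_fudo_*_group` properties are read inside the callback at evaluation time, so a file setting them only has an effect if polkit sorts it after `30-`; the header comment's `40-` example relies on that ordering without saying it is required.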
@@ -0,0 +1,34 @@
+/* -*- mode: js; js-indent-level: 4; indent-tabs-mode: nil -*- */
+
+/*
+ * Sample config that allows to run /usr/bin/env without arguments as root.
+ * Install e.g. as /etc/polkit-1/rules.d/50-machinectl-shell-run-env.rules
+ */
+
+polkit.addRule(function(action, subject) {
+    if (action.id != 'org.freedesktop.machine1.host-shell')
+        return polkit.Result.NOT_HANDLED;
+
+    // check whether a user is in a specific group
+    if (!subject.isInGroup("users"))
+        return polkit.Result.NOT_HANDLED;
+
+    // or alternatively match a specific user
+    user = subject.user;
+    if (user != 'geeko')
+        return polkit.Result.NOT_HANDLED;
+
+    // just the path to the program that is run. Matching that might be
+    // dangerous as it allows arbitrary arguments then
+    // program = action.lookup('program');
+
+    // using the full command line is better
+    command_line = action.lookup('command_line');
+
+    polkit.log("running \"" + command_line + "\" as " + user);
+    if (command_line == '/usr/bin/env')
+        return polkit.Result.YES;
+
+    return polkit.Result.NOT_HANDLED;
+});
+// vim: syntax=javascript sw=4 et
diff --git a/fudo.changes b/fudo.changes
new file mode 100644
index 0000000..7039e94
--- /dev/null
+++ b/fudo.changes
@@ -0,0 +1,4 @@
+-------------------------------------------------------------------
+Tue Sep 26 07:57:43 UTC 2023 - Ludwig Nussel
+
+- initial package
diff --git a/fudo.sh b/fudo.sh
new file mode 100644
index 0000000..3fd5407
--- /dev/null
+++ b/fudo.sh
@@ -0,0 +1,8 @@
+fudo() {
+    [ "$#" -gt 0 -a "${1:0:1}" != '-' ] || { echo "Usage: ${FUNCNAME[0]} COMMAND [ARGS...]"; return 1; }
+    set -- "$(type -P "$1")" "${@:2}"
+    [ -n "$1" ] || { echo "invalid command" >&2; return 1; }
+    machinectl shell -q .host "$@"
+}
+# take over sudo if the real one is not installed
+type -P sudo >/dev/null || alias sudo=fudo
diff --git a/fudo.spec b/fudo.spec
new file mode 100644
index 0000000..a1d40b8
--- /dev/null
+++ b/fudo.spec
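Review bot: `user = subject.user;` and `command_line = action.lookup('command_line');` assign undeclared names, so they become globals in the one JS context polkit evaluates every rules file in — the same context this package already relies on for `polkit._fudo_*_group`; declare them locally with `var user = subject.user;` and `var command_line = action.lookup('command_line');`. The comment `// or alternatively match a specific user` does not describe the code: the `users` group check and the `geeko` user check are both applied, so the sample only answers for geeko while in users; either reword it to `// and additionally match a specific user` or drop one of the two checks. Matching `command_line == '/usr/bin/env'` exactly is the right shape, since `fudo()` always passes the absolute path from `type -P`, but the header comment could say that this sample grants `YES` with no authentication at all, so it is a template for a noauth rule rather than a selfauth one.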
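Review bot: The Usage error on the second line of `fudo()` is printed to stdout while the "invalid command" error two lines later goes to stderr; make them consistent with `echo "Usage: ${FUNCNAME[0]} COMMAND [ARGS...]" >&2`. The command is resolved with `type -P "$1"` in the caller's own PATH and the result is handed to `machinectl shell -q .host`, so a user-writable PATH entry decides which binary runs as root — the same situation as sudo without a secure_path — and only a policy rule that matches `command_line` against an absolute path (as the shipped 50-* sample does) narrows it; a one-line comment above `set --` stating this would help whoever writes policy files. Because `"${1:0:1}" != '-'` rejects any first argument starting with a dash, `alias sudo=fudo` turns `sudo -i`, `sudo -u` and similar into the generic Usage error, which is worth mentioning in the comment above the alias.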
@@ -0,0 +1,82 @@
+#
+# spec file for package fudo
+#
+# Copyright (c) 2023 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+Name: fudo
+Version: 0
+Release: 0
+Summary: Fake sudo
+License: MIT
+Source: 30-fudo-machinectl-shell.rules
+Source1: fudo.sh
+Source2: 50-machinectl-shell-run-env.rules
+BuildRequires: polkit
+Requires: polkit
+Requires: systemd-container
+
+%description
+Fake sudo leveraging machinctl shell and polkit to be able to
+execute commands as root
+
+- just a few lines of shell and js
+- no setuid program
+- no hard to understand config file
+
+%package policy-noauth-wheel
+Summary: fudo policy no authentication for wheel group
+Requires: group(wheel)
+Conflicts: fudo-policy
+Provides: fudo-policy
+
+%description policy-noauth-wheel
+Members of the wheel group do not need to authenticate when using
+fudo
+
+%package policy-selfauth-wheel
+Summary: fudo policy wheel group members use own password
+Requires: group(wheel)
+Conflicts: fudo-policy
+Provides: fudo-policy
+
+%description policy-selfauth-wheel
+Members of the wheel group use their own password to authenticate
+as root
+
+%prep
+%setup -q -c -T
+
+%build
+
+%install
+install -D -m 644 %{SOURCE0} %{buildroot}%{_datadir}/polkit-1/rules.d/30-fudo-machinectl-shell.rules
+install -D -m 644 %{SOURCE1} %{buildroot}%{_prefix}%{_sysconfdir}/profile.d/fudo.sh
+install -D -m 644 %{SOURCE2} %{buildroot}%{_docdir}/50-machinectl-shell-run-env.rules
+echo 'polkit._fudo_noauth_group = "wheel";' > %{buildroot}%{_datadir}/polkit-1/rules.d/31-fudo-machinectl-shell-noauth-wheel.rules
+echo 'polkit._fudo_selfauth_group = "wheel";' > %{buildroot}%{_datadir}/polkit-1/rules.d/31-fudo-machinectl-shell-selfauth-wheel.rules
+
+%files
+%{_docdir}/50-machinectl-shell-run-env.rules
+%{_datadir}/polkit-1/rules.d/30-fudo-machinectl-shell.rules
+%{_prefix}%{_sysconfdir}/profile.d/fudo.sh
+
+%files policy-noauth-wheel
+%{_datadir}/polkit-1/rules.d/31-fudo-machinectl-shell-noauth-wheel.rules
+
+%files policy-selfauth-wheel
+%{_datadir}/polkit-1/rules.d/31-fudo-machinectl-shell-selfauth-wheel.rules
+
+%changelog
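Review bot: Neither `%package policy-noauth-wheel` nor `%package policy-selfauth-wheel` requires the base package, so a policy subpackage can be installed on its own and its generated 31-* file then sets `polkit._fudo_noauth_group` / `polkit._fudo_selfauth_group` with no 30-* rule present to read it, and the same file becomes live the moment fudo is installed later; add `Requires: %{name} = %{version}-%{release}` to both `%package` sections. The 31-* files are created by `echo` in `%install` rather than shipped as sources, which is fine, but a short comment there saying they only work because polkit sorts them after `30-fudo-machinectl-shell.rules` would save the next packager from renaming them. The main `%description` spells the tool `machinctl`; it should read `machinectl`.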