| author | Paul Buetow <paul@buetow.org> | 2021-11-06 12:33:19 +0200 |
|---|---|---|
| committer | Paul Buetow <paul@buetow.org> | 2021-11-06 12:33:19 +0200 |
| commit | c8c42aa26861e28e6f22458fffd8db6d9b712d70 (patch) | |
| tree | b70a61237969e212c40e18f9b46f8332c11e0c2c | |
| parent | 3d02a4a917dbdd85c40dbdb0fcac65c82fb7fe5b (diff) | |
Remove insecure and dangerous relaxed auth mode
| -rw-r--r-- | cmd/dserver/main.go | 6 | ||||
| -rw-r--r-- | doc/testing.md | 2 | ||||
| -rw-r--r-- | docker/.gitignore | 3 | ||||
| -rw-r--r-- | docker/Dockerfile | 13 | ||||
| -rw-r--r-- | docker/Makefile | 17 | ||||
| -rw-r--r-- | internal/config/server.go | 3 | ||||
| -rw-r--r-- | internal/server/server.go | 5 | ||||
| -rw-r--r-- | internal/ssh/server/publickeycallback.go | 5 | ||||
| -rw-r--r-- | internal/user/server/user.go | 4 |
9 files changed, 23 insertions, 35 deletions
diff --git a/cmd/dserver/main.go b/cmd/dserver/main.go
index 1a4af75..fff41f0 100644
--- a/cmd/dserver/main.go
+++ b/cmd/dserver/main.go
@@ -31,8 +31,6 @@ func main() {
 user.NoRootCheck()
 flag.BoolVar(&color, "color", false, "Enable ANSII terminal colors")
- flag.BoolVar(&config.ServerRelaxedAuthEnable, "RELAXED_AUTH_I_AM_REALLY_SURE", false,
- "Enable relaxced SSH auth mode (don't use in production!)")
 flag.BoolVar(&displayVersion, "version", false, "Display version")
 flag.IntVar(&args.SSHPort, "port", config.DefaultSSHPort, "SSH server port")
 flag.IntVar(&shutdownAfter, "shutdownAfter", 0, "Shutdown after so many seconds")
@@ -72,10 +70,6 @@ func main() {
 wg.Add(1)
 dlog.Start(ctx, &wg, source.Server)
- if config.ServerRelaxedAuthEnable {
- dlog.Server.Fatal("SSH relaxed-auth mode enabled")
- }
-
 if pprof != "" {
 dlog.Server.Info("Starting PProf", pprof)
 go http.ListenAndServe(pprof, nil)
diff --git a/doc/testing.md b/doc/testing.md
index 4ad935f..92455c9 100644
--- a/doc/testing.md
+++ b/doc/testing.md
@@ -49,7 +49,7 @@ To run the integration test together with all the unit tests simply run `make te
 ### Requirements
-This assumes, that you have Docker up and running on your system. The following has been tested only on Fedora Linux. You might need to do some extra setup if you want to run this on Docker for Mac/Windows.
+This assumes, that you have Docker up and running on your system. The following has been tested only on Fedora Linux 35. For other versions of Fedora (or Linux) you might need to change the Docker base image used (see Dockerfile) as otherwise you might run into issues with the `GLIBC` major version used.
 This also assumes, that you have compiled all the DTail binaries already (with `make` in the top level source directory).
diff --git a/docker/.gitignore b/docker/.gitignore
index e69de29..fb43ecf 100644
--- a/docker/.gitignore
+++ b/docker/.gitignore
@@ -0,0 +1,3 @@
+id_rsa_docker*
+dmap2-A.csv.query
+dmap2-B.csv.query
diff --git a/docker/Dockerfile b/docker/Dockerfile
index 3cc5f6a..1ca59be 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -2,13 +2,20 @@
 # The container can be used for developing and testing
 # Purposes
-FROM fedora:34
-RUN mkdir -p /etc/dserver /var/run/dserver/ /var/log/dserver
+FROM fedora:35
+RUN mkdir -p /etc/dserver /var/run/dserver/cache /var/log/dserver
 ADD ./dtail.json /etc/dserver/dtail.json
+# TODO: Compile dserver in a container as well, as otherwise might have glibc
+# errors.
 ADD ./dserver /usr/local/bin/dserver
 ADD ./mapr_testdata.log /var/log/mapr_testdata.log
+# Normal Linux user (simulates someone who want's to use DTail)
+RUN useradd fred
+ADD ./id_rsa_docker.pub /var/run/dserver/cache/fred.authorized_keys
+
+# DTail server user
 RUN useradd dserver
 RUN chown -R dserver /var/run/dserver /var/log/dserver
 USER dserver
@@ -16,4 +23,4 @@ USER dserver
 WORKDIR /var/run/dserver
 EXPOSE 2222/tcp
-CMD ["/usr/local/bin/dserver", "-RELAXED_AUTH_I_AM_REALLY_SURE", "-cfg", "/etc/dserver/dtail.json"]
+CMD ["/usr/local/bin/dserver", "-cfg", "/etc/dserver/dtail.json"]
diff --git a/docker/Makefile b/docker/Makefile
index aace8d3..a2ee81a 100644
--- a/docker/Makefile
+++ b/docker/Makefile
@@ -2,6 +2,7 @@ all: build
 testrun: build spinup dcat spindown
 serverfarm: spindown build spinup
 build:
+ sh -c 'yes | ssh-keygen -t rsa -f id_rsa_docker'
 cp ../integrationtests/mapr_testdata.log .
 cp ../dserver .
 docker build . -t dserver:develop
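Review bot: The new `ADD ./id_rsa_docker.pub /var/run/dserver/cache/fred.authorized_keys` is followed by the pre-existing `RUN chown -R dserver /var/run/dserver /var/log/dserver`, so the authorized-keys file that gates fred's logins ends up owned and writable by the `dserver` service account whose authentication decisions it governs; if the server only reads this file, chown only the directories it must write to and leave the key file root-owned with mode 644 (for example `COPY --chown=root:root ./id_rsa_docker.pub /var/run/dserver/cache/fred.authorized_keys` placed after the chown), so a compromised server process cannot grant itself new identities. The matching private key `id_rsa_docker` is generated by the Makefile into this same directory, which `docker build .` ships to the daemon as build context; it is not copied into a layer here, but a `.dockerignore` naming `id_rsa_docker` (the private half only) would keep it out of the context entirely. For plain local files prefer `COPY` over `ADD`, which additionally unpacks archives and fetches URLs. The new comment has a typo: `want's` should read `wants`.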
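Review bot: `sh -c 'yes | ssh-keygen -t rsa -f id_rsa_docker'` in the `build` recipe pipes `yes` into ssh-keygen to get past the overwrite prompt but never sets a passphrase, so depending on whether ssh-keygen reads the passphrase from the controlling tty or from stdin the build either stalls waiting for input or silently produces a key whose passphrase is the literal `y`. Make the recipe explicitly non-interactive with `rm -f id_rsa_docker id_rsa_docker.pub` followed by `ssh-keygen -q -t ed25519 -N '' -f id_rsa_docker`; an unencrypted throwaway key is acceptable here because it only authenticates to the local test container and `docker/.gitignore` already excludes it. Since the key is regenerated on every `make build`, a container started from an older image will reject clients using the new key until it is rebuilt; a one-line comment above the recipe stating that coupling would save the next person a confusing auth failure.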
@@ -14,20 +15,20 @@ spindown:
 spinup1:
 docker run -p 2222:2222 dserver:develop
 dtail:
- ../dtail --servers serverlist.txt --files '/var/log/dserver/*' --trustAllHosts --logLevel DEBUG
+ ../dtail --user fred --key id_rsa_docker --servers serverlist.txt --files '/var/log/dserver/*' --trustAllHosts --logLevel DEBUG
 dtail2:
- ../dtail --servers serverlist.txt --files '/var/log/dserver/*' --trustAllHosts --logLevel DEBUG --query 'from stats select max($$goroutines),count($$hostname),$$hostname,last($$time) group by $$hostname order by max($$goroutines)'
+ ../dtail --user fred --key id_rsa_docker --servers serverlist.txt --files '/var/log/dserver/*' --trustAllHosts --logLevel DEBUG --query 'from stats select max($$goroutines),count($$hostname),$$hostname,last($$time) group by $$hostname order by max($$goroutines)'
 dgrep:
- ../dgrep --servers serverlist.txt --files '/var/log/dserver/*' --regex MAPREDUCE --trustAllHosts
+ ../dgrep --user fred --key id_rsa_docker --servers serverlist.txt --files '/var/log/dserver/*' --regex MAPREDUCE --trustAllHosts
 dcat:
- ../dcat --servers serverlist.txt --files '/etc/passwd' --trustAllHosts
+ ../dcat --user fred --key id_rsa_docker --servers serverlist.txt --files '/etc/passwd' --trustAllHosts
 dcat_notrust:
- ../dcat --servers serverlist.txt --files '/etc/passwd'
+ ../dcat --user fred --key id_rsa_docker --servers serverlist.txt --files '/etc/passwd'
 dmap:
- ../dmap --servers serverlist.txt --files '/var/log/dserver/*' --trustAllHosts --query 'from stats select avg($$goroutines),max($$goroutines),min($$goroutines),last($$goroutines),count($$hostname),$$hostname group by $$hostname order by avg($$goroutines)'
+ ../dmap --user fred --key id_rsa_docker --servers serverlist.txt --files '/var/log/dserver/*' --trustAllHosts --query 'from stats select avg($$goroutines),max($$goroutines),min($$goroutines),last($$goroutines),count($$hostname),$$hostname group by $$hostname order by avg($$goroutines)'
 test: dmap_test dmap2_test
 dmap_test:
- ../dmap --servers serverlist.txt --files '/var/log/mapr_testdata.log' --trustAllHosts --query 'from stats select count($$time),last($$time) group by $$time order by count($$time) outfile dmap2-A.csv'
- ../dmap --servers serverlist.txt --files '/var/log/mapr_testdata.log' --trustAllHosts --query 'from stats select count($$time),last($$time) group by $$time order by count($$time) outfile dmap2-B.csv'
+ ../dmap --user fred --key id_rsa_docker --servers serverlist.txt --files '/var/log/mapr_testdata.log' --trustAllHosts --query 'from stats select count($$time),last($$time) group by $$time order by count($$time) outfile dmap2-A.csv'
+ ../dmap --user fred --key id_rsa_docker --servers serverlist.txt --files '/var/log/mapr_testdata.log' --trustAllHosts --query 'from stats select count($$time),last($$time) group by $$time order by count($$time) outfile dmap2-B.csv'
 @echo Expecting zero diff!
 diff -u <(sort dmap2-A.csv) <(sort dmap2-B.csv)
diff --git a/internal/config/server.go b/internal/config/server.go
index 8285bdf..e901a7a 100644
--- a/internal/config/server.go
+++ b/internal/config/server.go
@@ -63,9 +63,6 @@ type ServerConfig struct {
 Continuous []Continuous `json:",omitempty"`
 }
-// ServerRelaxedAuthEnable should be used for development and testing purposes only.
-var ServerRelaxedAuthEnable bool
-
 // Create a new default server configuration.
 func newDefaultServerConfig() *ServerConfig {
 defaultPermissions := []string{"^/.*"}
diff --git a/internal/server/server.go b/internal/server/server.go
index fffa560..c7d7aaa 100644
--- a/internal/server/server.go
+++ b/internal/server/server.go
@@ -216,11 +216,6 @@ func (s *Server) Callback(c gossh.ConnMetadata,
 return nil, err
 }
- if config.ServerRelaxedAuthEnable {
- dlog.Server.Fatal(user, "Granting permissions via relaxed-auth")
- return nil, nil
- }
-
 authInfo := string(authPayload)
 splitted := strings.Split(c.RemoteAddr().String(), ":")
 remoteIP := splitted[0]
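Review bot: Every recipe in this hunk now repeats `--user fred --key id_rsa_docker`, so the test identity is hard-coded in nine places and has to stay in step with `useradd fred` and the key path in the Dockerfile and the `build` recipe. Hoisting it into one variable near the top of the Makefile, `DTAIL_AUTH := --user fred --key id_rsa_docker`, and writing the recipes as `../dtail $(DTAIL_AUTH) --servers serverlist.txt ...` gives a single place to change the user or key. The `dcat_notrust` target still omits `--trustAllHosts`, presumably on purpose to exercise host-key verification; a comment saying so would stop someone "fixing" it to match the other targets.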
diff --git a/internal/ssh/server/publickeycallback.go b/internal/ssh/server/publickeycallback.go
index c661419..f7655b4 100644
--- a/internal/ssh/server/publickeycallback.go
+++ b/internal/ssh/server/publickeycallback.go
@@ -22,12 +22,7 @@ func PublicKeyCallback(c gossh.ConnMetadata,
 if err != nil {
 return nil, err
 }
- dlog.Server.Info(user, "Incoming authorization")
- if config.ServerRelaxedAuthEnable {
- dlog.Server.Fatal(user, "Granting permissions via relaxed-auth")
- return nil, nil
- }
 authorizedKeysFile, err := authorizedKeysFile(user)
 if err != nil {
diff --git a/internal/user/server/user.go b/internal/user/server/user.go
index aa7f8b1..004bda4 100644
--- a/internal/user/server/user.go
+++ b/internal/user/server/user.go
@@ -45,10 +45,6 @@ func (u *User) String() string {
 // HasFilePermission is used to determine whether user is alowed to read a file.
 func (u *User) HasFilePermission(filePath, permissionType string) (hasPermission bool) {
 dlog.Server.Debug(u, filePath, permissionType, "Checking config permissions")
- if config.ServerRelaxedAuthEnable {
- dlog.Server.Fatal(u, filePath, permissionType, "Server releaxed auth enabled")
- return true
- }
 if u.Name == config.ScheduleUser || u.Name == config.ContinuousUser {
 // Background user has same permissions as dtail process itself.
 return true |
