| author | Paul Buetow <pbuetow@mimecast.com> | 2020-02-28 17:22:17 +0000 |
|---|---|---|
| committer | Paul Buetow <pbuetow@mimecast.com> | 2020-02-28 17:22:17 +0000 |
| commit | 1922e448e84e218cc39d4394e9b4becfa6f0a83d (patch) | |
| tree | 175ea9dd6a839fbe25be8f9f404a28aa324cd59c /internal | |
| parent | 71d2786aeaa793d9cf51c389d2e91cf472d25f7a (diff) | |
change whitelisting to blacklisting
Diffstat (limited to 'internal')
| -rw-r--r-- | internal/user/server/user.go | 37 |
1 files changed, 18 insertions, 19 deletions
diff --git a/internal/user/server/user.go b/internal/user/server/user.go index 2c1df64..00cc611 100644 --- a/internal/user/server/user.go +++ b/internal/user/server/user.go @@ -79,23 +79,6 @@ func (u *User) hasFilePermission(cleanPath, permissionType string) (bool, error) } logger.Info(u, cleanPath, permissionType, "User with OS file system permissions to path") - // If file system permission is given, also check permissions - // as configured in DTail config file. - if len(u.permissions) == 0 { - p, err := config.ServerUserPermissions(u.Name) - if err != nil { - return false, err - } - u.permissions = p - } - - var hasPermission bool - var err error - - if hasPermission, err = u.iteratePaths(cleanPath, permissionType); err != nil { - return false, err - } - // Only allow to follow regular files or symlinks. info, err := os.Lstat(cleanPath) if err != nil { @@ -106,10 +89,24 @@ func (u *User) hasFilePermission(cleanPath, permissionType string) (bool, error) return false, fmt.Errorf("Can only open regular files or follow symlinks") } + permissions, err := config.ServerUserPermissions(u.Name) + if err != nil { + return false, err + } + u.permissions = permissions + + hasPermission, err := u.iteratePaths(cleanPath, permissionType) + if err != nil { + return false, err + } + return hasPermission, nil } func (u *User) iteratePaths(cleanPath, permissionType string) (bool, error) { + // By default assume no permissions + hasPermission := false + for _, permission := range u.permissions { typeStr := "readfiles" // Assume ReadFiles by default. 
@@ -138,13 +135,15 @@ func (u *User) iteratePaths(cleanPath, permissionType string) (bool, error) {
 }
 if negate && re.MatchString(cleanPath) {
- return false, fmt.Errorf("Permission test failed, matching negative pattern '%s'", permission)
+ logger.Info(u, cleanPath, "Permission test failed partially, matching negative pattern '%s'", permission)
+ hasPermission = false
 }
 if !negate && re.MatchString(cleanPath) {
 logger.Info(u, cleanPath, "Permission test passed partially, matching positive pattern", permission)
+ hasPermission = true
 }
 }
- return true, nil
+ return hasPermission, nil
 } |
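Review bot: The negative-pattern branch no longer ends the check, so a deny match is overwritten by any later positive pattern that also matches: hasPermission ends up set by whichever entry of u.permissions matched last, and a blacklisted path becomes readable as soon as an allow pattern follows the deny in the configured order. If the deny is meant to win regardless of rule order, the branch should short-circuit, `return false, nil` in place of `hasPermission = false`, or record the deny in a separate flag that is checked after the loop. The new log call also keeps a `'%s'` verb in its message while passing `permission` as a separate argument, unlike the positive-pattern call a few lines below; if logger.Info does not format its message, the verb is printed literally and the message should take the same form as the other call. iteratePaths begins in the previous hunk, outside this one.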
