Strengthen meta.mount security by passing the password via environmen…

…t variable instead of the command line. Still an optional parameter as upgrading will require changing sudo file as well.

(cherry picked from commit 5449444)

core/src/plugins/meta.mount/class.FilesystemMounter.php

@@ -123,12 +123,25 @@ public function mountFS()
         $MOUNT_OPTIONS = $this->getOption("MOUNT_OPTIONS", $user, $password);
 
         $cmd = ($MOUNT_SUDO? "sudo ": ""). "mount -t " .$MOUNT_TYPE. (empty( $MOUNT_OPTIONS )? " " : " -o " .$MOUNT_OPTIONS. " " ) .$UNC_PATH. " " .$MOUNT_POINT;
-        shell_exec($cmd);
-        // Check it is correctly mounted now!
-        $cmd = ($MOUNT_SUDO?"sudo":"")." mount | grep ".escapeshellarg($MOUNT_POINT);
-        $output = shell_exec($cmd);
-        if ($output == null || trim($output) == "") {
-            throw new Exception("Error while mounting file system - Test was ".$cmd);
+        $res = null;
+        if($this->getOption("MOUNT_ENV_PASSWD") === true){
+            putenv("PASSWD=$password");
+        }
+        system($cmd, $res);
+        if($this->getOption("MOUNT_ENV_PASSWD") === true){
+            putenv("PASSWD=");
+        }
+        if($res === null){
+            // Check it is correctly mounted now!
+            // Could not get the output return code
+            $cmd1 = ($MOUNT_SUDO?"sudo":"")." mount | grep ".escapeshellarg($MOUNT_POINT);
+            $output = shell_exec($cmd1);
+            $success = !empty($output);
+        }else{
+            $success = ($res == 0);
+        }
+        if (!$success) {
+            throw new Exception("Error while mounting file system!");
         } else {
             if (!is_file($MOUNT_POINT."/.ajxp_mount")) {
                 @file_put_contents($MOUNT_POINT."/.ajxp_mount", "");

core/src/plugins/meta.mount/manifest.xml

@@ -8,6 +8,7 @@
    		<param name="UNC_PATH" type="string" label="CONF_MESSAGE[Remote Path]" description="CONF_MESSAGE[Path to the remote share to mount, use //123.456.789.654/path you can use AJXP_USER]" mandatory="true" default=""/>
    		<param name="MOUNT_POINT" type="string" label="CONF_MESSAGE[Mount Point]" description="CONF_MESSAGE[Mount Path, use AJXP_USER]" mandatory="true" default=""/>
    		<param name="MOUNT_OPTIONS" type="string" label="CONF_MESSAGE[Mount Options]" description="CONF_MESSAGE[Used with the -o command option, use AJXP_USER, AJXP_PASS, AJXP_SERVER_UID, AJXP_SERVER_GID]" mandatory="false" default="user=AJXP_USER,pass=AJXP_PASS,uid=AJXP_SERVER_UID,gid=AJXP_SERVER_GID"/>
+   		<param name="MOUNT_ENV_PASSWD" type="boolean" label="CONF_MESSAGE[Pass Password via environment instead of command line]" description="CONF_MESSAGE[Instead of setting password through the AJXP_PASS variable in mount options, pass it through the environment variables. Sudo file must be changed accordingly.]" mandatory="false" default="false"/>
     </server_settings>
    	<client_settings>
    		<resources>

core/src/plugins/meta.mount/plugin_doc.html

@@ -1 +1,9 @@
-<p><b>Linux Only</b> : Generic purpose meta plugin that is triggered before the repository is opened, and can be configured to mount any filesystem and unmount it when the user either switch to another repository or logs out.</p>
+<p><b>Linux Only</b> : Generic purpose meta plugin that is triggered before the repository is opened, and can be configured to mount any filesystem and unmount it when the user either switch to another repository or logs out.</p>
+        <p>
+            If you have permissions issues, you can use the "sudo" parameter to sudo all system operations.
+            In that case, make sure to set the sudoers permission accordingly: apache user (www-data or httpd generaly) must be allowed to
+            perform a mount operation using sudo.
+        </p>
+        <p>
+            To strengthen the security, use the parameter to pass password via the system environment and not via the command line itself. Sudo file must also be adapted to be allowed for that ( something like defaults@pydio-*-app* env_keep += "PASSWD").
+        </p>