fix: 限制 nobody 的执行权限

fix: 限制命令执行权限 fix: 修复部分执行权限
jumpserver · Sep 25, 2023 · 857f8b9 · 857f8b9
1 parent 4a59ecd
commit 857f8b9
Show file tree

Hide file tree

Showing 6 changed files with 58 additions and 4 deletions.
diff --git a/entrypoint.sh b/entrypoint.sh
@@ -6,6 +6,14 @@ do
     echo "wait for jms_core $CORE_HOST ready"
     sleep 2
 done
+# 限制所有可执行目录的权限
+chmod -R  700 /usr/local/sbin/* && chmod -R 700 /usr/local/bin/*
+chmod -R  700 /usr/sbin/* && chmod -R 700 /sbin/* && chmod -R 700 /bin/*
+
+
+# 放开部分需要的可执行权限
+chmod 755 `which mysql` `which psql` `which mongosh` `which tsql` `which redis` `which clickhouse-client`
+chmod 755 `which kubectl` `which rawkubectl` `which helm` `which rawhelm`
 
 cd /opt/koko
 ./koko
diff --git a/pkg/srvconn/conn_mongodb.go b/pkg/srvconn/conn_mongodb.go
@@ -8,6 +8,7 @@ import (
 	"strconv"
 	"time"
 
+	"github.com/jumpserver/koko/pkg/logger"
 	"go.mongodb.org/mongo-driver/mongo"
 	"go.mongodb.org/mongo-driver/mongo/options"
 
@@ -92,7 +93,12 @@ func (conn *MongoDBConn) Close() error {
 
 func startMongoDBCommand(opt *sqlOption) (lcmd *localcommand.LocalCommand, err error) {
 	cmd := opt.MongoDBCommandArgs()
-	lcmd, err = localcommand.New("mongosh", cmd, localcommand.WithPtyWin(opt.win.Width, opt.win.Height))
+	opts, err := BuildNobodyWithOpts(localcommand.WithPtyWin(opt.win.Width, opt.win.Height))
+	if err != nil {
+		logger.Errorf("build nobody with opts error: %s", err)
+		return nil, err
+	}
+	lcmd, err = localcommand.New("mongosh", cmd, opts...)
 	if err != nil {
 		return nil, err
 	}

diff --git a/pkg/srvconn/conn_nobody.go b/pkg/srvconn/conn_nobody.go
@@ -0,0 +1,23 @@
+package srvconn
+
+import (
+	"os/user"
+	"strconv"
+	"syscall"
+
+	"github.com/jumpserver/koko/pkg/localcommand"
+)
+
+func BuildNobodyWithOpts(opts ...localcommand.Option) (nobodyOpts []localcommand.Option, err error) {
+	nobody, err := user.Lookup("nobody")
+	if err != nil {
+		return nil, err
+	}
+	uid, _ := strconv.Atoi(nobody.Uid)
+	gid, _ := strconv.Atoi(nobody.Gid)
+	nobodyOpts = make([]localcommand.Option, 0, len(opts)+1)
+	nobodyOpts = append(nobodyOpts, opts...)
+	nobodyCredential := localcommand.WithCmdCredential(&syscall.Credential{Uid: uint32(uid), Gid: uint32(gid)})
+	nobodyOpts = append(nobodyOpts, nobodyCredential)
+	return nobodyOpts, nil
+}
diff --git a/pkg/srvconn/conn_postgresql.go b/pkg/srvconn/conn_postgresql.go
@@ -5,6 +5,7 @@ import (
 	"os"
 	"strconv"
 
+	"github.com/jumpserver/koko/pkg/logger"
 	_ "github.com/lib/pq"
 
 	"github.com/jumpserver/koko/pkg/localcommand"
@@ -61,7 +62,12 @@ func (conn *PostgreSQLConn) Close() error {
 func startPostgreSQLCommand(opt *sqlOption) (lcmd *localcommand.LocalCommand, err error) {
 	argv := opt.PostgreSQLCommandArgs()
 	//psql 是启动postgresql的客户端
-	lcmd, err = localcommand.New("psql", argv, localcommand.WithPtyWin(opt.win.Width, opt.win.Height))
+	opts, err := BuildNobodyWithOpts(localcommand.WithPtyWin(opt.win.Width, opt.win.Height))
+	if err != nil {
+		logger.Errorf("build nobody with opts error: %s", err)
+		return nil, err
+	}
+	lcmd, err = localcommand.New("psql", argv, opts...)
 	if err != nil {
 		return nil, err
 	}

diff --git a/pkg/srvconn/conn_redis.go b/pkg/srvconn/conn_redis.go
@@ -9,6 +9,7 @@ import (
 	"time"
 
 	"github.com/jumpserver/koko/pkg/localcommand"
+	"github.com/jumpserver/koko/pkg/logger"
 	"github.com/mediocregopher/radix/v3"
 )
 
@@ -95,7 +96,12 @@ func (conn *RedisConn) Close() error {
 
 func startRedisCommand(opt *sqlOption) (lcmd *localcommand.LocalCommand, err error) {
 	cmd := opt.RedisCommandArgs()
-	lcmd, err = localcommand.New("redis-cli", cmd, localcommand.WithPtyWin(opt.win.Width, opt.win.Height))
+	opts, err := BuildNobodyWithOpts(localcommand.WithPtyWin(opt.win.Width, opt.win.Height))
+	if err != nil {
+		logger.Errorf("build nobody with opts error: %s", err)
+		return nil, err
+	}
+	lcmd, err = localcommand.New("redis-cli", cmd, opts...)
 	if err != nil {
 		return nil, err
 	}

diff --git a/pkg/srvconn/conn_sqlserver.go b/pkg/srvconn/conn_sqlserver.go
@@ -72,7 +72,12 @@ func startSQLServerCommand(opt *sqlOption) (lcmd *localcommand.LocalCommand, err
 
 func startSQLServerNormalCommand(opt *sqlOption) (lcmd *localcommand.LocalCommand, err error) {
 	//tsql 是启动sqlserver的客户端
-	return localcommand.New("tsql", opt.SQLServerCommandArgs())
+	opts, err := BuildNobodyWithOpts(localcommand.WithPtyWin(opt.win.Width, opt.win.Height))
+	if err != nil {
+		logger.Errorf("build nobody with opts error: %s", err)
+		return nil, err
+	}
+	return localcommand.New("tsql", opt.SQLServerCommandArgs(), opts...)
 }
 
 func tryManualLoginSQLServerServer(opt *sqlOption, lcmd *localcommand.LocalCommand) (*localcommand.LocalCommand, error) {