diff --git a/entrypoint.sh b/entrypoint.sh
index d1187570..8d777ac5 100644
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -6,6 +6,14 @@ do
 echo "wait for jms_core $CORE_HOST ready"
 sleep 2
 done
+# 限制所有可执行目录的权限
+chmod -R 700 /usr/local/sbin/* && chmod -R 700 /usr/local/bin/*
+chmod -R 700 /usr/sbin/* && chmod -R 700 /sbin/* && chmod -R 700 /bin/*
+
+
+# 放开部分需要的可执行权限
+chmod 755 `which mysql` `which psql` `which mongosh` `which tsql` `which redis` `which clickhouse-client`
+chmod 755 `which kubectl` `which rawkubectl` `which helm` `which rawhelm`
 cd /opt/koko
 ./koko
diff --git a/pkg/srvconn/conn_mongodb.go b/pkg/srvconn/conn_mongodb.go
index 8937b821..3f3e5b6c 100644
--- a/pkg/srvconn/conn_mongodb.go
+++ b/pkg/srvconn/conn_mongodb.go
@@ -8,6 +8,7 @@ import (
 "strconv"
 "time"
+ "github.com/jumpserver/koko/pkg/logger"
 "go.mongodb.org/mongo-driver/mongo"
 "go.mongodb.org/mongo-driver/mongo/options"
@@ -92,7 +93,12 @@ func (conn *MongoDBConn) Close() error {
 func startMongoDBCommand(opt *sqlOption) (lcmd *localcommand.LocalCommand, err error) {
 cmd := opt.MongoDBCommandArgs()
- lcmd, err = localcommand.New("mongosh", cmd, localcommand.WithPtyWin(opt.win.Width, opt.win.Height))
+ opts, err := BuildNobodyWithOpts(localcommand.WithPtyWin(opt.win.Width, opt.win.Height))
+ if err != nil {
+ logger.Errorf("build nobody with opts error: %s", err)
+ return nil, err
+ }
+ lcmd, err = localcommand.New("mongosh", cmd, opts...)
 if err != nil {
 return nil, err
 }
diff --git a/pkg/srvconn/conn_nobody.go b/pkg/srvconn/conn_nobody.go
new file mode 100644
index 00000000..b45d5f5d
--- /dev/null
+++ b/pkg/srvconn/conn_nobody.go
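Review bot: The second `chmod 755` list re-opens `which redis`, but conn_redis.go later in this diff launches `redis-cli`; unless the image ships a `redis` wrapper, `redis-cli` stays at mode 700 and every Redis session will fail at exec with EACCES once it runs as nobody. The unquoted backtick substitutions also drop any tool `which` cannot find without a word of output, so a missing binary is only discovered at the first connection attempt; a loop over `command -v` that reports each absent tool and leaves it restricted is easier to audit. On a merged-/usr base image `/bin` and `/sbin` are symlinks into `/usr`, so the recursive 700 already covers `/usr/bin`, whereas on a split layout `/usr/bin` is not in the list and everything there stays executable by nobody — confirm which case the Dockerfile produces. Whether the `&&` chains abort the script on failure depends on a `set -e` that is outside the hunk.
```shell
# … unchanged: wait loop and the chmod -R 700 lines …
# Re-open only the client binaries; report any that are absent instead of dropping them silently.
for tool in mysql psql mongosh tsql redis redis-cli clickhouse-client kubectl rawkubectl helm rawhelm; do
    bin=$(command -v "$tool") || { echo "entrypoint: $tool not found, leaving it restricted" >&2; continue; }
    chmod 755 "$bin"
done
```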
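Review bot: `logger.Errorf` immediately followed by `return nil, err` handles the same error at two layers, and the logged message does not say which client was being launched; the caller that receives the error will presumably report it again. Dropping the log line and returning a wrapped error, `return nil, fmt.Errorf("building nobody credential for mongosh: %w", err)` (with `fmt` added to the import block if it is not already there), keeps one handling point and names the protocol. The early return itself is right and must stay: a failure to build the credential has to abort the launch rather than fall back to running the client with the process's own uid. The same log-and-return pattern is repeated verbatim in the conn_postgresql.go, conn_redis.go and conn_sqlserver.go hunks.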
@@ -0,0 +1,23 @@
+package srvconn
+
+import (
+ "os/user"
+ "strconv"
+ "syscall"
+
+ "github.com/jumpserver/koko/pkg/localcommand"
+)
+
+func BuildNobodyWithOpts(opts ...localcommand.Option) (nobodyOpts []localcommand.Option, err error) {
+ nobody, err := user.Lookup("nobody")
+ if err != nil {
+ return nil, err
+ }
+ uid, _ := strconv.Atoi(nobody.Uid)
+ gid, _ := strconv.Atoi(nobody.Gid)
+ nobodyOpts = make([]localcommand.Option, 0, len(opts)+1)
+ nobodyOpts = append(nobodyOpts, opts...)
+ nobodyCredential := localcommand.WithCmdCredential(&syscall.Credential{Uid: uint32(uid), Gid: uint32(gid)})
+ nobodyOpts = append(nobodyOpts, nobodyCredential)
+ return nobodyOpts, nil
+}
diff --git a/pkg/srvconn/conn_postgresql.go b/pkg/srvconn/conn_postgresql.go
index 9a52d3d5..b3f406d1 100644
--- a/pkg/srvconn/conn_postgresql.go
+++ b/pkg/srvconn/conn_postgresql.go
@@ -5,6 +5,7 @@ import (
 "os"
 "strconv"
+ "github.com/jumpserver/koko/pkg/logger"
 _ "github.com/lib/pq"
 "github.com/jumpserver/koko/pkg/localcommand"
@@ -61,7 +62,12 @@ func (conn *PostgreSQLConn) Close() error {
 func startPostgreSQLCommand(opt *sqlOption) (lcmd *localcommand.LocalCommand, err error) {
 argv := opt.PostgreSQLCommandArgs()
 //psql 是启动postgresql的客户端
- lcmd, err = localcommand.New("psql", argv, localcommand.WithPtyWin(opt.win.Width, opt.win.Height))
+ opts, err := BuildNobodyWithOpts(localcommand.WithPtyWin(opt.win.Width, opt.win.Height))
+ if err != nil {
+ logger.Errorf("build nobody with opts error: %s", err)
+ return nil, err
+ }
+ lcmd, err = localcommand.New("psql", argv, opts...)
 if err != nil {
 return nil, err
 }
diff --git a/pkg/srvconn/conn_redis.go b/pkg/srvconn/conn_redis.go
index a90db0ee..3bd37c3f 100644
--- a/pkg/srvconn/conn_redis.go
+++ b/pkg/srvconn/conn_redis.go
@@ -9,6 +9,7 @@ import (
 "time"
 "github.com/jumpserver/koko/pkg/localcommand"
+ "github.com/jumpserver/koko/pkg/logger"
 "github.com/mediocregopher/radix/v3"
 )
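Review bot: The `_` on both `strconv.Atoi` calls means a non-numeric Uid or Gid (on Windows `os/user` returns SID strings, and a malformed passwd entry can produce one anywhere) silently yields 0, so the credential that exists to drop privileges would instead run the client as uid 0 / gid 0; a negative result cast through `uint32(uid)` is the same problem from the other side. Since this function is the privilege boundary for every client launched from the srvconn package it has to fail closed: parse with `strconv.ParseUint(..., 10, 32)`, return the error, and refuse an id of 0 explicitly. The exported function also has no doc comment; it is worth recording there that the credential is appended after the caller's options so it overrides any earlier credential option, and that with `Groups` left nil and `NoSetGroups` false the exec path calls setgroups with an empty list, so the parent's supplementary groups are not inherited — stating that keeps someone from "fixing" it later. `fmt` would need to be added to the new file's import block for the wrapped errors below.
```go
// BuildNobodyWithOpts returns opts with a credential option appended that makes
// the command run as the "nobody" account. It fails closed: any error resolving
// the account or parsing its ids is returned and never degraded to uid/gid 0.
func BuildNobodyWithOpts(opts ...localcommand.Option) (nobodyOpts []localcommand.Option, err error) {
	nobody, err := user.Lookup("nobody")
	if err != nil {
		return nil, fmt.Errorf("looking up nobody account: %w", err)
	}
	uid, err := strconv.ParseUint(nobody.Uid, 10, 32)
	if err != nil {
		return nil, fmt.Errorf("parsing nobody uid %q: %w", nobody.Uid, err)
	}
	gid, err := strconv.ParseUint(nobody.Gid, 10, 32)
	if err != nil {
		return nil, fmt.Errorf("parsing nobody gid %q: %w", nobody.Gid, err)
	}
	if uid == 0 || gid == 0 {
		return nil, fmt.Errorf("nobody resolved to uid %d gid %d; refusing to launch as root", uid, gid)
	}
	// … unchanged: append opts, then the credential last so it overrides any earlier one …
```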
@@ -95,7 +96,12 @@ func (conn *RedisConn) Close() error {
 func startRedisCommand(opt *sqlOption) (lcmd *localcommand.LocalCommand, err error) {
 cmd := opt.RedisCommandArgs()
- lcmd, err = localcommand.New("redis-cli", cmd, localcommand.WithPtyWin(opt.win.Width, opt.win.Height))
+ opts, err := BuildNobodyWithOpts(localcommand.WithPtyWin(opt.win.Width, opt.win.Height))
+ if err != nil {
+ logger.Errorf("build nobody with opts error: %s", err)
+ return nil, err
+ }
+ lcmd, err = localcommand.New("redis-cli", cmd, opts...)
 if err != nil {
 return nil, err
 }
diff --git a/pkg/srvconn/conn_sqlserver.go b/pkg/srvconn/conn_sqlserver.go
index 6e5c01bf..02cf238b 100644
--- a/pkg/srvconn/conn_sqlserver.go
+++ b/pkg/srvconn/conn_sqlserver.go
@@ -72,7 +72,12 @@ func startSQLServerCommand(opt *sqlOption) (lcmd *localcommand.LocalCommand, err
 func startSQLServerNormalCommand(opt *sqlOption) (lcmd *localcommand.LocalCommand, err error) {
 //tsql 是启动sqlserver的客户端
- return localcommand.New("tsql", opt.SQLServerCommandArgs())
+ opts, err := BuildNobodyWithOpts(localcommand.WithPtyWin(opt.win.Width, opt.win.Height))
+ if err != nil {
+ logger.Errorf("build nobody with opts error: %s", err)
+ return nil, err
+ }
+ return localcommand.New("tsql", opt.SQLServerCommandArgs(), opts...)
 }
 func tryManualLoginSQLServerServer(opt *sqlOption, lcmd *localcommand.LocalCommand) (*localcommand.LocalCommand, error) {
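Review bot: Besides the privilege drop, the new `startSQLServerNormalCommand` also passes `localcommand.WithPtyWin(opt.win.Width, opt.win.Height)`, which the removed `localcommand.New("tsql", opt.SQLServerCommandArgs())` never did; if tsql is meant to receive a pty size now, that second behavioural change deserves a sentence in the commit message, and if not the call should be `BuildNobodyWithOpts()` with no arguments. The hunk also calls `logger.Errorf` while this diff shows no import hunk for conn_sqlserver.go, so the file presumably already imports the logger package — worth confirming the package still builds. The enclosing file continues outside the hunk on both sides.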