live: add restricted execution mode to shell/run

Try to find the script to run for a shell/run request in /opt/opengnsys/shell/, restricted mode is enabled if the script is found. Excute the script without shell=True and executable=OG_SHELL in restricted mode. Restricted mode is a safer execution method as it only executes code manually defined by the administrator. Each script needs to define a shebang, this way more than just bash is supported.
2024-06-24 11:01:22 +02:00 · 2024-06-24 11:01:22 +02:00 · 6282cb41a8
parent 1c9a13cd96
commit 6282cb41a8
1 changed files with 19 additions and 4 deletions
--- a/src/live/ogOperations.py
+++ b/src/live/ogOperations.py
@ -281,11 +281,26 @@ class OgLiveOperations:

        self._restartBrowser(self._url_log)

+        shell_path = '/opt/opengnsys/shell/'
+
+        restricted_mode = False
+
+        for file_name in os.listdir(shell_path):
+            file_path = os.path.join(shell_path, file_name)
+
+            if cmds[0] == file_name:
+                cmds[0] = file_path
+                restricted_mode = True
+                break
+
        try:
-            ogRest.proc = subprocess.Popen(cmds,
-                               stdout=subprocess.PIPE,
-                               shell=True,
-                               executable=OG_SHELL)
+            if restricted_mode:
+                ogRest.proc = subprocess.Popen(cmds, stdout=subprocess.PIPE)
+            else:
+                ogRest.proc = subprocess.Popen(cmds,
+                                stdout=subprocess.PIPE,
+                                shell=True,
+                                executable=OG_SHELL)
            (output, error) = ogRest.proc.communicate()
        except OSError as e:
            raise OgError(f'Error when running "shell run" subprocess: {e}') from e