beenull/crowdsec
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Update test env (#987)

Browse source 
* update test_env
This commit is contained in:
he2ss 2021-09-24 18:06:30 +02:00 committed by GitHub
parent 9d2cd58f31
commit db5ffb0040
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 31 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
config/dev.yaml
View file

@ -6,13 +6,18 @@ common:
working_dir: .
config_paths:
config_dir: ./config
data_dir: ./data/
data_dir: ./data/
notification_dir: ./config/notifications/
plugin_dir: ./plugins/
#simulation_path: /etc/crowdsec/config/simulation.yaml
#hub_dir: /etc/crowdsec/hub/
#index_path: ./config/hub/.index.json
crowdsec_service:
acquisition_path: ./config/acquis.yaml
parser_routines: 1
plugin_config:
user: $USER # plugin process would be ran on behalf of this user
group: $USER # plugin process would be ran on behalf of this group
cscli:
output: human
db_config:

19
pkg/csplugin/broker.go
View file

@ -240,7 +240,8 @@ func (pb *PluginBroker) loadNotificationPlugin(name string, binaryPath string) (
return nil, err
}
cmd := exec.Command(binaryPath)
cmd.SysProcAttr, err = getProccessAtr(pb.pluginProcConfig.User, pb.pluginProcConfig.Group)
cmd.SysProcAttr, err = getProcessAtr(pb.pluginProcConfig.User, pb.pluginProcConfig.Group)
cmd.SysProcAttr.Credential.NoSetGroups = true
if err != nil {
return nil, errors.Wrap(err, "while getting process attributes")
}
@ -350,10 +351,18 @@ func pluginIsValid(path string) error {
return errors.Wrap(err, fmt.Sprintf("plugin at %s does not exist", path))
}
// check if it is owned by root
// check if it is owned by current user
currentUser, err := user.Current()
if err != nil {
return errors.Wrap(err, "while getting current user")
}
procAttr, err := getProcessAtr(currentUser.Username, currentUser.Username)
if err != nil {
return errors.Wrap(err, "while getting process attributes")
}
stat := details.Sys().(*syscall.Stat_t)
if stat.Uid != 0 || stat.Gid != 0 {
return fmt.Errorf("plugin at %s is not owned by root user and group", path)
if stat.Uid != procAttr.Credential.Uid || stat.Gid != procAttr.Credential.Gid {
return fmt.Errorf("plugin at %s is not owned by %s user and group", path, currentUser.Username)
}
if (int(details.Mode()) & 2) != 0 {
@ -387,7 +396,7 @@ func getPluginTypeAndSubtypeFromPath(path string) (string, string, error) {
return strings.Join(parts[:len(parts)-1], "-"), parts[len(parts)-1], nil
}
func getProccessAtr(username string, groupname string) (*syscall.SysProcAttr, error) {
func getProcessAtr(username string, groupname string) (*syscall.SysProcAttr, error) {
u, err := user.Lookup(username)
if err != nil {
return nil, err

12
scripts/test_env.sh
View file

@ -39,6 +39,9 @@ PARSER_S02="$PARSER_DIR/s02-enrich"
SCENARIOS_DIR="$CONFIG_DIR/scenarios"
POSTOVERFLOWS_DIR="$CONFIG_DIR/postoverflows"
HUB_DIR="$CONFIG_DIR/hub"
PLUGINS="http slack splunk"
PLUGINS_DIR="plugins"
NOTIF_DIR="notifications"
log_info() {
msg=$1
@ -59,11 +62,12 @@ create_arbo() {
mkdir -p "$POSTOVERFLOWS_DIR"
mkdir -p "$CSCLI_DIR"
mkdir -p "$HUB_DIR"
mkdir -p $CONFIG_DIR/$NOTIF_DIR/$plugin
mkdir -p $BASE/$PLUGINS_DIR
}
copy_files() {
cp "./config/profiles.yaml" "$CONFIG_DIR"
cp "./config/dev.yaml" "$BASE"
cp "./config/simulation.yaml" "$CONFIG_DIR"
cp "./cmd/crowdsec/crowdsec" "$BASE"
cp "./cmd/crowdsec-cli/cscli" "$BASE"
@ -71,6 +75,12 @@ copy_files() {
cp "./config/acquis.yaml" "$CONFIG_DIR"
touch "$CONFIG_DIR"/local_api_credentials.yaml
touch "$CONFIG_DIR"/online_api_credentials.yaml
envsubst < "./config/dev.yaml" > $BASE/dev.yaml
for plugin in $PLUGINS
do
cp $PLUGINS_DIR/$NOTIF_DIR/$plugin/notification-$plugin $BASE/$PLUGINS_DIR/notification-$plugin
cp $PLUGINS_DIR/$NOTIF_DIR/$plugin/$plugin.yaml $CONFIG_DIR/$NOTIF_DIR/$plugin.yaml
done
}