From a3f7b764d68a4b28fdb816549d22d0ea2d4dcb11 Mon Sep 17 00:00:00 2001 From: "Kali Kaneko (leap communications)" Date: Thu, 25 May 2017 19:07:45 +0200 Subject: [feat] do not use pkexec if we are root --- src/leap/bitmask/vpn/fw/firewall.py | 36 +++++++++++++++++++++++++++--------- 1 file changed, 27 insertions(+), 9 deletions(-) (limited to 'src/leap') diff --git a/src/leap/bitmask/vpn/fw/firewall.py b/src/leap/bitmask/vpn/fw/firewall.py index 8b71a9f..7f3f404 100644 --- a/src/leap/bitmask/vpn/fw/firewall.py +++ b/src/leap/bitmask/vpn/fw/firewall.py @@ -20,12 +20,29 @@ Firewall Manager """ import commands +import os import subprocess from leap.bitmask.vpn.constants import IS_MAC from leap.common.events import catalog, emit_async +# TODO -- subclass it for osx/windows, not only for linux. + + +# A regular user should not run bitmask as root, but we contemplate +# this case for tests inside docker. + +NOT_ROOT = os.getuid() != 0 + + +def check_root(cmd): + if NOT_ROOT: + cmd = ['pkexec'] + cmd + print "COMMAND IS >>>", cmd + return cmd + + class FirewallManager(object): """ @@ -34,7 +51,6 @@ class FirewallManager(object): This allows us to achieve fail close on a vpn connection. """ - # FIXME -- get the path BITMASK_ROOT = "/usr/local/sbin/bitmask-root" def __init__(self, remotes): @@ -60,7 +76,9 @@ class FirewallManager(object): # XXX check for wrapper existence, check it's root owned etc. # XXX check that the iptables rules are in place. - cmd = ["pkexec", self.BITMASK_ROOT, "firewall", "start"] + cmd = [self.BITMASK_ROOT, "firewall", "start"] + cmd = check_root(cmd) + if restart: cmd.append("restart") @@ -73,17 +91,17 @@ class FirewallManager(object): else: return False - # def tear_down_firewall(self): def stop(self): """ Tear the firewall down using the privileged wrapper. """ + # We don't support Mac so far if IS_MAC: - # We don't support Mac so far return True - exitCode = subprocess.call(["pkexec", self.BITMASK_ROOT, - "firewall", "stop"]) + cmd = [self.BITMASK_ROOT, "firewall", "stop"] + cmd = check_root(cmd) + exitCode = subprocess.call(cmd) emit_async(catalog.VPN_STATUS_CHANGED) if exitCode == 0: return True @@ -96,9 +114,9 @@ class FirewallManager(object): :rtype: bool """ - # TODO test this, refactored from is_fw_down - - cmd = "pkexec {0} firewall isup".format(self.BITMASK_ROOT) + cmd = [self.BITMASK_ROOT, "firewall", "isup"] + cmd = check_root(cmd) + cmd = ' '.join(cmd) output = commands.getstatusoutput(cmd)[0] return output != 256 -- cgit v1.2.3