summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorChristian Poessinger <christian@poessinger.com>2020-04-24 18:49:31 +0200
committerGitHub <noreply@github.com>2020-04-24 18:49:31 +0200
commit35dc9d35c5d97e1c7d4fc0602ad437f1eb373b94 (patch)
tree0376fefbe726de45cf393ff0b3b1e8ff6b7e8f26
parent401036b4d1ff922ff8a6fe67d9cda96064f9cff4 (diff)
parentea98771cba738d6fcfe47f650ecaa598c17c7c8a (diff)
downloadvyos-1x-35dc9d35c5d97e1c7d4fc0602ad437f1eb373b94.tar.gz
vyos-1x-35dc9d35c5d97e1c7d4fc0602ad437f1eb373b94.zip
Merge pull request #376 from thomas-mangin/T2377
log: T2377: do not modify log file if not 666
-rw-r--r--python/vyos/debug.py21
1 files changed, 16 insertions, 5 deletions
diff --git a/python/vyos/debug.py b/python/vyos/debug.py
index 20090fb85..1a042cbb4 100644
--- a/python/vyos/debug.py
+++ b/python/vyos/debug.py
@@ -41,8 +41,9 @@ def message(message, flag='', destination=sys.stdout):
try:
# at boot the file is created as root:vyattacfg
# at runtime the file is created as user:vyattacfg
- # the default permission are 644
- mask = os.umask(0o113)
+ # but the helper scripts are not run as this so it
+ # need the default permission to be 666 (an not 660)
+ mask = os.umask(0o111)
with open(logfile, 'a') as f:
f.write(_format('log', message))
@@ -133,7 +134,7 @@ def _contentenv(flag):
return os.environ.get(f'VYOS_{flag.upper()}_DEBUG', '').strip()
-def _contentfile(flag):
+def _contentfile(flag, default=''):
"""
Check if debug exist for a given debug flag name
@@ -153,7 +154,8 @@ def _contentfile(flag):
if not os.path.isfile(flagfile):
continue
with open(flagfile) as f:
- return f.readline().strip()
+ content = f.readline().strip()
+ return content or default
return ''
@@ -166,7 +168,7 @@ def _logfile(flag, default):
"""
# For log we return the location of the log file
- log_location = _contentenv(flag) or _contentfile(flag)
+ log_location = _contentenv(flag) or _contentfile(flag, default)
# it was not set
if not log_location:
@@ -177,6 +179,15 @@ def _logfile(flag, default):
not log_location.startswith('/config/') and \
not log_location.startswith('/var/log/'):
return default
+ # Do not allow to escape the folders
if '..' in log_location:
return default
+
+ if not os.path.exists(log_location):
+ return log_location
+
+ # this permission is unique the the config and var folder
+ stat = os.stat(log_location).st_mode
+ if stat != 0o100666:
+ return default
return log_location