
fix(lockfiles): fix privileges in lockfile scan #1512

Merged: 2 commits merged into master from MaineK00n/fix-find-priv on Sep 2, 2022

Conversation

@MaineK00n MaineK00n commented Aug 8, 2022

What did you implement:

Lockfile scan searches for the target lockfile and retrieves its contents from the scan destination.
Until now, even in fast-root mode, all command execution has been done as the executing user.
This PR grants privileges to the command according to its execution mode.

Type of change

  • Bug fix (non-breaking change which fixes an issue)

How Has This Been Tested?

env

$ vagrant ssh
vagrant@ubuntu-focal:~$ find / -type f -and -name "Cargo.lock" 2>&1 | grep -v "find:"
vagrant@ubuntu-focal:~$ sudo find / -type f -and -name "Cargo.lock" 2>&1 | grep -v "find:"
/root/Cargo.lock

findLock = true

  • config.toml
[servers.vagrant]
host = "127.0.0.1"
port = "2222"
user = "vagrant"
keyPath = "/home/mainek00n/github/github.com/MaineK00n/vuls-targets-docker/.ssh/id_rsa"
scanMode = ["fast-root"]
scanModules = ["lockfile"]
findLock = true
  • before
$ vuls scan
[Aug  8 18:07:47]  INFO [localhost] vuls-v0.20.0-build-20220808_180441_1e45732
[Aug  8 18:07:47]  INFO [localhost] Start scanning
[Aug  8 18:07:47]  INFO [localhost] config: /home/mainek00n/github/github.com/MaineK00n/vuls/config.toml
[Aug  8 18:07:47]  INFO [localhost] Validating config...
[Aug  8 18:07:47]  INFO [localhost] Detecting Server/Container OS... 
[Aug  8 18:07:47]  INFO [localhost] Detecting OS of servers... 
[Aug  8 18:07:47]  INFO [localhost] (1/1) Detected: vagrant: ubuntu 20.04
[Aug  8 18:07:47]  INFO [localhost] Detecting OS of containers... 
[Aug  8 18:07:47]  INFO [localhost] Checking Scan Modes... 
[Aug  8 18:07:47]  INFO [localhost] Detecting Platforms... 
[Aug  8 18:07:48]  INFO [localhost] (1/1) vagrant is running on other
[Aug  8 18:07:48]  INFO [vagrant] Scanning Lockfile...


Scan Summary
================
vagrant	ubuntu20.04	0 installed, 0 updatable
  • after
$ vuls scan
[Aug  8 18:27:44]  INFO [localhost] vuls-v0.20.0-build-20220808_182706_7ae7d4e
[Aug  8 18:27:44]  INFO [localhost] Start scanning
[Aug  8 18:27:44]  INFO [localhost] config: /home/mainek00n/github/github.com/MaineK00n/vuls/config.toml
[Aug  8 18:27:44]  INFO [localhost] Validating config...
[Aug  8 18:27:44]  INFO [localhost] Detecting Server/Container OS... 
[Aug  8 18:27:44]  INFO [localhost] Detecting OS of servers... 
[Aug  8 18:27:45]  INFO [localhost] (1/1) Detected: vagrant: ubuntu 20.04
[Aug  8 18:27:45]  INFO [localhost] Detecting OS of containers... 
[Aug  8 18:27:45]  INFO [localhost] Checking Scan Modes... 
[Aug  8 18:27:45]  INFO [localhost] Detecting Platforms... 
[Aug  8 18:27:46]  INFO [localhost] (1/1) vagrant is running on other
[Aug  8 18:27:46]  INFO [vagrant] Scanning Lockfile...


Scan Summary
================
vagrant	ubuntu20.04	0 installed, 0 updatable	399 libs

specify a path outside of the executing user privileges

  • config.toml
[servers.vagrant]
host = "127.0.0.1"
port = "2222"
user = "vagrant"
keyPath = "/home/mainek00n/github/github.com/MaineK00n/vuls-targets-docker/.ssh/id_rsa"
scanMode = ["fast-root"]
scanModules = ["lockfile"]
lockfiles = ["/root/Cargo.lock"]
  • before
$ vuls scan
[Aug  8 18:30:38]  INFO [localhost] vuls-v0.20.0-build-20220808_180441_1e45732
[Aug  8 18:30:38]  INFO [localhost] Start scanning
[Aug  8 18:30:38]  INFO [localhost] config: /home/mainek00n/github/github.com/MaineK00n/vuls/config.toml
[Aug  8 18:30:38]  INFO [localhost] Validating config...
[Aug  8 18:30:38]  INFO [localhost] Detecting Server/Container OS... 
[Aug  8 18:30:38]  INFO [localhost] Detecting OS of servers... 
[Aug  8 18:30:38]  INFO [localhost] (1/1) Detected: vagrant: ubuntu 20.04
[Aug  8 18:30:38]  INFO [localhost] Detecting OS of containers... 
[Aug  8 18:30:38]  INFO [localhost] Checking Scan Modes... 
[Aug  8 18:30:38]  INFO [localhost] Detecting Platforms... 
[Aug  8 18:30:39]  INFO [localhost] (1/1) vagrant is running on other
[Aug  8 18:30:39]  INFO [vagrant] Scanning Lockfile...
[Aug  8 18:30:39] ERROR [localhost] Error on vagrant, err: [Failed to scan Library:
    github.com/future-architect/vuls/scanner.Scanner.getScanResults.func1
        /home/mainek00n/go/src/github.com/future-architect/vuls/scanner/scanner.go:888
  - Failed to get target file permission: execResult: servername: vagrant
      cmd: /usr/bin/ssh -tt -o StrictHostKeyChecking=yes -o LogLevel=quiet -o ConnectionAttempts=3 -o ConnectTimeout=10 -o ControlMaster=auto -o ControlPath=/home/mainek00n/.vuls/controlmaster-%r-vagrant.%p -o Controlpersist=10m -l vagrant -p 2222 -i /home/mainek00n/github/github.com/MaineK00n/vuls-targets-docker/.ssh/id_rsa -o PasswordAuthentication=no 127.0.0.1 stty cols 1000; stat -c "%a" /root/Cargo.lock
      exitstatus: 1
      stdout: stat: cannot stat '/root/Cargo.lock': Permission denied
    
      stderr: 
      err: %!s(<nil>), filepath: /root/Cargo.lock:
    github.com/future-architect/vuls/scanner.(*base).scanLibraries
        /home/mainek00n/go/src/github.com/future-architect/vuls/scanner/base.go:639]


Scan Summary
================
vagrant	Error		Use configtest subcommand or scan with --debug to view the details


[Aug  8 18:30:39] ERROR [localhost] Failed to scan: Failed to scan. err:
    github.com/future-architect/vuls/scanner.Scanner.Scan
        /home/mainek00n/go/src/github.com/future-architect/vuls/scanner/scanner.go:106
  - An error occurred on [vagrant]
  • after
$ vuls scan
[Aug  8 18:32:33]  INFO [localhost] vuls-v0.20.0-build-20220808_182706_7ae7d4e
[Aug  8 18:32:33]  INFO [localhost] Start scanning
[Aug  8 18:32:33]  INFO [localhost] config: /home/mainek00n/github/github.com/MaineK00n/vuls/config.toml
[Aug  8 18:32:33]  INFO [localhost] Validating config...
[Aug  8 18:32:33]  INFO [localhost] Detecting Server/Container OS... 
[Aug  8 18:32:33]  INFO [localhost] Detecting OS of servers... 
[Aug  8 18:32:33]  INFO [localhost] (1/1) Detected: vagrant: ubuntu 20.04
[Aug  8 18:32:33]  INFO [localhost] Detecting OS of containers... 
[Aug  8 18:32:33]  INFO [localhost] Checking Scan Modes... 
[Aug  8 18:32:33]  INFO [localhost] Detecting Platforms... 
[Aug  8 18:32:34]  INFO [localhost] (1/1) vagrant is running on other
[Aug  8 18:32:34]  INFO [vagrant] Scanning Lockfile...


Scan Summary
================
vagrant	ubuntu20.04	0 installed, 0 updatable	399 libs

Checklist:

You don't have to satisfy all of the following.

  • Write tests
  • Write documentation
  • Check that there aren't other open pull requests for the same issue/feature
  • Format your source code with make fmt
  • Pass the tests with make test
  • Provide verification config / commands
  • Enable "Allow edits from maintainers" for this PR
  • Update the messages below

Is this ready for review?: YES

Reference
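As an added illustration of the behaviour this PR changes (written for this page, not code from the vuls project), the Go sketch below wraps the target-side `find` and `stat` commands with `sudo` only when the scan mode requires root, and replays the before/after results from the test log against a constructed fake target. The helper names (`privilegedCmd`, `findLockfiles`, `statLockfile`, `fakeTarget`) and the `sudo -S` prefix are assumptions, not vuls's own API.

```go
package main

import (
	"fmt"
	"strings"
)

// privilegedCmd prefixes sudo when the scan mode needs root (fast-root, deep). Hypothetical helper.
func privilegedCmd(mode, cmd string) string {
	if mode == "fast-root" || mode == "deep" {
		return "sudo -S " + cmd
	}
	return cmd
}

// findLockfiles runs find with the mode's privilege, dropping find's own "Permission denied" lines
// like the PR's `grep -v "find:"`; run executes one command on the target (ssh in vuls).
func findLockfiles(mode string, run func(string) (string, int)) (paths []string) {
	out, _ := run(privilegedCmd(mode, `find / -type f -name "Cargo.lock" 2>&1`))
	for _, line := range strings.Split(out, "\n") {
		if line != "" && !strings.HasPrefix(line, "find:") {
			paths = append(paths, line)
		}
	}
	return paths
}

// statLockfile reads a lockfile's mode bits; without privilegedCmd this is the pre-fix failure on the page.
func statLockfile(mode, path string, run func(string) (string, int)) (string, error) {
	out, code := run(privilegedCmd(mode, fmt.Sprintf(`stat -c "%%a" %s`, path)))
	if code != 0 {
		return "", fmt.Errorf("failed to get target file permission: %s", strings.TrimSpace(out))
	}
	return strings.TrimSpace(out), nil
}

// fakeTarget is a constructed stand-in for the test VM: /root/Cargo.lock is readable only as root.
func fakeTarget(cmd string) (string, int) {
	root := strings.HasPrefix(cmd, "sudo ")
	if strings.Contains(cmd, "find /") {
		if root {
			return "/root/Cargo.lock\n", 0
		}
		return "find: '/root': Permission denied\n", 0
	}
	if root {
		return "644\n", 0
	}
	return "stat: cannot stat '/root/Cargo.lock': Permission denied\n", 1
}
```

With mode "fast" the fake target reproduces the empty find result and the `stat` "Permission denied" error from the before logs; with "fast-root" both calls succeed, matching the after logs.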

@MaineK00n MaineK00n self-assigned this Aug 8, 2022
@MaineK00n MaineK00n force-pushed the MaineK00n/fix-find-priv branch from c5e81ad to 7ae7d4e Compare August 8, 2022 09:18
@MaineK00n MaineK00n marked this pull request as ready for review August 8, 2022 09:29
@MaineK00n MaineK00n requested a review from kotakanbe August 8, 2022 09:29
@MaineK00n MaineK00n changed the title fix(lockfiles): exec find according to privilege when findLock is true fix(lockfiles): fix privileges in lockfile scan Aug 8, 2022
@kotakanbe kotakanbe merged commit 2a00339 into master Sep 2, 2022
@kotakanbe kotakanbe deleted the MaineK00n/fix-find-priv branch September 2, 2022 09:18

2 participants