There are a number of things to improve security in the opcontrol script:
-Do not allow blindly use eval on unverified arguments
-Avoid using "." to source variable from /root/.oprofile/daemonrc
-Limit "--save-session" to the samples directory
Will, were you going to attach patches? Maybe got distracted and forgot? :-)
Patch to limit save sessions to inside the sample directory
Make opcontrol pickier about writing into $SESSION_DIR/opd_pipe
Reviewed 0001-Avoid-blindly-writing-to-SESSION_DIR-opd_pipe.patch. Patch looks good, so I committed it.
Reviewed 0002-Ensure-that-save-only-saves-things-in-SESSION_DIR.patch. Looks fine, so it's committed now.
Reviewing 0001-Do-additional-checks-on-user-supplied-arguments.patch . . .
diff --git a/utils/opcontrol b/utils/opcontrol
index b99757a..232052e 100644
@@ -68,7 +68,8 @@ guess_number_base()
# check value is a valid number
- guess_number_base $2
+ error_if_empty "$1" "$2"
+ guess_number_base "$2"
if test "$?" -eq 0 ; then
echo "Argument for $1, $2, is not a valid number." >&2
@@ -85,6 +86,16 @@ error_if_not_basename()
+ error_if_empty "$1" "$2"
+ if [[ ! "$2" =~ $arg_re ]] ; then
Is the above compatible with busybox?
+ echo "Argument for $1, $2, is not valid argument." >&2
+ exit 1
Paul D. Smith
The =~ match operator is a bash-ism and isn't available in any other shell that I'm aware of: certainly it's not available in basic POSIX shells like ash/hush/dash (busybox, ubuntu). FWIW, you can get the behavior you want in the patch below using a POSIX case statement and avoiding bash-specific match operators:
case $2 in
*[!-0-9a-zA-Z_:V,.]*) echo "Argument for $1, $2, is not valid argument." >&2; exit 1;;
(not tested 100%) That basically matches any word which has at least one character that is not a member of that class.
Looks like a number of the other patches also make use of =~. They look trivial to convert to case/esac statements.
The [[ ... ]] test operators are also not POSIX, IIRC. Please stick to using the standard [ ... ] versions. usually it doesn't make a difference.
The patches were tested with "busybox sh" on busybox 1.15.1 and that version of busybox appears to understand "[[ foo =~ bar ]]". So this code definitely fails to work on hush/dash shells?
dash doesn't support [[ ... ]]:
$ if [[ /tmp =~ /tmp ]]; then echo oooh; fi
dash: [[: not found
And what busybox sh supports depends entirely on (a) whether your busybox builds ash or hush, and (b) what optional features you enable in the busybox config. For example on my embedded systems busybox sh (ash) groks [[ ... ]] but not =~:
BusyBox v1.18.3 (2011-03-15 10:26:16 CDT) built-in shell (ash)
Enter 'help' for a list of built-in commands.
# if [[ /tmp =~ /tmp ]]; then echo oooh; fi
[[: =~: unknown operand
This doesn't even begin to address the horror that is, for example, the Solaris /bin/sh but hopefully we can be pretty confident that oprofile doesn't need to be portable to Solaris :-).
Your best bet is to adhere to the standard by reading the text about things you're not sure of, and test with dash. I'm not aware of too many things that dash supports that are not supported by all other POSIX/Bourne-derived shells. I think redhat has a dash package available?
Updated for improved posix compliance
I reviewed 0001-Avoid-blindly-source-SETUP_FILE-with-.-PR3303383.patch and it looks fine. Will, you can go ahead and commit it, but could you please add comments for each case statement to indicate the meaning of the glob expressions (for easier maintenance). Thanks.
Will, I forgot to mention . . . please indent the each case statement as is the style for other case statements in opcontrol. Thanks.
Comments for 0002-Do-additional-checks-on-user-supplied-arguments.patch:
- For the --save option, the error_if_not_basename function is called. If the test fails, the error message printed is not helpful at all. Since this error_if_not_basename function is only used by the --save option (at this time), perhaps it would be best to integrate into the --save case statement and print a more meaningful message.
- There are a couple places where you have calls to error_if_invalid_arg, but have removed the call to error_if_empty. We still should fail if there is no value argument passed.
0003-Avoid-using-in-error_if_not_basename-to-improve-posi.patch looks fine. Please go ahead and commit it.