Re: rpcd / acl.d problem
On 2024-03-02 19:50, Jo-Philipp Wich wrote:
> Hi.
>
> You need a double backslash to escape the backslash itself.
>
>     "/usr/bin/find -L /dev -maxdepth 3 -type c -name lp\\[0-9\\]": ["exec"]
>
> ~ Jo

No go. Still 403. Pretty sure I've tried all workable permutations in the js and JSON of escaping. Restarted rpcd and cleared browser cache between every new test.

JSON:

    "/usr/bin/find -L /dev -maxdepth 3 -type c -name lp\\[0-9\\]": ["exec"]

JS:

    fs.exec_direct('/usr/bin/find', [ '-L', '/dev', '-maxdepth', '3', '-type', 'c', '-name', 'lp[0-9]' ])... 403

___
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel

rpcd / acl.d problem
Can this be fixed or is lib micro box the limitation?

See jow's commit for the current apex of permission strings:
https://git.openwrt.org/?p=project/rpcd.git;a=commitdiff;h=aaa08366e6384d9933a405d1218b03c1b167f9e5

In https://github.com/openwrt/luci/pull/6907 I encountered a permissions problem. The command to permit is:

    /usr/bin/find -L /dev -maxdepth 3 -type c -name lp[0-9]

That is, the find command needs a regex of lp[0-9], to find only the following:

    lp0
    lp1
    ...
    lp9

The find man page says:

    -name pattern
        True if the last component of the pathname being examined matches
        pattern. Special shell pattern matching characters (“[”, “]”, “*”,
        and “?”) may be used as part of pattern. These characters may be
        matched explicitly by escaping them with a backslash (“\”).

The acl.d file expects a filter in the /root/usr/share/rpcd/acl.d/luci-*.json JSON, but it does not understand the literal command:

    "/usr/bin/find -L /dev -maxdepth 3 -type c -name lp[0-9]": ["exec"]

causes 403. It anticipates lp0, lp1, ... in the command.

    "/usr/bin/find -L /dev -maxdepth 3 -type c -name lp\[0-9\]": ["exec"]

Also causes 403 but the page does not even load. My JSON parser dislikes this also.

So the workaround is to use the glob: *

    /usr/bin/find -L /dev -maxdepth 3 -type c -name lp*

where the author of the above commit says: "(do not use glob *, as) This will prevent unwanted parameter injection."

¯\_(ツ)_/¯
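
An added example, not part of either message and not rpcd's own code: it checks the ACL keys tried in this thread against the command line from the fs.exec_direct() call, and against a constructed command line with an extra argument appended. It assumes the key is compared to the space-joined command line with fnmatch(3) and FNM_NOESCAPE (an assumption consistent with the 403s reported above, not something the thread states); acl_permits() and the "lp[[]0-9]" key are hypothetical.

```c
#include <fnmatch.h>
#include <stdio.h>

#define PREFIX "/usr/bin/find -L /dev -maxdepth 3 -type c -name "

/* Returns 1 if the ACL key, treated as a glob, permits the command line.
 * Assumption: backslash is not an escape character (FNM_NOESCAPE). */
static int acl_permits(const char *key, const char *cmdline)
{
    return fnmatch(key, cmdline, FNM_NOESCAPE) == 0;
}

/* Command line as built from the fs.exec_direct() arguments in the thread. */
static const char *wanted = PREFIX "lp[0-9]";
/* Constructed command line: same command with one more argument appended. */
static const char *extended = PREFIX "lp0 -print";

/* ACL keys as they look after JSON decoding. */
static const char *key_literal = PREFIX "lp[0-9]";     /* first attempt */
static const char *key_escaped = PREFIX "lp\\[0-9\\]"; /* JSON lp\\[0-9\\] */
static const char *key_star    = PREFIX "lp*";         /* glob workaround */
/* Hypothetical key: "[[]" is a bracket expression matching a literal '[',
 * so no backslash is needed; the trailing "0-9]" is then plain text. */
static const char *key_bracket = PREFIX "lp[[]0-9]";

int main(void)
{
    const char *keys[] = { key_literal, key_escaped, key_star, key_bracket };

    for (size_t i = 0; i < sizeof(keys) / sizeof(keys[0]); i++)
        printf("%-68s wanted=%d extended=%d\n", keys[i],
               acl_permits(keys[i], wanted),
               acl_permits(keys[i], extended));
    return 0;
}
```

Under that assumption the first two keys reject the requested command line, "lp*" accepts it together with the extended one, and the bracket form accepts only the exact command line.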