[secure-mode] Prevent users from attaching db files.

Prevent the users from attaching an external db file which they may not have ownership of. The current authorizer method is hooked in only when the LNAVSECURE variable is set. This is done deliberately, since the method will be called on every sqlite query and I did not want to incur a performance hit. If the scope of this authorizer increases, we should consider passing in the lnav_data as pUserData and do the checks inside the authorizer itself.
8 years ago · e6c87678e9
parent 834fea5f73
commit e6c87678e9
4 changed files with 102 additions and 0 deletions
--- a/src/lnav.cc
+++ b/src/lnav.cc
@ -2476,6 +2476,13 @@ int main(int argc, char *argv[])
        fprintf(stderr, "error: unable to create sqlite memory database\n");
        exit(EXIT_FAILURE);
    }
+    else if (lnav_data.ld_flags & LNF_SECURE_MODE) {
+        if ((sqlite3_set_authorizer(lnav_data.ld_db.in(),
+                                    sqlite_authorizer, NULL)) != SQLITE_OK) {
+            fprintf(stderr, "error: unable to attach sqlite authorizer\n");
+            exit(EXIT_FAILURE);
+        }
+    }

    /* If we statically linked against an ncurses library that had a non-
     * standard path to the terminfo database, we need to set this variable
--- a/src/sql_util.cc
+++ b/src/sql_util.cc
@ -713,3 +713,30 @@ void sqlite_close_wrapper(void *mem)
 {
    sqlite3_close((sqlite3 *)mem);
 }
+
+int sqlite_authorizer(void *pUserData, int action_code, const char *detail1,
+                      const char *detail2, const char *detail3,
+                      const char *detail4)
+{
+    if (action_code == SQLITE_ATTACH)
+    {
+        /* Check to see that the filename is not NULL */
+        if (detail1 != NULL) {
+            string fileName(detail1);
+
+            /* A temporary database is fine. */
+            if (fileName.length()) {
+                 /* In-memory databases are fine.
+                 */
+                if (fileName.compare(":memory:") == 0 ||
+                    fileName.find("file::memory:") == 0 ||
+                    fileName.find("?mode=memory") != string::npos ||
+                    fileName.find("&mode=memory") != string::npos) {
+                    return SQLITE_OK;
+                }
+                return SQLITE_DENY;
+            }
+        }
+    }
+    return SQLITE_OK;
+}
--- a/src/sql_util.hh
+++ b/src/sql_util.hh
@ -87,4 +87,7 @@ int guess_type_from_pcre(const std::string &pattern, const char **collator);
 /* XXX figure out how to do this with the template */
 void sqlite_close_wrapper(void *mem);

+int sqlite_authorizer(void* pUserData, int action_code, const char *detail1,
+                      const char *detail2, const char *detail3,
+                      const char *detail4);
 #endif
--- a/test/test_sql.sh
+++ b/test/test_sql.sh
@ -686,6 +686,71 @@ id first_name last_name age
 1 Lem        Hewitt     35
 EOF

+# Test to see if we can attach a database in LNAVSECURE mode.
+export LNAVSECURE=1
+
+run_test ${lnav_test} -n \
+    -c ";attach database 'simple-db.db' as 'db'" \
+    empty
+
+check_error_output "LNAVSECURE mode bypassed" <<EOF
+error: not authorized
+EOF
+
+run_test ${lnav_test} -n \
+    -c ";attach database ':memdb:' as 'db'" \
+    empty
+
+check_error_output "LNAVSECURE mode bypassed (':' adorned)" <<EOF
+error: not authorized
+EOF
+
+run_test ${lnav_test} -n \
+    -c ";attach database '/tmp/memdb' as 'db'" \
+    empty
+
+check_error_output "LNAVSECURE mode bypassed (filepath)" <<EOF
+error: not authorized
+EOF
+
+run_test ${lnav_test} -n \
+    -c ";attach database 'file:memdb?cache=shared' as 'db'" \
+    empty
+
+check_error_output "LNAVSECURE mode bypassed (URI)" <<EOF
+error: not authorized
+EOF
+
+run_test ${lnav_test} -n \
+    -c ";attach database '' as 'db'" \
+    empty
+
+check_error_output "Failed to create a temporary db in LNAVSECURE mode" <<EOF
+EOF
+
+run_test ${lnav_test} -n \
+    -c ";attach database ':memory:' as 'db'" \
+    empty
+
+check_error_output "Failed to create an in-memory db in LNAVSECURE mode" <<EOF
+EOF
+
+run_test ${lnav_test} -n \
+    -c ";attach database 'file:memdb?mode=memory' as 'db'" \
+    empty
+
+check_error_output "Failed to create a in-memory db (URI) in LNAVSECURE mode" <<EOF
+EOF
+
+run_test ${lnav_test} -n \
+    -c ";attach database 'file:memdb?cache=shared&mode=memory' as 'db'" \
+    empty
+
+check_error_output "Failed to create a in-memory db (URI2) in LNAVSECURE mode" <<EOF
+EOF
+
+unset LNAVSECURE
+

 touch -t 201503240923 ${test_dir}/logfile_syslog_with_access_log.0
 run_test ${lnav_test} -n \