250 lines
6.9 KiB
Go
250 lines
6.9 KiB
Go
package security
|
|
|
|
import (
|
|
"fmt"
|
|
"os"
|
|
"os/exec"
|
|
"syscall"
|
|
|
|
"git.gostacks.org/iwasforcedtobehere/WiseTLP/autotlp/pkg/utils"
|
|
)
|
|
|
|
// PrivilegeManager handles privilege escalation and security operations
|
|
type PrivilegeManager struct {
|
|
logger *utils.Logger
|
|
}
|
|
|
|
// NewPrivilegeManager creates a new privilege manager
|
|
func NewPrivilegeManager(logger *utils.Logger) *PrivilegeManager {
|
|
return &PrivilegeManager{
|
|
logger: logger.WithComponent("security"),
|
|
}
|
|
}
|
|
|
|
// RequireRoot ensures the current operation has root privileges
|
|
func (pm *PrivilegeManager) RequireRoot(operation string) error {
|
|
if os.Geteuid() == 0 {
|
|
return nil
|
|
}
|
|
|
|
pm.logger.Info("Root privileges required", "operation", operation)
|
|
return fmt.Errorf("operation '%s' requires root privileges", operation)
|
|
}
|
|
|
|
// EscalateIfNeeded escalates privileges if not already running as root
|
|
func (pm *PrivilegeManager) EscalateIfNeeded(args []string, operation string) error {
|
|
if os.Geteuid() == 0 {
|
|
return nil
|
|
}
|
|
|
|
pm.logger.Info("Escalating privileges", "operation", operation)
|
|
|
|
// Check if sudo is available
|
|
if !utils.CommandExists("sudo") {
|
|
return fmt.Errorf("sudo is required for privilege escalation but not available")
|
|
}
|
|
|
|
// Inform user about privilege escalation
|
|
fmt.Printf("\nPrivilege escalation required for: %s\n", operation)
|
|
fmt.Println("This operation needs administrative privileges to:")
|
|
|
|
switch operation {
|
|
case "install_tlp":
|
|
fmt.Println("- Install TLP packages using system package manager")
|
|
fmt.Println("- Enable and start TLP systemd service")
|
|
fmt.Println("- Mask conflicting power management services")
|
|
case "apply_config":
|
|
fmt.Println("- Write TLP configuration to system directories")
|
|
fmt.Println("- Reload TLP service with new configuration")
|
|
case "system_info":
|
|
fmt.Println("- Access hardware information from system files")
|
|
fmt.Println("- Read power management settings")
|
|
default:
|
|
fmt.Printf("- Perform system operation: %s\n", operation)
|
|
}
|
|
|
|
if !utils.GetUserConfirmation("Continue with privilege escalation?") {
|
|
return fmt.Errorf("privilege escalation declined by user")
|
|
}
|
|
|
|
// Execute with sudo
|
|
return pm.executeSudo(args)
|
|
}
|
|
|
|
// executeSudo executes the current program with sudo
|
|
func (pm *PrivilegeManager) executeSudo(args []string) error {
|
|
// Get current executable path
|
|
executable, err := os.Executable()
|
|
if err != nil {
|
|
return fmt.Errorf("failed to get executable path: %w", err)
|
|
}
|
|
|
|
// Prepare sudo command
|
|
sudoArgs := append([]string{executable}, args...)
|
|
cmd := exec.Command("sudo", sudoArgs...)
|
|
|
|
// Preserve environment variables that might be needed
|
|
cmd.Env = os.Environ()
|
|
|
|
// Connect stdio
|
|
cmd.Stdin = os.Stdin
|
|
cmd.Stdout = os.Stdout
|
|
cmd.Stderr = os.Stderr
|
|
|
|
pm.logger.Info("Executing with sudo", "command", cmd.String())
|
|
|
|
// Execute the command
|
|
err = cmd.Run()
|
|
if err != nil {
|
|
if exitError, ok := err.(*exec.ExitError); ok {
|
|
// Get exit code from the elevated process
|
|
if status, ok := exitError.Sys().(syscall.WaitStatus); ok {
|
|
os.Exit(status.ExitStatus())
|
|
}
|
|
}
|
|
return fmt.Errorf("sudo execution failed: %w", err)
|
|
}
|
|
|
|
// If we reach here, the elevated process completed successfully
|
|
os.Exit(0)
|
|
return nil // This line will never be reached
|
|
}
|
|
|
|
// CheckSudoAccess verifies that the user can use sudo
|
|
func (pm *PrivilegeManager) CheckSudoAccess() error {
|
|
if os.Geteuid() == 0 {
|
|
return nil // Already root
|
|
}
|
|
|
|
if !utils.CommandExists("sudo") {
|
|
return fmt.Errorf("sudo command not available")
|
|
}
|
|
|
|
// Test sudo access with a harmless command
|
|
cmd := exec.Command("sudo", "-n", "true")
|
|
if err := cmd.Run(); err != nil {
|
|
// -n flag failed, user needs to authenticate
|
|
pm.logger.Debug("Sudo authentication required")
|
|
return nil // This is expected for most users
|
|
}
|
|
|
|
pm.logger.Debug("Sudo access confirmed without authentication")
|
|
return nil
|
|
}
|
|
|
|
// DropPrivileges drops root privileges if running as root
|
|
func (pm *PrivilegeManager) DropPrivileges() error {
|
|
if os.Geteuid() != 0 {
|
|
return nil // Not running as root
|
|
}
|
|
|
|
// Get the original user info from environment
|
|
sudoUID := os.Getenv("SUDO_UID")
|
|
sudoGID := os.Getenv("SUDO_GID")
|
|
|
|
if sudoUID == "" || sudoGID == "" {
|
|
pm.logger.Warn("Cannot drop privileges: SUDO_UID/SUDO_GID not set")
|
|
return nil // Don't fail, just log warning
|
|
}
|
|
|
|
pm.logger.Info("Dropping root privileges", "uid", sudoUID, "gid", sudoGID)
|
|
|
|
// This is a placeholder - actual privilege dropping requires careful handling
|
|
// and is typically done at the start of the program, not mid-execution
|
|
pm.logger.Debug("Privilege dropping not implemented for mid-execution")
|
|
|
|
return nil
|
|
}
|
|
|
|
// ValidateSystemAccess validates that the program has necessary system access
|
|
func (pm *PrivilegeManager) ValidateSystemAccess() error {
|
|
// Check read access to system information
|
|
systemPaths := []string{
|
|
"/proc/cpuinfo",
|
|
"/proc/meminfo",
|
|
"/sys/class/power_supply",
|
|
"/sys/devices/system/cpu",
|
|
}
|
|
|
|
for _, path := range systemPaths {
|
|
if utils.FileExists(path) {
|
|
// Try to read the file/directory
|
|
if file, err := os.Open(path); err != nil {
|
|
pm.logger.Warn("Limited access to system path", "path", path, "error", err)
|
|
} else {
|
|
file.Close()
|
|
}
|
|
}
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// SecureFilePermissions sets secure permissions on configuration files
|
|
func (pm *PrivilegeManager) SecureFilePermissions(filePath string) error {
|
|
// Set file permissions to be readable only by owner and group
|
|
if err := os.Chmod(filePath, 0640); err != nil {
|
|
return fmt.Errorf("failed to set secure permissions on %s: %w", filePath, err)
|
|
}
|
|
|
|
pm.logger.Debug("Set secure file permissions", "file", filePath, "mode", "0640")
|
|
return nil
|
|
}
|
|
|
|
// ValidateInput performs basic input validation for security
|
|
func ValidateInput(input string, maxLength int, allowedChars string) error {
|
|
if len(input) > maxLength {
|
|
return fmt.Errorf("input too long: %d characters (max %d)", len(input), maxLength)
|
|
}
|
|
|
|
if len(input) == 0 {
|
|
return fmt.Errorf("input cannot be empty")
|
|
}
|
|
|
|
// Basic validation against null bytes and control characters
|
|
for i, r := range input {
|
|
if r == 0 {
|
|
return fmt.Errorf("null byte at position %d", i)
|
|
}
|
|
if r < 32 && r != 9 && r != 10 && r != 13 { // Allow tab, LF, CR
|
|
return fmt.Errorf("control character at position %d", i)
|
|
}
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
// SanitizeFilePath sanitizes file paths to prevent directory traversal
|
|
func SanitizeFilePath(path string) (string, error) {
|
|
// Basic path validation
|
|
if path == "" {
|
|
return "", fmt.Errorf("empty path")
|
|
}
|
|
|
|
// Check for directory traversal attempts
|
|
if len(path) > 1 && (path[0] == '/' || path[1] == ':') {
|
|
// Absolute path - this might be intentional, so we allow it
|
|
// but log it for security awareness
|
|
}
|
|
|
|
// Check for dangerous patterns
|
|
dangerousPatterns := []string{
|
|
"../",
|
|
"..\\",
|
|
"./",
|
|
".\\",
|
|
}
|
|
|
|
for _, pattern := range dangerousPatterns {
|
|
if len(path) >= len(pattern) {
|
|
for i := 0; i <= len(path)-len(pattern); i++ {
|
|
if path[i:i+len(pattern)] == pattern {
|
|
return "", fmt.Errorf("potentially dangerous path pattern: %s", pattern)
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
return path, nil
|
|
}
|