Commit 797f83dd authored by Kirk Webb's avatar Kirk Webb

Add taint checks at various places to enforce node restrictions

A bit overdue, but here they are.

* Disallow image creation for any taint state on node/image
* Disallow console access for "blackbox" and "useronly" states
* Disallow node_admin for "blackbox" and "useronly" states

TB Admins are exempt from these restrictions.
parent a60cc3f7
...@@ -331,6 +331,11 @@ else { ...@@ -331,6 +331,11 @@ else {
" You do not have permission to create an image from $node\n"); " You do not have permission to create an image from $node\n");
} }
if ($node->IsTainted()) {
die("*** $0:\n".
" $node is tainted - image creation denied.\n");
}
# #
# We need the project id for test below. The target directory for the # We need the project id for test below. The target directory for the
# output file has to be the node project directory, since that is the # output file has to be the node project directory, since that is the
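Review bot: The added `if ($node->IsTainted())` test carries no admin check of its own, so the admin exemption promised in the commit message holds only if this code sits inside a non-admin branch. The enclosing `else {` starts outside the hunk, so that cannot be confirmed from the visible lines. If admins are meant to be exempt, state it at the check with a comment such as `# Non-admin path: any taint state on the node blocks image creation.`, or guard it explicitly the way the node_admin change does with `!$this_user->IsAdmin()`. The message also mentions taint on the image, but only the node is tested in the lines shown.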
......
...@@ -164,11 +164,18 @@ else { ...@@ -164,11 +164,18 @@ else {
if (!$node->IsReserved()) { if (!$node->IsReserved()) {
die("*** $0:\n". die("*** $0:\n".
" Node $n is not reserved; reserve it first!\n"); " Node $n is not reserved; reserve it first!\n");
} }
if ($UID && !$this_user->IsAdmin() && if ($UID && !$this_user->IsAdmin()) {
! $node->AccessCheck($this_user, TB_NODEACCESS_LOADIMAGE)) { if (! $node->AccessCheck($this_user, TB_NODEACCESS_LOADIMAGE)) {
die("*** $0:\n". die("*** $0:\n".
" You are not allowed to put $node into admin mode!\n"); " You are not allowed to put $node into admin mode!\n");
}
if ($node->IsTainted("useronly") ||
$node->IsTainted("blackbox")) {
die("*** $0:\n".
" $node is running a restricted image. Admin mode ".
"not allowed!\n");
}
} }
push(@nodes, $node); push(@nodes, $node);
} }
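Review bot: The restricted states are written as string literals in `$node->IsTainted("useronly") || $node->IsTainted("blackbox")`, and the same pair is repeated in the console-access check in the Python section of this commit. A restrictive taint state added later has to be entered at every site by hand, and a missed site fails open. A single helper or shared list of access-restricting states would keep the enforcement points in step. The whole block is also skipped when `$UID` is 0, not only for admins; a comment such as `# root and TB admins bypass both the access check and the taint check` would record that this is deliberate.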
......
...@@ -3623,6 +3623,20 @@ class node: ...@@ -3623,6 +3623,20 @@ class node:
RESPONSE_FORBIDDEN, RESPONSE_FORBIDDEN,
output=("You do not have permission to access: " output=("You do not have permission to access: "
+ argdict["node"])) + argdict["node"]))
tstates = DBQueryFatal("SELECT taint_states FROM nodes "
"WHERE node_id=%s AND taint_states "
"IS NOT NULL",
(argdict["node"],))
if len(tstates):
for taint in tstates[0][0].split(","):
if (taint in ("useronly","blackbox")):
return EmulabResponse(
RESPONSE_FORBIDDEN,
output=("Node is restricted - console access "
"forbidden: " + argdict["node"]))
pass pass
res = DBQueryFatal("SELECT server,portnum,keylen,keydata " res = DBQueryFatal("SELECT server,portnum,keylen,keydata "
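Review bot: The match in `if (taint in ("useronly","blackbox")):` compares the raw tokens from `tstates[0][0].split(",")`, so any stray whitespace or case difference in `taint_states` would let a restricted node through to the console key query, failing open. If the column is a database SET type the values are probably canonical, but the check is cheap to harden: `taints = {t.strip() for t in tstates[0][0].split(",")}` followed by `if taints & {"useronly", "blackbox"}:`. No admin test is visible around the new lines, so the exemption in the commit message depends on the enclosing block, which starts outside the hunk; a one-line comment saying which callers reach this check would help.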
......