Salt: Feature request: blacklist/whitelist commands executed via cmd.run

Created on 4 Dec 2013 · 20 Comments · Source: saltstack/salt

Hi,

It would be great if Salt could be configured to whitelist or blacklist certain commands to be executed via cmd.run. This way you could be sure that, for example, no one would execute by mistake (or on purpose!) something like "shutdown -r now" or "rm -rf /" on all your minions.

I've searched the docs and asked on salt-users, but it seems this is currently not possible. Are there plans to implement something like this?

Thanks in advance.

Core Feature stale

All 20 comments

http://docs.saltstack.com/ref/configuration/minion.html#user

You can add a user and give it any privileges you want - or deny everything you want; and you can configure salt-minion to run as this user.

On 04/12/13 15:51, Dmitry Malinovskiy wrote:

http://docs.saltstack.com/ref/configuration/minion.html#user

You can add a user and give it any privileges you want - or deny
everything you want; and you can configure salt-minion to run as this
user.

It's a good tip, but a bit overkill. I wouldn't be able to do many things that need root privileges. My aim is just to filter out the most dangerous commands, not to disallow Salt from making any system changes.

Thanks anyway,

Roberto Suárez Soto
Allenta Consulting http://www.allenta.com (+34 881 922 600)
ISO 9001, ISO 14001, ISO 27001, EMAS
http://www.allenta.com/certificaciones
Privacidad / Privacy
https://www.allenta.com/privacidad-del-correo-electronico

I think it's quite simple to create a user salt and add this line to /etc/sudoers:

salt ALL = NOPASSWD: ALL, !/bin/rm -rf /, !/sbin/shutdown -r now

This allows running everything without asking for a password, except /bin/rm -rf / and /sbin/shutdown -r now.

Although this is doable on a system level, I think it would be useful to be able to define blacklisted/whitelisted commands for cmd.run. We could even incorporate it into client_acl, probably. Thanks for the request!

@basepi when will we have the ability to define blacklisted/whitelisted commands for cmd.run? I mean through states or the execution module.

Unfortunately right now our primary focus is on fixing bugs, so I don't have an ETA for this feature.

@basepi I am trying to work on this feature. Currently I have modified the run() function of the cmd state module; the result is as you see. It will check the whole command, echo "hello", not just echo, against the whitelist in the minion configuration.

what do you think ?

[screenshot from 2015-11-09 08-07-37]

@mostafahussein I think this would be a cool feature! What are you using for the minion opt for the whitelist? cmd_run_whitelist or something? We could also make it configurable via pillar/grains if we just use config.get to get the whitelist. It should also be off by default -- if the whitelist is empty or None, then it should allow all commands.

But yeah, I think you should probably submit a pull request!

@basepi I am getting the whitelist by calling config.get, then matching the command that was passed through the cmd.run state module; if it's not there it returns False, as in the screenshot above. It was just one command for a demo. I will continue on this feature with as many cases as possible.

Should I leave it as a whitelist, where you allow specific commands only? Or make it a blacklist, where you will be able to block specific commands?

Personally, I would love having both a blacklist and a whitelist. But if only one of them is possible, I'd prefer a whitelist.

I may be able to make both black and white lists, but what if you have a command* that doesn't belong to either of these lists? Should I consider it blacklisted by default unless you want to run this command* through cmd.run?

*Note: by command I mean the whole line, including the command options and arguments, as in echo "foo" or rm -rf MyDir.

If you have any other cases feel free to share them with us and I will try to achieve what I can ^_^

@mostafahussein yes, I'd consider everything blacklisted by default, unless explicitly added to the whitelist. Just make the whitelist optional for those who need to execute many different commands.

Thanks for your effort, by the way!

Hi all. It's a good idea to be able to restrict it. I assume you mean that if you have a whitelist, those are the only commands you can run (some sort of pattern-matching list).
If you have a blacklist you can run anything which does not match. If both lists existed, then you would need to match the whitelist and not match the blacklist.

Is there a link to the code? I was wondering whether the whitelist (or blacklist) required an exact match, or if it was a list of regex patterns.

Hello loren, unfortunately I haven't pushed the code to GitHub yet; I will try to make it available as soon as possible.

And for your question: yes, currently it searches for an exact match. I will try to make it support regex patterns too, so you can block a specific command without worrying about the rest of the line, e.g. if you want to block rm.
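The semantics worked out in the last few comments (whitelist optional and off when empty, blacklist consulted last, entries as regex patterns rather than exact strings, the whole command line including arguments being matched) can be put together as a custom execution module that wraps cmd.run, which is also the route the last comment in the thread points at. The following is an added example written for this page, not Salt's own code and not the patch discussed above; the module name guarded_cmd, the option names cmd_run_whitelist and cmd_run_blacklist, and the sample policy are assumptions. Patterns are Python regexes matched against the whole line with re.fullmatch, so a literal entry containing regex metacharacters must be written with re.escape.

```python
"""guarded_cmd: a cmd.run wrapper with a whitelist/blacklist read via config.get.

Added example for this page (assumed names), not code from the Salt project.
Install by dropping it into the _modules directory of the file server and
running saltutil.sync_modules; call as: salt '*' guarded_cmd.run 'uptime'
"""
import re
import shlex

try:
    from salt.exceptions import CommandExecutionError
except ImportError:  # stand-alone use without Salt installed
    class CommandExecutionError(Exception):
        pass

# __salt__ is injected by the Salt loader; stand-alone it does not exist.
try:
    __salt__
except NameError:
    __salt__ = {}

__virtualname__ = "guarded_cmd"

# Constructed sample policy, as it would look in /etc/salt/minion (or pillar):
#   cmd_run_whitelist:
#     - 'uptime'
#     - 'systemctl (status|restart) [\w.@-]+'
#   cmd_run_blacklist:
#     - '.*\brm\b.*'
#     - '.*\bshutdown\b.*'
SAMPLE_WHITELIST = [r"uptime", r"systemctl (status|restart) [\w.@-]+"]
SAMPLE_BLACKLIST = [r".*\brm\b.*", r".*\bshutdown\b.*"]


def __virtual__():
    return __virtualname__


def _normalize(cmd):
    """Render a list-form command as the single line a user would type, so both
    cmd.run calling conventions are matched the same way."""
    if isinstance(cmd, (list, tuple)):
        return " ".join(shlex.quote(str(a)) for a in cmd)
    return str(cmd).strip()


def _first_match(line, patterns):
    """Return the first pattern that fully matches the whole line, else None.
    fullmatch anchors both ends, so an entry like 'uptime' is effectively exact."""
    for pat in patterns or []:
        if re.fullmatch(pat, line):
            return pat
    return None


def check_command(cmd, whitelist=None, blacklist=None):
    """Decide whether cmd may run. Returns (allowed, reason).

    - no whitelist configured: filtering is off, everything passes to the blacklist;
    - whitelist configured: the line must match one entry;
    - blacklist is consulted last, so a blacklist hit always wins.
    """
    line = _normalize(cmd)
    if whitelist and _first_match(line, whitelist) is None:
        return False, "command %r is not on cmd_run_whitelist" % line
    hit = _first_match(line, blacklist)
    if hit is not None:
        return False, "command %r matches cmd_run_blacklist entry %r" % (line, hit)
    return True, "allowed"


def run(cmd, **kwargs):
    """Drop-in for cmd.run: refuse anything the policy rejects, else delegate."""
    whitelist = __salt__["config.get"]("cmd_run_whitelist", [])
    blacklist = __salt__["config.get"]("cmd_run_blacklist", [])
    allowed, reason = check_command(cmd, whitelist, blacklist)
    if not allowed:
        raise CommandExecutionError(reason)
    return __salt__["cmd.run"](cmd, **kwargs)


def demo():
    """Evaluate a few constructed command lines against the sample policy."""
    samples = ["uptime", "systemctl restart nginx", "rm -rf /", "rm -r -f /",
               "systemctl restart nginx; rm -rf /", ["shutdown", "-r", "now"]]
    return {_normalize(c): check_command(c, SAMPLE_WHITELIST, SAMPLE_BLACKLIST)[0]
            for c in samples}


if __name__ == "__main__":
    for line, ok in demo().items():
        print("%-36s %s" % (line, "allowed" if ok else "blocked"))
```

Two things worth noting about what this buys you. A filter that inspects the command string, whether it is this module or the sudoers `!` entries suggested earlier in the thread, only catches the spellings it was written for: an exact entry for `rm -rf /` says nothing about `rm -r -f /`, `/bin/rm -rf /` or `busybox rm`, and a blacklist can be sidestepped entirely with `sh -c` or shell quoting tricks, which is why the whitelist mode with fully anchored patterns is the one that gives assurance (in the sample policy the chained `systemctl restart nginx; rm -rf /` fails the whitelist, not the blacklist). And the check lives in this module only: a state or another module that calls cmd.run directly bypasses it, so it guards against mistakes from the CLI rather than acting as a privilege boundary, which is exactly the goal the issue reporter describes.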

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

If this issue is closed prematurely, please leave a comment and we will gladly reopen the issue.

Hi,
has there been any work on this?

Thank you for updating this issue. It is no longer marked as stale.

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

If this issue is closed prematurely, please leave a comment and we will gladly reopen the issue.

I would like to upvote this.

Meanwhile, I take it a custom module is the way to go? Ref https://docs.saltstack.com/en/latest/ref/modules/
