Tree - source-git/scap-workbench

source-git / scap-workbench

Files

Commit: df0183263d9c06f81ff715dbe4e90566b2b1345c

Blob Blame History Raw

 #!/bin/bash
# Copyright 2014 Red Hat Inc., Durham, North Carolina.
# All Rights Reserved.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
set -u -o pipefail
 
trap "" SIGHUP SIGINT
 
# pkexec writes a message to stderr when user dismisses it, we always skip 1 line.
# if user did not dismiss it we should print a dummy line to stderr so that nothing
# valuable gets skipped
echo "Dummy text" 1>&2
 
wrapper_uid=$1
shift
wrapper_gid=$1
shift
 
real_uid=`id -u`
real_gid=`id -g`
 
TEMP_DIR=`mktemp -d`
 
args=("$@")
 
# We have to rewrite result targets to a priv temp dir. We will later
# chown that dir to the target uid:gid and copy things where they belong
# using permissions of that user ONLY!
for i in $(seq 0 `expr $# - 1`); do
    let j=i+1
 
    case "${args[i]}" in
    ("--results")
        TARGET_RESULTS_XCCDF="${args[j]}"
        args[j]="$TEMP_DIR/results-xccdf.xml"
      ;;
    ("--results-arf")
        TARGET_RESULTS_ARF="${args[j]}"
        args[j]="$TEMP_DIR/results-arf.xml"
      ;;
    ("--report")
        TARGET_REPORT="${args[j]}"
        args[j]="$TEMP_DIR/report.html"
      ;;
    *)
      ;;
    esac
done
 
LOCAL_OSCAP="oscap"
 
pushd "$TEMP_DIR" > /dev/null
$LOCAL_OSCAP "${args[@]}" &
PID=$!
RET=1
 
while kill -0 $PID 2> /dev/null; do
    # check if the stdin is still available but return in one second
    read -t 1 dummy
    ret=$?
    if [ 0 -lt $ret -a $ret -lt 128 ]; then
        # If read failed & it was not due to timeout --> parents are gone.
        kill -s SIGTERM $PID 2> /dev/null
        break
    fi
done
 
wait $PID
RET=$?
 
popd > /dev/null
 
function chown_copy
{
    local what="$1"
    local where="$2"
 
    [ ! -f "$what" ] || cp "$what" "$where"
 
    # chown only required if wrapper_{uid,gid} differs from real_{uid,gid}
    if [ $wrapper_uid -ne $real_uid ] || [ $wrapper_gid -ne $real_gid ]; then
        chown $wrapper_uid:$wrapper_gid "$where"
    fi
}
 
chown_copy "$TEMP_DIR/results-xccdf.xml" "$TARGET_RESULTS_XCCDF"
chown_copy "$TEMP_DIR/results-arf.xml" "$TARGET_RESULTS_ARF"
chown_copy "$TEMP_DIR/report.html" "$TARGET_REPORT"
 
rm -r "$TEMP_DIR"
 
exit $RET

	#!/bin/bash

	# Copyright 2014 Red Hat Inc., Durham, North Carolina.
	# All Rights Reserved.
	#
	# This program is free software: you can redistribute it and/or modify
	# it under the terms of the GNU General Public License as published by
	# the Free Software Foundation, either version 3 of the License, or
	# (at your option) any later version.
	#
	# This program is distributed in the hope that it will be useful,
	# but WITHOUT ANY WARRANTY; without even the implied warranty of
	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	# GNU General Public License for more details.
	#
	# You should have received a copy of the GNU General Public License
	# along with this program. If not, see <http://www.gnu.org/licenses/>.

	set -u -o pipefail

	trap "" SIGHUP SIGINT

	# pkexec writes a message to stderr when user dismisses it, we always skip 1 line.
	# if user did not dismiss it we should print a dummy line to stderr so that nothing
	# valuable gets skipped
	echo "Dummy text" 1>&2

	wrapper_uid=$1
	shift
	wrapper_gid=$1
	shift

	real_uid=`id -u`
	real_gid=`id -g`

	TEMP_DIR=`mktemp -d`

	args=("$@")

	# We have to rewrite result targets to a priv temp dir. We will later
	# chown that dir to the target uid:gid and copy things where they belong
	# using permissions of that user ONLY!
	for i in $(seq 0 `expr $# - 1`); do
	let j=i+1

	case "${args[i]}" in
	("--results")
	TARGET_RESULTS_XCCDF="${args[j]}"
	args[j]="$TEMP_DIR/results-xccdf.xml"
	;;
	("--results-arf")
	TARGET_RESULTS_ARF="${args[j]}"
	args[j]="$TEMP_DIR/results-arf.xml"
	;;
	("--report")
	TARGET_REPORT="${args[j]}"
	args[j]="$TEMP_DIR/report.html"
	;;
	*)
	;;
	esac
	done

	LOCAL_OSCAP="oscap"

	pushd "$TEMP_DIR" > /dev/null
	$LOCAL_OSCAP "${args[@]}" &
	PID=$!
	RET=1

	while kill -0 $PID 2> /dev/null; do
	# check if the stdin is still available but return in one second
	read -t 1 dummy
	ret=$?
	if [ 0 -lt $ret -a $ret -lt 128 ]; then
	# If read failed & it was not due to timeout --> parents are gone.
	kill -s SIGTERM $PID 2> /dev/null
	break
	fi
	done

	wait $PID
	RET=$?

	popd > /dev/null

	function chown_copy
	{
	local what="$1"
	local where="$2"

	[ ! -f "$what" ] \|\| cp "$what" "$where"

	# chown only required if wrapper_{uid,gid} differs from real_{uid,gid}
	if [ $wrapper_uid -ne $real_uid ] \|\| [ $wrapper_gid -ne $real_gid ]; then
	chown $wrapper_uid:$wrapper_gid "$where"
	fi
	}

	chown_copy "$TEMP_DIR/results-xccdf.xml" "$TARGET_RESULTS_XCCDF"
	chown_copy "$TEMP_DIR/results-arf.xml" "$TARGET_RESULTS_ARF"
	chown_copy "$TEMP_DIR/report.html" "$TARGET_REPORT"

	rm -r "$TEMP_DIR"

	exit $RET

source-git / scap-workbench

Source Code

Files