Problem with exec shell_escape option
Brian Candler
b.candler at pobox.com
Wed Dec 21 19:42:42 CET 2016

I'm trying to get exec to pass a string as an argument without any shell
quoting, but not succeeding. This is with freeradius 3.0.12 under Ubuntu
16.04.

[Aside: what I'm actually trying to do is invoke an external change
password program using an exec expansion in local_cpw in rlm_mschap,
following the example given:

    # local_cpw = "%{exec:/path/to/script %{mschap:User-Name} %{MS-CHAP-New-Cleartext-Password}}"

But I'm finding that passwords with special characters are being mangled]

I can reproduce this using exec by itself. Here are 4 combinations:
shell_escape = {yes,no} and expansion argument quoted/not quoted.

# mods-available/exec - I left the original exec in there and added:

    exec exec1 {
        wait = yes
        input_pairs = request
        shell_escape = no
        timeout = 10
    }
    exec exec2 {
        wait = yes
        input_pairs = request
        shell_escape = yes
        timeout = 10
    }

# policy.d/testpolicy

    testpolicy {
        update request {
            &Tmp-String-0 := " foo ' bar \" baz \\ qux "
            &Tmp-String-1 := "%{exec1:/usr/local/bin/showarg %{Tmp-String-0}}"
            &Tmp-String-2 := "%{exec1:/usr/local/bin/showarg '%{Tmp-String-0}'}"
            &Tmp-String-3 := "%{exec2:/usr/local/bin/showarg %{Tmp-String-0}}"
            &Tmp-String-4 := "%{exec2:/usr/local/bin/showarg '%{Tmp-String-0}'}"
        }
    }

# /usr/local/bin/showarg

    #!/bin/sh
    echo "Arg is <$1>" >>/tmp/exec.log

Results:

- 1 and 3 fail with "rad_expand_xlat: Invalid string passed as argument"
- 2 and 4 both apply shell quoting to the argument

# cat /tmp/exec.log
Arg is <\ foo\ \'\ bar\ "\ baz\ \ qux\ >
Arg is <\ foo\ \'\ bar\ "\ baz\ \ qux\ >

Debug output:
(0) policy testpolicy {
(0) update request {
(0) &Tmp-String-0 := " foo ' bar \" baz \\ qux "
(0) Executing: /usr/local/bin/showarg \ foo\ \'\ bar\ "\ baz\ \\
qux\ :
rad_expand_xlat: Invalid string passed as argument
invalid command line '/usr/local/bin/showarg \ foo\ \'\ bar\ "\ baz\ \\
qux\ '.
(0) EXPAND %{exec1:/usr/local/bin/showarg %{Tmp-String-0}}
(0) -->
(0) &Tmp-String-1 :=
(0) Executing: /usr/local/bin/showarg '\ foo\ \'\ bar\ "\ baz\
\\ qux\ ':
(0) Program returned code (0) and output ''
(0) EXPAND %{exec1:/usr/local/bin/showarg '%{Tmp-String-0}'}
(0) -->
(0) &Tmp-String-2 :=
(0) Executing: /usr/local/bin/showarg \ foo\ \'\ bar\ "\ baz\ \\
qux\ :
rad_expand_xlat: Invalid string passed as argument
invalid command line '/usr/local/bin/showarg \ foo\ \'\ bar\ "\ baz\ \\
qux\ '.
(0) EXPAND %{exec2:/usr/local/bin/showarg %{Tmp-String-0}}
(0) -->
(0) &Tmp-String-3 :=
(0) Executing: /usr/local/bin/showarg '\ foo\ \'\ bar\ "\ baz\
\\ qux\ ':
(0) Program returned code (0) and output ''
(0) EXPAND %{exec2:/usr/local/bin/showarg '%{Tmp-String-0}'}
(0) -->
(0) &Tmp-String-4 :=
(0) } # update request = noop
(0) } # policy testpolicy = noop

So it looks like the shell_escape setting isn't doing anything. What am
I missing?

Thanks,

Brian.

P.S. There is something else confusing. In raddb/mods-available/exec it
says:

    # Execute external programs
    #
    # This module is useful only for 'xlat'. To use it,
    # put 'exec' into the 'instantiate' section. You can then
    # do dynamic translation of attributes like:
    #
    # Attribute-Name = `%{exec:/path/to/program args}`

However, I can see from the source that it has hooks for the various
module lifecycle stages; indeed, the sites-available/default config
invokes it in the accounting and post-auth stages:

    # For Exec-Program and Exec-Program-Wait
    exec

So is the comment that exec is "useful only for 'xlat'" incorrect?
I've checked the obvious places for documentation with no luck:

- http://wiki.freeradius.org/search?q=exec
- man rlm_exec (not found)

But in any case, it doesn't affect the main issue here, since local_cpw
has to use a string expansion anyway.