Merge pull request #1418 from DominiqueDevinci/contrib_sce

Fix #528 - Eval SCE script when /tmp is in mode noexec

Author: jan-cerny

src/SCE/sce_engine.c

@@ -362,6 +362,7 @@ xccdf_test_result_type_t sce_engine_eval_rule(struct xccdf_policy *policy, const
 {
 	struct sce_parameters* parameters = (struct sce_parameters*)usr;
 	const char* xccdf_directory = parameters->xccdf_directory;
+	bool use_sce_wrapper = false; // use osca-run-sce-script ?
 
 	char* tmp_href = oscap_sprintf("%s/%s", xccdf_directory, href);
 
@@ -381,27 +382,26 @@ xccdf_test_result_type_t sce_engine_eval_rule(struct xccdf_policy *policy, const
 
 	if (access(tmp_href, F_OK | X_OK))
 	{
-		// again, only to provide helpful error message
-		oscap_seterr(OSCAP_EFAMILY_SCE, "SCE has found script file '%s' at '%s' "
-				"but it isn't executable!", href, tmp_href);
-		free(tmp_href);
-		return XCCDF_RESULT_ERROR;
+		// use the sce wrapper if it's not possible to acquire +x rights
+		use_sce_wrapper = true;
+		dI("%s isn't executable, oscap-run-sce-script will be used.", tmp_href);
 	}
 
 	// all the result codes are shifted by 100, because otherwise syntax errors in scripts
 	// or even their nonexistence would cause XCCDF_RESULT_PASS to be the result
 
-	char* argvp[1 + 1] = {
+	char* argvp[3] = {
 		tmp_href,
-		NULL
+		tmp_href, // the second tmp_href is added in case we use the wrapper (oscap-run-sce-script)
+		NULL      // which need the path of the script to eval as first parameter.
 	};
 
 	// bound values in KEY=VALUE form, ready to be passed as environment variables
 	char ** env_values = malloc(10 * sizeof(char * ));
 	size_t env_value_count = 10;
 	const size_t index_of_first_env_value_not_compiled_in = 10;
 
-	env_values[0] = "PATH=/bin:/sbin:/usr/bin:/usr/sbin";
+	env_values[0] = "PATH=/bin:/sbin:/usr/bin:/usr/local/bin:/usr/sbin";
 
 	env_values[1] = "XCCDF_RESULT_PASS=101";
 	env_values[2] = "XCCDF_RESULT_FAIL=102";
@@ -539,7 +539,11 @@ xccdf_test_result_type_t sce_engine_eval_rule(struct xccdf_policy *policy, const
 #endif
 
 			// we are the child process
-			execve(tmp_href, argvp, env_values);
+
+			if(use_sce_wrapper)
+				execvpe("oscap-run-sce-script", argvp, env_values);
+			else
+				execve(tmp_href, argvp, env_values);
 
 			free_env_values(env_values, index_of_first_env_value_not_compiled_in, env_value_count);
 

utils/CMakeLists.txt

@@ -1,3 +1,7 @@
+install(PROGRAMS "oscap-run-sce-script"
+	DESTINATION ${CMAKE_INSTALL_BINDIR}
+)
+
 if(ENABLE_OSCAP_UTIL)
 	file(GLOB UTILS_SOURCES "*.c")
 	if(HAVE_GETOPT_H)

utils/oscap-run-sce-script

@@ -0,0 +1,24 @@
+#!/bin/bash
+#
+# Authors:
+#      Dominique Blaze <[email protected]>
+#
+# use by oscap for evaluate a SCE file when +x rights are missing
+
+if [ ! -z $1 ] && [ -f $1 ] 
+then
+	# file exists. first check if shebang is here 
+	
+	firstline=$(head -n1 $1)
+	if [ ${firstline:0:2} = "#!" ]
+	then  # it's a shebang
+		cmd=${firstline:2}  # remove the begin (#!)
+		cmd=${cmd##*( )}  # trim whitespaces
+		eval $cmd $1 > /dev/stdout
+	else  # no shebang, trying bash by default ...
+		/usr/bin/env bash $1 > /dev/stdout
+	fi
+	
+else
+	echo "Script file not found: $1" > /dev/stderr
+fi