Merge pull request #270 from matejak/remote_with_sudo

Implement possibility to scan by sudoers.

Author: matusmarhefka

doc/user_manual.adoc

@@ -363,6 +363,17 @@ files are not supported yet!
 .Selecting a remote machine for scanning
 image::scanning_remote_machine.png[align="center"]
 
+The remote user doesn't have to be a superuser - you can setup the remote
+`/etc/sudoers` file (using `visudo`) to enable the paswordless sudo for that particular user,
+and you check the "user is sudoer" checkbox.
+
+For example, if the scanning user is `oscap-user`, that would involve putting
+
+   oscap-user ALL=(root) NOPASSWD: /usr/bin/oscap xccdf eval *
+
+user specification into the `sudoers` file, or into a separate file
+that is included by `sudoers` s.a. `/etc/sudoers.d/99-oscap-user`.
+
 === Enable Online Remediation (optional)
 
 ****

include/OscapScannerRemoteSsh.h

@@ -31,17 +31,24 @@ class OscapScannerRemoteSsh : public OscapScannerBase
     Q_OBJECT
 
     public:
-        static void splitTarget(const QString& in, QString& target, unsigned short& port);
+        static void splitTarget(const QString& in, QString& target, unsigned short& port, bool& userIsSudoer);
 
         OscapScannerRemoteSsh();
         virtual ~OscapScannerRemoteSsh();
 
+        bool getUserIsSudoer() const;
+        void setUserIsSudoer(bool userIsSudoer);
         virtual void setTarget(const QString& target);
         virtual void setSession(ScanningSession* session);
 
         virtual QStringList getCommandLineArgs() const;
         virtual void evaluate();
 
+    protected:
+
+       virtual void selectError(MessageType& kind, const QString& message);
+       virtual void processError(QString& message);
+
     private:
         void ensureConnected();
 
@@ -57,6 +64,7 @@ class OscapScannerRemoteSsh : public OscapScannerBase
         void removeRemoteDirectory(const QString& path, const QString& desc);
 
         SshConnection mSshConnection;
+        bool mUserIsSudoer;
 };
 
 #endif

include/RemoteMachineComboBox.h

@@ -44,9 +44,10 @@ class RemoteMachineComboBox : public QWidget
 
         void setRecentMachineCount(unsigned int count);
         unsigned int getRecentMachineCount() const;
+        bool userIsSudoer() const;
 
     public slots:
-        void notifyTargetUsed(const QString& target);
+        void notifyTargetUsed(const QString& target, bool userIsSudoer);
         void clearHistory();
 
     protected slots:
@@ -65,6 +66,7 @@ class RemoteMachineComboBox : public QWidget
 
         QStringList mRecentTargets;
         QComboBox* mRecentComboBox;
+        QCheckBox* mUserIsSudoer;
 };
 
 #endif

src/MainWindow.cpp

@@ -678,6 +678,7 @@ void MainWindow::scanAsync(ScannerMode scannerMode)
     // In the OscapScannerRemoteSsh class the port will be parsed out again...
     const QString target = mUI.localMachineRadioButton->isChecked() ?
         "localhost" : mUI.remoteMachineDetails->getTarget();
+    const bool userIsSudoer = mUI.remoteMachineDetails->userIsSudoer();
 
     bool fetchRemoteResources = mUI.fetchRemoteResourcesCheckbox->isChecked();
     try
@@ -689,7 +690,10 @@ void MainWindow::scanAsync(ScannerMode scannerMode)
             if (target == "localhost")
                 mScanner = new OscapScannerLocal();
             else
+            {
                 mScanner = new OscapScannerRemoteSsh();
+                ((OscapScannerRemoteSsh *)mScanner)->setUserIsSudoer(userIsSudoer);
+            }
 
             mScanner->setTarget(target);
 
@@ -759,7 +763,10 @@ void MainWindow::scanAsync(ScannerMode scannerMode)
     );
 
     if (target != "localhost")
-        mUI.remoteMachineDetails->notifyTargetUsed(mScanner->getTarget());
+    {
+        bool userIsSudoer = ((OscapScannerRemoteSsh *)mScanner)->getUserIsSudoer();
+        mUI.remoteMachineDetails->notifyTargetUsed(mScanner->getTarget(), userIsSudoer);
+    }
 
     mScanThread->start();
 }

src/OscapScannerRemoteSsh.cpp

@@ -37,15 +37,16 @@ extern "C"
 
 OscapScannerRemoteSsh::OscapScannerRemoteSsh():
     OscapScannerBase(),
-    mSshConnection(this)
+    mSshConnection(this),
+    mUserIsSudoer(false)
 {
     mSshConnection.setCancelRequestSource(&mCancelRequested);
 }
 
 OscapScannerRemoteSsh::~OscapScannerRemoteSsh()
 {}
 
-void OscapScannerRemoteSsh::splitTarget(const QString& in, QString& target, unsigned short& port)
+void OscapScannerRemoteSsh::splitTarget(const QString& in, QString& target, unsigned short& port, bool& userIsSudoer)
 {
     // NB: We dodge a bullet here because the editor will always pass a port
     //     as the last component. A lot of checking and parsing does not need
@@ -55,10 +56,19 @@ void OscapScannerRemoteSsh::splitTarget(const QString& in, QString& target, unsi
     //     being there and always being the last component.
 
     // FIXME: Ideally, this should split from the right side and stop after one split
-    QStringList split = in.split(':');
+    userIsSudoer = false;
+    QStringList sudoerSplit = in.split(' ');
+    if (sudoerSplit.size() > 1)
+    {
+        if (sudoerSplit.at(1) == "sudo")
+	{
+	    userIsSudoer = true;
+	}
+    }
+    QStringList hostPortSplit = sudoerSplit.at(0).split(':');
 
-    const QString portString = split.back();
-    split.removeLast();
+    const QString portString = hostPortSplit.back();
+    hostPortSplit.removeLast();
 
     {
         bool status = false;
@@ -68,25 +78,37 @@ void OscapScannerRemoteSsh::splitTarget(const QString& in, QString& target, unsi
         port = status ? portCandidate : 22;
     }
 
-    target = split.join(":");
+    target = hostPortSplit.join(":");
 }
 
 void OscapScannerRemoteSsh::setTarget(const QString& target)
 {
-    OscapScannerBase::setTarget(target);
+    QStringList sudoerSplit = target.split(' ');
+    OscapScannerBase::setTarget(sudoerSplit.at(0));
 
     if (mSshConnection.isConnected())
         mSshConnection.disconnect();
 
     QString cleanTarget;
     unsigned short port;
+    bool userIsSudoer;
 
-    splitTarget(target, cleanTarget, port);
+    splitTarget(target, cleanTarget, port, userIsSudoer);
 
     mSshConnection.setTarget(cleanTarget);
     mSshConnection.setPort(port);
 }
 
+bool OscapScannerRemoteSsh::getUserIsSudoer() const
+{
+    return mUserIsSudoer;
+}
+
+void OscapScannerRemoteSsh::setUserIsSudoer(bool userIsSudoer)
+{
+    mUserIsSudoer = userIsSudoer;
+}
+
 void OscapScannerRemoteSsh::setSession(ScanningSession* session)
 {
     OscapScannerBase::setSession(session);
@@ -99,6 +121,10 @@ void OscapScannerRemoteSsh::setSession(ScanningSession* session)
 QStringList OscapScannerRemoteSsh::getCommandLineArgs() const
 {
     QStringList args("oscap-ssh");
+    if (mUserIsSudoer)
+    {
+	    args.append("--sudo");
+    }
     args.append(mSshConnection.getTarget());
     args.append(QString::number(mSshConnection.getPort()));
 
@@ -235,28 +261,34 @@ void OscapScannerRemoteSsh::evaluate()
 
     if (mScannerMode == SM_OFFLINE_REMEDIATION)
     {
-        args = buildOfflineRemediationArgs(inputFile,
+        args.append(buildOfflineRemediationArgs(inputFile,
                 resultFile,
                 reportFile,
-                arfFile);
+                arfFile));
     }
     else
     {
-        args = buildEvaluationArgs(inputFile,
+        args.append(buildEvaluationArgs(inputFile,
                 tailoringFile,
                 resultFile,
                 reportFile,
                 arfFile,
-                mScannerMode == SM_SCAN_ONLINE_REMEDIATION);
+                mScannerMode == SM_SCAN_ONLINE_REMEDIATION));
     }
 
     const QString sshCmd = args.join(" ");
 
     emit infoMessage(QObject::tr("Starting the remote process..."));
 
     QProcess process(this);
+    QString sudo;
+    if (mUserIsSudoer)
+    {
+	    // tell sudo not to bother to read password from the terminal
+	    sudo = " sudo -n";
+    }
 
-    process.start(SCAP_WORKBENCH_LOCAL_SSH_PATH, baseArgs + QStringList(QString("cd '%1'; " SCAP_WORKBENCH_REMOTE_OSCAP_PATH " %2").arg(workingDir).arg(sshCmd)));
+    process.start(SCAP_WORKBENCH_LOCAL_SSH_PATH, baseArgs + QStringList(QString("cd '%1';" "%2 " SCAP_WORKBENCH_REMOTE_OSCAP_PATH " %3").arg(workingDir).arg(sudo).arg(sshCmd)));
     process.waitForStarted();
 
     if (process.state() != QProcess::Running)
@@ -328,6 +360,31 @@ void OscapScannerRemoteSsh::evaluate()
     signalCompletion(mCancelRequested);
 }
 
+void OscapScannerRemoteSsh::selectError(MessageType& kind, const QString& message)
+{
+    OscapScannerBase::selectError(kind, message);
+    if (mUserIsSudoer)
+    {
+        if (message.contains(QRegExp("^sudo:")))
+        {
+            kind = MSG_ERROR;
+        }
+    }
+
+}
+
+void OscapScannerRemoteSsh::processError(QString& message)
+{
+    OscapScannerBase::processError(message);
+    if (mUserIsSudoer && message.contains(QRegExp("^sudo:")))
+    {
+        message.replace(QRegExp("^sudo:"), "Error invoking sudo on the host:");
+        message += ".\nOnly passwordless sudo setup on the remote host is supported by scap-workbench.";
+        message += " \nTo configure a non-privileged user oscap-user to run only the oscap binary as root, "
+		"add this User Specification to your sudoers file: oscap-user ALL=(root) NOPASSWD: /usr/bin/oscap xccdf eval *";
+    }
+}
+
 void OscapScannerRemoteSsh::ensureConnected()
 {
     if (mSshConnection.isConnected())

src/RemoteMachineComboBox.cpp

@@ -30,7 +30,7 @@ RemoteMachineComboBox::RemoteMachineComboBox(QWidget* parent):
 
 #if (QT_VERSION >= QT_VERSION_CHECK(4, 7, 0))
     // placeholder text is only supported in Qt 4.7 onwards
-    mUI.host->setPlaceholderText(QObject::tr("username@hostname"));
+    mUI.host->setPlaceholderText(QObject::tr("username@hostname [sudo]"));
 #endif
 
     mQSettings = new QSettings(this);
@@ -41,6 +41,8 @@ RemoteMachineComboBox::RemoteMachineComboBox(QWidget* parent):
         this, SLOT(updateHostPort(int))
     );
 
+    mUserIsSudoer = mUI.userIsSudoer;
+
     setRecentMachineCount(5);
     syncFromQSettings();
 
@@ -51,6 +53,11 @@ RemoteMachineComboBox::~RemoteMachineComboBox()
     delete mQSettings;
 }
 
+bool RemoteMachineComboBox::userIsSudoer() const
+{
+    return mUserIsSudoer->isChecked();
+}
+
 QString RemoteMachineComboBox::getTarget() const
 {
     return QString("%1:%2").arg(mUI.host->text()).arg(mUI.port->value());
@@ -70,11 +77,12 @@ unsigned int RemoteMachineComboBox::getRecentMachineCount() const
     return mRecentTargets.size();
 }
 
-void RemoteMachineComboBox::notifyTargetUsed(const QString& target)
+void RemoteMachineComboBox::notifyTargetUsed(const QString& target, bool userIsSudoer)
 {
     QString host;
     unsigned short port;
-    OscapScannerRemoteSsh::splitTarget(target, host, port);
+    bool placeholder;
+    OscapScannerRemoteSsh::splitTarget(target, host, port, placeholder);
 
     // skip invalid suggestions
     if (host.isEmpty() || port == 0)
@@ -83,7 +91,8 @@ void RemoteMachineComboBox::notifyTargetUsed(const QString& target)
     const unsigned int machineCount = getRecentMachineCount();
 
     // this moves target to the beginning of the list if it was in the list already
-    mRecentTargets.prepend(target);
+    QString targetWithSudo = target + (userIsSudoer ? " sudo" : "");
+    mRecentTargets.prepend(targetWithSudo);
     mRecentTargets.removeDuplicates();
 
     setRecentMachineCount(machineCount);
@@ -99,6 +108,7 @@ void RemoteMachineComboBox::clearHistory()
 {
     mUI.host->setText("");
     mUI.port->setValue(22);
+    mUI.userIsSudoer->setChecked(false);
 
     const unsigned int machineCount = getRecentMachineCount();
     mRecentTargets.clear();
@@ -160,6 +170,7 @@ void RemoteMachineComboBox::updateHostPort(int index)
     {
         mUI.host->setText("");
         mUI.port->setValue(22);
+        mUI.userIsSudoer->setChecked(false);
         return;
     }
 
@@ -172,10 +183,11 @@ void RemoteMachineComboBox::updateHostPort(int index)
 
     QString host;
     unsigned short port;
+    bool userIsSudoer;
 
-    OscapScannerRemoteSsh::splitTarget(target, host, port);
+    OscapScannerRemoteSsh::splitTarget(target, host, port, userIsSudoer);
 
     mUI.host->setText(host);
     mUI.port->setValue(port);
-
+    mUI.userIsSudoer->setChecked(userIsSudoer);
 }