Add config variable supybot.commands.allowShell. #1301

Merged: 2 commits, Sep 24, 2017

@progval (Owner) commented Sep 17, 2017

This PR adds a new configuration variable, named supybot.commands.allowShell, whose help is:

Allows this bot's owner user to use commands
that grants them shell access. This commands exists in case you want to
prevent MITM from the IRC network itself (vulnerable IRCd or IRCops)
from gaining shell access to the bot's server by impersonating the owner.
Setting this to False also disables plugins and commands that can be
used to indirectly gain shell access.

When set to False, its effects are the following:

  • Config plugin:
    • Prevent changes to supybot.commands.allowShell, so it cannot be re-enabled by an attacker
    • Prevent changes to variables in supybot.directories.plugins, so an attacker able to upload files on the server (e.g. a web app / CMS) cannot load arbitrary code
    • Prevent changes to other variables in supybot.directories, so an attacker cannot write arbitrary files
    • Disable @export so an attacker cannot write arbitrary files
  • Debug: disable most commands
  • Karma: disable @dump and @load, to prevent writing and reading arbitrary files
  • PluginDownloader: disable @install to prevent installing plugins from third-party repositories, which may be vulnerable (intentionally or not)
  • Unix: disable @call and @shell

Note that when supybot.commands.allowShell is True it can be set to False via IRC, but if it is False, it may only be changed by editing the .conf file.

This variable defaults to True, which preserves the behavior of Limnoria before this PR.
The rationale for this default is to have PluginDownloader usable by default, because installing plugins is hard for beginners.

This variable is not network-specific on purpose. There are many ways to run a command from a network in the context of another network (@network.command, Scheduler, ...), and I wouldn't trust myself to write code preventing all of these.

Any questions or remarks?
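
A minimal sketch of the one-way latch specified in the description above, added here as an illustration and not Limnoria's actual code. `RuntimeConfig`, `set_from_irc`, `requires_shell` and `ConfigLockedError` are hypothetical names; only the variable names come from the PR text.

```python
import functools

# Variable names taken from the PR description; everything else is hypothetical.
ALLOW_SHELL = "supybot.commands.allowShell"
PROTECTED_PREFIX = "supybot.directories"

class ConfigLockedError(Exception):
    """Raised when a change or command is refused because allowShell is False."""

class RuntimeConfig:
    def __init__(self, values):
        # `values` stands in for what was loaded from the .conf file at startup.
        self._values = dict(values)

    def get(self, name):
        return self._values[name]

    def shell_allowed(self):
        # Defaults to True, matching the default stated in the PR.
        return bool(self._values.get(ALLOW_SHELL, True))

    def _is_protected(self, name):
        # Match the group itself and its children, but not look-alike
        # names that merely share the string prefix.
        return (name == ALLOW_SHELL or name == PROTECTED_PREFIX
                or name.startswith(PROTECTED_PREFIX + "."))

    def set_from_irc(self, name, value):
        """Apply a change requested over IRC by whoever claims to be the owner."""
        if not self.shell_allowed() and self._is_protected(name):
            raise ConfigLockedError(f"{name} can only be changed in the .conf file")
        # True -> False is accepted here; False -> True never reaches this line.
        self._values[name] = value

def requires_shell(config):
    """Gate a command that gives shell or file access (e.g. @shell, @export)."""
    def wrap(func):
        @functools.wraps(func)
        def guarded(*args, **kwargs):
            if not config.shell_allowed():
                raise ConfigLockedError(f"{func.__name__} is disabled")
            return func(*args, **kwargs)
        return guarded
    return wrap
```

The check lives in the setter used for IRC-originated changes, so once the flag is False the only path back to True is the startup load from the file.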

@IotaSpencer (Contributor)

I see no problems with these changes, and all code seems sound; everything checks out. I will run a test bot to see that each of these works correctly with no exceptions.

src/conf.py Outdated
# Make sure it is always blacklisted from the Config plugin.
registerGlobalValue(supybot.commands, 'allowShell',
registry.Boolean(True, _("""Allows this bot's owner user to use commands
that grants them shell access. This commands exists in case you want to
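
Review bot: In the help string on the last two lines, "commands that grants them shell access" should read "commands that grant them shell access", since this text is shown as the variable's help. The comment on the first line says the value must always be blacklisted from the Config plugin, but nothing in these lines enforces that; name the place where the blacklist lives so the comment and the check cannot drift apart.
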
Collaborator

s/This commands/This config option/ ?

Owner, Author

Indeed. Fixed.

@progval progval merged commit 4f6a5e7 into testing Sep 24, 2017
@jlu5 jlu5 deleted the disallow-shell branch September 29, 2017 23:10