rs - package rs provides a resource system which enforces unix style access control.

Documentation

Overview

Package rs provides a resource system which enforces unix style access control.

Resources are stored as nugo.Nodes and can either have a []byte slice as source or implement the Executable interface. Using the Save and Load syscalls, structs are gob-encoded into, and decoded from, an access-controlled resource. Gob decoding is driven entirely by the stored bytes, so a resource written by an untrusted account should be loaded with the same care as any other untrusted input.

The Anonymous account has uid and gid 0, whereas the Root account has uid and gid 1. Note that this is the reverse of the unix convention, where uid 0 is the superuser: code that treats uid 0 as privileged must not be carried over to this package.

Example (DefaultResourceSystem)
// A fresh default system listed recursively as Root. Note that /tmp is
// drwxrwxrwxrwx, i.e. world-writable, so even the Anonymous account can
// create resources there. The error returned by Fexec is ignored here,
// as is common in examples; real code should check it.
sys := NewSystem()
asRoot := Root.Use(sys)
asRoot.Fexec(os.Stdout, "/bin/ls -R -l /")
Output:

d--xrwxr-xr-x 1 1 /bin
----rwxr-xr-x 1 1 /bin/chmod
----rwxr-xr-x 1 1 /bin/chown
---xrwxr-xr-x 1 1 /bin/ls
----rwxr-xr-x 1 1 /bin/mkacc
----rwxr-xr-x 1 1 /bin/mkdir
----rwxr-xr-x 1 1 /bin/secure
d---rwxr-xr-x 1 1 /etc
d---rwxr-xr-x 1 1 /etc/accounts
----rw-r--r-- 1 1 /etc/accounts/anonymous
----rw-r--r-- 1 1 /etc/accounts/root
d---rwxr-xr-x 1 1 /etc/groups
----rw-r--r-- 1 1 /etc/groups/anonymous
----rw-r--r-- 1 1 /etc/groups/root
drwxrwxrwxrwx 1 1 /tmp
Example (ExportSystem)

When exporting a system each node is serialized with its content, if any, base64-encoded. Base64 is an encoding, not encryption: the export reveals the content of every node, including the account and group records shown below, so treat the output as sensitive.

// Export is a method on *System rather than *Syscall, so no account is
// involved and no per-account access check applies; every node's content
// ends up in the writer. The returned error is ignored in this example.
sys := NewSystem()
sys.Export(os.Stdout)
Output:

4026532845 1 1 /
3758097389 1 1 /bin
3758096877 1 1 /etc
3758096877 1 1 /etc/accounts
1610613156 1 1 /etc/accounts/anonymous Mv+DAwEBB0FjY291bnQB/4QAAQMBBE5hbWUBDAABA1VJRAEEAAEGR3JvdXBzAf+GAAAAE/+FAgEBBVtdaW50Af+GAAEEAAAR/4QBCWFub255bW91cwIB
1610613156 1 1 /etc/accounts/root Mv+DAwEBB0FjY291bnQB/4QAAQMBBE5hbWUBDAABA1VJRAEEAAEGR3JvdXBzAf+GAAAAE/+FAgEBBVtdaW50Af+GAAEEAAAO/4QBBHJvb3QBAgEB
3758096877 1 1 /etc/groups
1610613156 1 1 /etc/groups/anonymous JP+BAwEBBWdyb3VwAf+CAAECAQROYW1lAQwAAQNHSUQBBAAAAA7/ggEJYW5vbnltb3Vz
1610613156 1 1 /etc/groups/root JP+BAwEBBWdyb3VwAf+CAAECAQROYW1lAQwAAQNHSUQBBAAAAAv/ggEEcm9vdAEC
3758100479 1 1 /tmp
Example (SaveAndLoadResource)
// Round-trips a struct through Save and Load. Alien is a gob-encodable type
// defined in the example file (not shown here). The errors from Exec, Save
// and Load are all ignored, so a silent failure in any of them would only
// surface as a zero-value alien in the printed output; real code should
// check each one.
sys := NewSystem()
asRoot := Root.Use(sys)
asRoot.Exec("/bin/mkdir /tmp/aliens")
filename := "/tmp/aliens/green.gob"
asRoot.Save(filename, &Alien{Name: "Mr Green"})
var alien Alien
asRoot.Load(&alien, filename)
fmt.Printf("%#v", alien)
Output:

rs.Alien{Name:"Mr Green"}

Constants

// Operation bits used by the access checks. iota is 0 on the first line, so
// OpRead is the top bit of a 32-bit word (1<<31), OpWrite is 1<<30 and
// OpExec is 1<<29; the implicit repetition shifts each subsequent constant
// one bit lower.
const (
	OpRead operation = 1 << (32 - 1 - iota)
	OpWrite
	OpExec
)

Variables

// Built-in accounts. The uid/gid assignment is the reverse of the unix
// convention: Anonymous is uid 0 and Root is uid 1. Both are exported,
// mutable package-level variables, so any code that can import the package
// can call Root.Use(sys) and act as Root; keep that out of untrusted code
// paths and authenticate callers before handing out a Syscall.
var (
	Anonymous = NewAccount("anonymous", 0)
	Root      = NewAccount("root", 1)
)
// ErrPermissionDenied is the sentinel error for access-control failures;
// compare with errors.Is rather than by string. Note that the Stat example
// shows a different, more descriptive error for a denied path traversal,
// so check which error a given syscall returns or wraps before relying on it.
var ErrPermissionDenied = errors.New("permission denied")

Functions

func Chmod

func Chmod(cmd *Cmd) error

Chmod command sets the mode of a resource. The -m flag is a uint parsed by the flag package, so write octal modes with a leading 0 (01755 in the example below); 1755 without the leading zero would be read as decimal and set a very different mode.

Example
// Creates /tmp/a as Root, then sets its mode to 01755 (octal, note the
// leading zero) and lists before and after. Every call's error is ignored;
// in real code a failed chmod must not be silently skipped, since the
// resource would be left with its previous, possibly wider, permissions.
asRoot := Root.Use(NewSystem())
asRoot.Exec("/bin/mkdir /tmp/a")
asRoot.Fexec(os.Stdout, "/bin/ls -l /tmp") // before
asRoot.Exec("/bin/chmod -m 01755 /tmp/a")
asRoot.Fexec(os.Stdout, "/bin/ls -l /tmp") // after
Output:

d---rwxr-xr-x 1 1 a
d--xrwxr-xr-x 1 1 a
Example (Help)
// Prints chmod's flag usage; the Fexec error is ignored.
asRoot := Root.Use(NewSystem())
asRoot.Fexec(os.Stdout, "/bin/chmod -h")
Output:

Usage of chmod:
  -m uint
    	mode

func Ls

func Ls(cmd *Cmd) error

Ls lists resources. It runs with the invoking account's permissions, so the Anonymous account can list / (as in the examples) but not directories it cannot traverse.

Example
// Lists / as the Anonymous account; /bin/ls is executable by others, so this succeeds. The error is ignored.
Anonymous.Use(NewSystem()).Fexec(os.Stdout, "/bin/ls /")
Output:

bin
etc
tmp
Example (Help)
// Prints ls's flag usage; the Fexec error is ignored.
asRoot := Root.Use(NewSystem())
asRoot.Fexec(os.Stdout, "/bin/ls -h")
Output:

Usage of ls:
  -R	recursive
  -json
    	write json
  -json-name string
    	result name of resources, if empty written as array
  -l	use a long listing format
Example (LongListFormat)
// Long listing of / as Anonymous: mode, owner uid, group gid and name per line. The error is ignored.
Anonymous.Use(NewSystem()).Fexec(os.Stdout, "/bin/ls -l /")
Output:

d--xrwxr-xr-x 1 1 bin
d---rwxr-xr-x 1 1 etc
drwxrwxrwxrwx 1 1 tmp

func Mkacc

func Mkacc(cmd *Cmd) error

Mkacc creates an account. Both -uid and -gid are optional (default -1); AddAccount documents that name and uid must be unique, so an explicit uid that collides with an existing account is expected to be rejected rather than silently reused.

Example (Help)
// Prints mkacc's flag usage; the Fexec error is ignored.
asRoot := Root.Use(NewSystem())
asRoot.Fexec(os.Stdout, "/bin/mkacc -h")
Output:

Usage of mkacc:
  -gid int
    	optional gid of the new account (default -1)
  -uid int
    	optional uid of the new account (default -1)

func Mkdir

func Mkdir(cmd *Cmd) error

Mkdir creates directories. The default -m value of 493 is 0755 in octal (rwxr-xr-x); pass an explicit -m with a leading 0 to use a tighter mode.

Example (Help)
// Prints mkdir's flag usage; the Fexec error is ignored.
asRoot := Root.Use(NewSystem())
asRoot.Fexec(os.Stdout, "/bin/mkdir -h")
Output:

Usage of mkdir:
  -m uint
    	mode for new directory (default 493)

func NodeExporter added in v0.3.0

func NodeExporter(writer io.Writer) nugo.Visitor

NodeExporter returns a nugo.Visitor that writes each node, with its content as a base64-encoded string, to writer.

func Secure added in v0.2.0

func Secure(cmd *Cmd) error

Secure command manages credentials in /etc/credentials. The secret is supplied on the command line via -s, so it passes through Exec's whitespace-split argument list (it cannot contain spaces) and, if an auditer is configured (see Run), is likely to be recorded in the audit log as part of the command line — confirm this before relying on the audit log in production.

Example
// Prints secure's flag usage; the Fexec error is ignored.
asRoot := Root.Use(NewSystem())
asRoot.Fexec(os.Stdout, "/bin/secure -h")
Output:

Usage of secure:
  -a string
    	account name
  -c	check if secret is valid
  -s string
    	secret

Types

type Account

// Account identifies a principal in the resource system: its name, its user
// id and the group ids it belongs to. An Account carries no credential and
// Use performs no authentication, so possession of an *Account value is
// equivalent to holding its privileges; see Credentials for secret checking.
// The package-level Anonymous and Root accounts are uid 0 and 1 respectively.
type Account struct {
	Name string
	UID  int

	Groups []int
	// contains filtered or unexported fields
}

func NewAccount

func NewAccount(Name string, uid int) *Account

NewAccount returns a new account with the given uid used as both its uid and its group id. The account is not registered with any system; call Syscall.AddAccount for that.

func (*Account) Use

func (me *Account) Use(sys *System) *Syscall

Use returns a Syscall struct for accessing the system as this account. No authentication takes place here: whoever holds the *Account value acts with its privileges, so keep Root out of untrusted code paths and authenticate callers (for example with Credentials.Check) before handing out a Syscall.

type Chown added in v0.2.0

// Chown is the /bin/chown command (usage: Chown OWNER ...paths); it satisfies Executable via its Exec method.
type Chown struct{}
Example (Help)
// Prints chown's usage line; the Fexec error is ignored.
asRoot := Root.Use(NewSystem())
asRoot.Fexec(os.Stdout, "/bin/chown -h")
Output:

Usage: Chown OWNER ...paths

func (*Chown) Exec added in v0.2.0

func (me *Chown) Exec(cmd *Cmd) error

func (*Chown) WriteUsage added in v0.2.0

func (me *Chown) WriteUsage(w io.Writer)

type Cmd

// Cmd is one invocation of an Executable: the absolute path the command was
// installed at, its arguments, the Syscall it runs through and the streams it
// reads from and writes to. Sys carries the invoking account, so a command
// presumably acts with the caller's permissions rather than with those of the
// command's owner — there is no setuid-style elevation visible in this API.
type Cmd struct {
	Abspath string // absolute path of the command being run
	Args    []string

	// Access to the system as the invoking account
	Sys *Syscall

	In  io.Reader
	Out io.Writer
}

func NewCmd

func NewCmd(abspath string, args ...string) *Cmd

NewCmd returns a new command.

func (*Cmd) String

func (me *Cmd) String() string

String returns the command with its arguments

type Credentials added in v0.2.0

// Credentials is the set of stored secrets managed by the /bin/secure
// command and checked with Check. Secrets is exported, so callers can bypass
// AddSecret by appending directly; prefer AddSecret.
type Credentials struct {
	Secrets []*Secret
}

func NewCredentials added in v0.2.0

func NewCredentials() *Credentials

func (*Credentials) AddSecret added in v0.2.0

func (me *Credentials) AddSecret(s *Secret)

AddSecret adds s to the credential set.

func (*Credentials) Check added in v0.2.0

func (me *Credentials) Check(uid int, secret string) error

Check verifies secret for the account with the given uid and returns a non-nil error if it is not valid. Whether the comparison is constant-time and how the stored value is derived is not visible from this API — confirm before using it as an authentication primitive.

type ExecFunc

// ExecFunc adapts a plain function to the Executable interface, in the style of http.HandlerFunc.
type ExecFunc func(*Cmd) error

func (ExecFunc) Exec

func (me ExecFunc) Exec(cmd *Cmd) error

type Executable

// Executable is implemented by resources that can be run with Syscall.Run.
// Exec receives the invocation details (path, arguments, invoking Syscall,
// I/O) in cmd and reports failure through the returned error.
type Executable interface {
	Exec(*Cmd) error
}

type Group

// Group is a named group whose members' access is governed by a resource's
// group permission bits. The gid is unexported; the record is persisted under
// /etc/groups via WriteTo and restored via ReadFrom.
type Group struct {
	Name string
	// contains filtered or unexported fields
}

func (*Group) ReadFrom added in v0.2.0

func (me *Group) ReadFrom(r io.Reader) (int64, error)

ReadFrom decodes a group record from r, returning the number of bytes consumed.

func (*Group) WriteTo added in v0.2.0

func (me *Group) WriteTo(w io.Writer) (int64, error)

WriteTo encodes the group record to w, returning the number of bytes written.

type Mode

// Mode is the permission mode of a resource, as accepted by Mkdir and SetMode; the underlying representation is nugo.NodeMode.
type Mode nugo.NodeMode

type ResInfo

// ResInfo describes a resource and is returned by Stat, Install and Mkdir.
// It exposes only Name and IsDir; all other node details are unexported.
type ResInfo struct {
	// contains filtered or unexported fields
}

ResInfo describes a resource and is returned by Stat

func (*ResInfo) IsDir

func (me *ResInfo) IsDir() error

IsDir returns nil if the resource is a directory

func (*ResInfo) Name

func (me *ResInfo) Name() string

Name returns the name of the file

type Resource

// Resource is an open handle to a node, obtained from Open (read mode) or
// Create (write mode). Writes are buffered until Close, and Read fails while
// the handle is in write mode, so a Resource is effectively single-purpose.
type Resource struct {
	io.Reader
	// contains filtered or unexported fields
}

Resource wraps access to the underlying node

func (*Resource) Close

func (me *Resource) Close() error

Close closes the resource. If resource is in write mode the written buffer is flushed.

func (*Resource) Read

func (me *Resource) Read(b []byte) (int, error)

Read reads from the underlying source. It fails if the resource is not readable or if the resource is in write mode.

func (*Resource) Write

func (me *Resource) Write(p []byte) (int, error)

Write writes to the resource. Data is buffered and not flushed until Close is called, so a handle that is never closed loses its writes; use defer res.Close() right after Create.

type Secret added in v0.2.0

// Secret is one credential entry: the uid it belongs to and the stored
// secret material. The field name suggests reversible encryption; for
// password-style authentication a salted, slow hash (bcrypt/scrypt/argon2)
// is the expected primitive — confirm what /bin/secure actually stores
// before relying on this for authentication.
type Secret struct {
	UID       int
	Encrypted []byte
}

type Syscall

// Syscall is the access-controlled entry point to a System, bound to one
// account by Account.Use. Every operation is checked against that account's
// uid and groups, so a Syscall value should be treated as a capability and
// not handed to code that should not act as its account.
type Syscall struct {
	// contains filtered or unexported fields
}

func (*Syscall) AddAccount

func (me *Syscall) AddAccount(acc *Account) error

AddAccount adds a new account to the system. Name and uid must be unique.

func (*Syscall) Create

func (me *Syscall) Create(abspath string) (*Resource, error)

Create returns a new resource for writing. It fails if an existing resource at abspath is a directory. The caller must close the resource: writes are not flushed until Close (see Resource.Write).

func (*Syscall) Exec

func (me *Syscall) Exec(cli string) error

Exec splits cli on whitespace and executes the first field as an absolute path with the remaining fields as arguments. There is no quoting or escaping, so an argument cannot itself contain whitespace.

func (*Syscall) Execf added in v0.3.0

func (me *Syscall) Execf(format string, v ...interface{}) error

Execf formats the command line with fmt-style verbs and calls Exec. Because Exec splits on whitespace, a formatted value containing spaces becomes several arguments; do not interpolate untrusted input without validating it first.

func (*Syscall) Fexec

func (me *Syscall) Fexec(w io.Writer, cli string) error

Fexec creates and executes a new command and directs the output to the given writer.

func (*Syscall) Install

func (me *Syscall) Install(abspath string, cmd Executable, mode nugo.NodeMode,
) (*ResInfo, error)

Install resource at the absolute path

func (*Syscall) Load

func (me *Syscall) Load(res interface{}, abspath string) error

Load loads the resource at abspath into res. If res implements io.ReaderFrom that is used; otherwise the content is decoded with encoding/gob.

func (*Syscall) LoadAccount added in v0.2.0

func (me *Syscall) LoadAccount(acc *Account, Name string) error

LoadAccount loads the account record named Name into acc.

func (*Syscall) LoadGroup added in v0.2.0

func (me *Syscall) LoadGroup(group *Group, Name string) error

func (*Syscall) Mkdir

func (me *Syscall) Mkdir(abspath string, mode Mode) (*ResInfo, error)

Mkdir creates the absolute path with the given mode; the parent must already exist.

func (*Syscall) NextGID added in v0.2.0

func (me *Syscall) NextGID() int

NextGID returns potential next group id.

func (*Syscall) NextUID added in v0.2.0

func (me *Syscall) NextUID() int

NextUID returns potential next user id.

func (*Syscall) Open

func (me *Syscall) Open(abspath string) (*Resource, error)

Open opens a resource for reading. The underlying source must be a string or []byte. If the resource is currently open for writing this call blocks; the signature offers no timeout or context, so a writer that never calls Close blocks readers indefinitely.

func (*Syscall) RemoveAll

func (me *Syscall) RemoveAll(abspath string) error

RemoveAll removes the resource at abspath (presumably including any children, by analogy with os.RemoveAll — confirm).

func (*Syscall) Run added in v0.2.0

func (me *Syscall) Run(cmd *Cmd) error

Run executes the given command. It fails if, for example, the resource is not Executable. All exec calls are audited if the system has an auditer configured; the audited record presumably includes the full command line, so avoid passing secrets as arguments (see Secure).

func (*Syscall) Save

func (me *Syscall) Save(abspath string, src interface{}) error

Save saves src to abspath, overwriting any existing resource. If src implements io.WriterTo that is used; otherwise src is gob-encoded.

func (*Syscall) SaveAs

func (me *Syscall) SaveAs(abspath string, src interface{}) error

SaveAs saves src to abspath and fails if abspath already exists.

func (*Syscall) SetAuditer added in v0.4.1

func (me *Syscall) SetAuditer(v fox.Logger)

SetAuditer sets the auditer to use. nil disables audit.

func (*Syscall) SetGroup added in v0.2.0

func (me *Syscall) SetGroup(abspath string, gid int) error

SetGroup sets the group id of the resource at abspath to gid.

func (*Syscall) SetMode

func (me *Syscall) SetMode(abspath string, mode Mode) error

SetMode sets the mode of abspath if the caller is the owner or Root. Only permission bits can be set for now.

func (*Syscall) SetOwner added in v0.2.0

func (me *Syscall) SetOwner(abspath string, uid int) error

SetOwner sets the owner uid of the resource at abspath to uid.

func (*Syscall) Stat

func (me *Syscall) Stat(abspath string) (*ResInfo, error)

Stat returns the node at abspath if the account is allowed to reach it, i.e. all nodes up to it must have the execute flag set for this account. As the example shows, the returned error names the first node that denied traversal together with its mode and owner; callers that expose errors to untrusted users may want to replace it with a generic message.

Example
// Anonymous (uid 0) may not traverse /etc/accounts, so Stat fails before
// reaching the root record. Note the error text reveals the mode and owner
// of the directory that denied access.
sys := Anonymous.Use(NewSystem())
_, err := sys.Stat("/etc/accounts/root")
fmt.Println(err)
Output:

Stat /etc/accounts/root uid:0: d---rwxr-xr-x 1 1 accounts exec denied

type System

// System holds the resource tree together with its accounts and groups.
// Accounts and Groups are exported slices; appending to them directly
// bypasses the name/uid uniqueness rule that Syscall.AddAccount documents,
// so prefer AddAccount. Export and Import are methods on System, not on
// Syscall, and therefore run without an account and outside per-account
// access control.
type System struct {
	Accounts []*Account
	Groups   []*Group
	// contains filtered or unexported fields
}

func NewSystem

func NewSystem() *System

NewSystem returns a system with installed resources resembling a unix filesystem.

func (*System) Export added in v0.3.0

func (me *System) Export(w io.Writer) error

Export writes every node of the system to w in the format shown in the ExportSystem example. Export is a method on System rather than Syscall, so no account is involved and no access-control check appears to apply; the output contains every node's content and should be treated as sensitive.

func (*System) Import added in v0.4.0

func (me *System) Import(abspath string, r io.Reader) error

Import imports resources from the given reader into the system under abspath. Like Export it operates on System without an account; the reader's content becomes resource data that Load will later gob-decode, so only import from trusted sources.

func (*System) LastModified added in v0.3.0

func (me *System) LastModified() time.Time

LastModified returns last time resources state was modified.

func (*System) NextGID

func (me *System) NextGID() int

NextGID returns next available gid

func (*System) NextUID

func (me *System) NextUID() int

NextUID returns next available uid

func (*System) SetAuditer

func (me *System) SetAuditer(auditer fox.Logger) *System

SetAuditer sets the auditer used for Syscall.Exec calls and returns the system for chaining.

type Visitor

// Visitor is called by Walker.Walk for each visited node with that node's ResInfo and absolute path; call methods on w to stop the walk early.
type Visitor func(child *ResInfo, abspath string, w *nugo.Walker)

Visitor is called during a walk with a specific node and the absolute path to that node. Use the given Walker to stop if needed.

type Walker

// Walker traverses resources through a Syscall, so the walk only sees nodes
// the bound account is allowed to reach. Recursion is off unless enabled
// with SetRecursive.
type Walker struct {
	// contains filtered or unexported fields
}

func NewWalker

func NewWalker(sys *Syscall) *Walker

func (*Walker) SetRecursive

func (me *Walker) SetRecursive(r bool)

SetRecursive controls whether Walk descends into subdirectories.

func (*Walker) Walk

func (me *Walker) Walk(res *ResInfo, fn Visitor) error
