ACL for calling a remote lua script with command-line arguments

liubotsvetkov · April 22, 2020, 10:39am

Hello everyone,

I'm in big need of help and I will appreciate if you could help me.
I am trying to define an ACL so I can remotely execute a Lua script using Ubus over HTTP. I don't want to put a wild card but to give access only to a specific file.

"file": {
"lua script_path.lua": [ "exec" ]
}

The problem is that I want to pass command-line arguments to the script which are not known in advance, so I cannot define them in the ACL. I tried to do something like:

"file": {
"lua script_path.lua *": ["exec"]
}

However, it didn't work. and it's saying 'access to command denied by acl'.
Is there a way to give ACL access to a command with 2 strings as command-line arguments, whose values are not known in advance?

Thank you!

jow · April 22, 2020, 12:12pm

Using the wildcard should work. Make sure your ACL rules contain absolute paths anywhere as relative path locations are undefined when invoking remote scripts.

Means your ACL needs to look like this:

"file": {
    "/usr/bin/lua /full/path/to/script_path.lua *": [ "exec" ]
}

Furthermore, depending on if you want to use LuCI.fs.exec_direct() or LuCI.fs.exec(), you'll also need an ACL granting access to the corresponding procedure itself (cgi-io for exec_direct(), ubus/file for exec():

"cgi-io": [ "exec" ],
"file": {
    "/usr/bin/lua /full/path/to/script_path.lua *": [ "exec" ]
},
"ubus": {
    "file": [ "exec" ]
}

Finally make sure that your client side code uses the proper full paths as well:

fs.exec('/usr/bin/lua', [ '/full/path/to/script_path.lua', 'foo', 'bar' ]).then(function(res) {
    console.debug(res.code, res.stdout, res.stderr);
});

fs.exec_direct('/usr/bin/lua', [ '/full/path/to/script_path.lua', 'foo', 'bar' ]).then(function(output) {
    console.debug(output);
});

system · May 2, 2020, 12:12pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.