2
0
mirror of https://github.com/xcat2/confluent.git synced 2026-07-18 00:16:50 +00:00

Lock down non-system users to not have open ended access

This commit is contained in:
Jarrod Johnson
2026-07-01 21:11:27 -04:00
parent 0106758ceb
commit ada4cb196d
+5 -2
View File
@@ -657,8 +657,11 @@ class InputFirmwareUpdate(ConfluentMessage):
value, curruser)
raise Exception(errstr)
except KeyError:
pass # We can't check ownership for confluent users without system users, as is the case in a prominent container usage,
# We must rely upon the banned paths to mitigate risk instead
# non-system backed user, restrict them to either web curated assets or identity images
if not (value.startswith('/var/lib/confluent/client_assets/') or value.startswith('/var/lib/confluent/private/identity_images')):
raise Exception(
'File transfer using non-system user {} is not supported for {}'.format(curruser, value))
checkedfiles.add(value)
self.filebynode[node] = value