Reduced code reuse for lockdown method #62
Conversation
|
I meant something more along the lines of defining methods that perform actions, such as: def disable_sshd():
sp.run whateverAnd then calling that in the lockdown and interactive sequences instead of the literal |
| @@ -295,48 +298,48 @@ def lockdown_procedure(): | |||
| print_confirmation("Set secure configuration without user interaction.") | |||
|
|
|||
| # Get sudo priv | |||
| sp.run("sudo -E -v", shell=True, stdout=sp.PIPE) | |||
| run_command("sudo -E -v") | |||
There was a problem hiding this comment.
Careful... You lost a shell=True on this line that's really important.
There was a problem hiding this comment.
Hey, I explicitly didn’t want to invoke the shell through shell=True to avoid shell injection vulnerability. I tried it out through the interpreter and run_command("sudo -E -v") executes. Please let me know if I am misunderstanding the shell=True argument. Also, I'll try and define methods to perform actions.
There was a problem hiding this comment.
I explicitly didn’t want to invoke the shell through shell=True to avoid shell injection vulnerability.
I don't think there is a way to exploit this particular shell=True since there's no user input besides the sudo password. You're right to be careful though.
Take a look at the example here: https://docs.python.org/2/library/subprocess.html#frequently-used-arguments
I remember not being able to get it to work without that shell=True but it has been a very long time since I sat down with this code. I'll find some time to mess with it soon.
| run_command("sudo launchctl load /System/Library/LaunchDaemons/com.apple.alf.agent.plist") | ||
| run_command("sudo launchctl load /System/Library/LaunchAgents/com.apple.alf.useragent.plist") | ||
| run_command("sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on") | ||
| run_command("sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setloggingmode on") | ||
| run_command("sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on") | ||
| run_command("sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setallowsigned off") | ||
| run_command("sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setallowsignedapp off") | ||
| run_command("sudo pkill -HUP socketfilterfw") |
There was a problem hiding this comment.
This refactor looks good to me. Strings in favor of lists.
| sp.run(['sudo', '/usr/libexec/ApplicationFirewall/socketfilterfw', '--setallowsigned', 'off'], stdout=sp.PIPE) | ||
| sp.run(['sudo', '/usr/libexec/ApplicationFirewall/socketfilterfw', '--setallowsignedapp', 'off'], stdout=sp.PIPE) | ||
| sp.run(['sudo defaults write /Library/Preferences/SystemConfiguration/com.apple.captive.control Active -bool false'], stdout=sp.PIPE) | ||
| run_command("sudo spctl --master-enable") |
| run_command("defaults write com.apple.screensaver askForPasswordDelay -int 0") | ||
| run_command("defaults write NSGlobalDomain AppleShowAllExtensions -bool true") | ||
| run_command("defaults write NSGlobalDomain NSDocumentSaveNewDocumentsToCloud -bool false") | ||
| run_command("defaults write com.apple.finder AppleShowAllFiles -boolean true") |
#61 I tried to clean up a little bit, let me know if this is what you had in mind. I can make more changes if required.