Closed laoshancun closed 1 week ago
@laoshancun first of all, thank you very much for your contribution and effort, but the one command in pre/post up/down is by design - as defguard is built with the highest security standards in mind.
If someone requires multiple commands to be executed, they can create a shell script which will define the acceptable and preferred shell to use and then execute all commands.
Why?
Each administrator has a preferred shell, and also in the script they can do other arrangements to control the environment.
Also what you have proposed - to launch the "sh" shell is not secure, as it's the first sh shell from the path - that can be used for example to exploit the server on the gateway. And for that reason, we require the administrator to create a script in which **the shell is defined by the admin as well as accepted by the admin** (can be full path, from env - but the admin accepts what it is).
So for that reason we can't merge this. Thank you again and hope you will understand our motivation.
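The PATH concern raised in the comment above, as an added example that is not part of the PR or of the defguard code base: `resolve_in_path` shows that a bare `sh` is whatever file comes first in PATH, and `validate_hook` is a hypothetical check that accepts only a single command with an absolute program path. Both function names and the sample hook strings are assumptions made for illustration.

```rust
use std::path::{Path, PathBuf};

/// Return the file a bare program name resolves to under `path_var`,
/// using the first-match rule of execvp(3). Only existence is checked here.
fn resolve_in_path(name: &str, path_var: &str) -> Option<PathBuf> {
    std::env::split_paths(path_var)
        .map(|dir| dir.join(name))
        .find(|candidate| candidate.is_file())
}

/// Hypothetical hook validator (an assumption, not defguard's parser):
/// one command, absolute program path, no shell syntax.
fn validate_hook(cmd: &str) -> Result<Vec<String>, String> {
    const SHELL_META: &[char] = &[';', '&', '|', '`', '$', '<', '>', '(', ')', '\n'];
    if cmd.contains(SHELL_META) {
        return Err("shell syntax is not interpreted; put it in a script".into());
    }
    let argv: Vec<String> = cmd.split_whitespace().map(String::from).collect();
    let program = argv.first().ok_or("empty command")?;
    if !Path::new(program).is_absolute() {
        return Err(format!("'{program}' would be looked up in PATH; use an absolute path"));
    }
    Ok(argv)
}

fn main() {
    // Which `sh` a PATH-based launch would pick in the current environment.
    let path_var = std::env::var("PATH").unwrap_or_default();
    println!("bare `sh` resolves to {:?}", resolve_in_path("sh", &path_var));

    // Constructed sample hook values, not taken from any real configuration.
    for hook in ["/usr/local/sbin/gw-post-up.sh wg0", "sh -c 'a; b'", "iptables -F"] {
        println!("{hook:?} -> {:?}", validate_hook(hook));
    }
}
```

Only the first sample passes: it names a script by absolute path, and that script's shebang line is where the administrator chooses the shell.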
📖 Description
Close #133
🛠️ Dev Branch Merge Checklist:
Documentation
Testing
Deployment
🏚️ Main Branch Merge Checklist:
Testing
Documentation