ovh · speed47 · Mar 5, 2025 · Mar 4, 2025 · Mar 4, 2025
diff --git a/.github/workflows/tests_basic.yml b/.github/workflows/tests_basic.yml
@@ -5,7 +5,7 @@ on: [push, pull_request]
 jobs:
     test:
         name: perlcritic, perltidy, shellcheck, doc
-        runs-on: ubuntu-20.04
+        runs-on: ubuntu-24.04
         timeout-minutes: 10
         steps:
         - uses: actions/checkout@v4

diff --git a/bin/admin/check-consistency.pl b/bin/admin/check-consistency.pl
@@ -18,14 +18,14 @@
 # generate a uniq prefix based on caller's lineno and caller's caller's lineno, useful to grep or grep -v
 sub _prefix { return uc(unpack('H*', pack('S', (caller(1))[2])) . unpack('H*', pack('S', (caller(2))[2]))) . ": "; }
 
-sub info { print $_[0] . "\n"; return 1; }
-sub _wrn { $bad++; print colored(_prefix() . $_[0], "blue") . "\n"; return 1; } ## no critic (ProhibitUnusedPrivateSubroutine)
+sub info  { print $_[0] . "\n"; return 1; }
+sub _wrn  { $bad++; print colored(_prefix() . $_[0], "blue") . "\n";     return 1; }    ## no critic (ProhibitUnusedPrivateSubroutine)
 sub _err  { $bad++; print colored(_prefix() . $_[0], "red") . "\n";      return 1; }
 sub _crit { $bad++; print colored(_prefix() . $_[0], "bold red") . "\n"; return 1; }
 
 # Linux and BSD don't always have the same account names for UID/GID 0
-my ($UID0) = (qx{getent passwd 0})[0] =~ /^([^:]+)/;                            ## no critic (ProhibitBacktickOperators)
-my ($GID0) = (qx{getent group 0})[0] =~ /^([^:]+)/;                             ## no critic (ProhibitBacktickOperators)
+my ($UID0)  = (qx{getent passwd 0})[0] =~ /^([^:]+)/;                                   ## no critic (ProhibitBacktickOperators)
+my ($GID0)  = (qx{getent group 0})[0]  =~ /^([^:]+)/;                                   ## no critic (ProhibitBacktickOperators)
 my $islinux = (($^O =~ /linux/i)         ? 1 : 0);
 my $hasacls = (($^O =~ /linux|freebsd/i) ? 1 : 0);
 
@@ -175,7 +175,7 @@
     $ALL_FILES{$_} = 1;
 }
 while (my $homedir = glob '/home/*') {
-    -d $homedir or next;
+    -d $homedir          or next;
     -d "$homedir/ttyrec" or next;
     next if $homedir eq '/home/proxyhttp';
     next if $homedir eq '/home/healthcheck';
@@ -284,7 +284,7 @@ sub check_file_rights {
     }
 
     if (!$hasacls) {
-        my ($modes, $owner, $group) = (qx{ls -ld $file})[0] =~ m{(\S+)\s+\d+\s+(\S+)\s+(\S+)}; ## no critic (ProhibitBacktickOperators)
+        my ($modes, $owner, $group) = (qx{ls -ld $file})[0] =~ m{(\S+)\s+\d+\s+(\S+)\s+(\S+)};    ## no critic (ProhibitBacktickOperators)
         if ($modes ne $expectedmodes) { $ok = 0; _err "on $file got $modes wanted $expectedmodes"; }
         if ($owner ne $expectedowner) { $ok = 0; _err "on $file got $owner wanted $expectedowner"; }
         if ($group ne $expectedgroup) { $ok = 0; _err "on $file got $group wanted $expectedgroup"; }
@@ -437,7 +437,7 @@ sub check_file_rights {
     "/home/allowkeeper",
     [
         "# file: /home/allowkeeper", "# owner: allowkeeper", "# group: allowkeeper", "user::rwx",
-        "group::r-x",                "other::r-x",
+        "group::r-x", "other::r-x",
     ],
     "drwxr-xr-x",
     "allowkeeper",

diff --git a/bin/admin/check_uid_gid_collisions.pl b/bin/admin/check_uid_gid_collisions.pl
@@ -250,10 +250,10 @@ sub handle_list {
                     push @cmds,
                       sprintf("find \$fslist -xdev -ignore_readdir_race -%s %d -ls -exec %s %d '{}' +",
                         lc($idtype), $master_id, $ch, $new_local_id);
-                    push @cmds, sprintf("pkill -%s %s && sleep 1", $type eq 'pw' ? 'U' : 'G', $local_name);
-                    push @cmds, sprintf("usermod  --uid %d %s", $new_local_id, $local_name) if $type eq 'pw';
-                    push @cmds, sprintf("groupmod --gid %d %s", $new_local_id, $local_name) if $type eq 'gr';
-                    push @grepcmds, sprintf("pgrep -%s %s", $type eq 'pw' ? 'U' : 'G', $local_name);
+                    push @cmds,     sprintf("pkill -%s %s && sleep 1", $type eq 'pw' ? 'U' : 'G', $local_name);
+                    push @cmds,     sprintf("usermod  --uid %d %s",    $new_local_id, $local_name) if $type eq 'pw';
+                    push @cmds,     sprintf("groupmod --gid %d %s",    $new_local_id, $local_name) if $type eq 'gr';
+                    push @grepcmds, sprintf("pgrep -%s %s",            $type eq 'pw' ? 'U' : 'G', $local_name);
                     # and we ask our caller to call us again as we've changed the local ID for this account or group
                     say "-> okay, offsetting local UID $master_id to $new_local_id";
                     return 0;
@@ -287,10 +287,10 @@ sub handle_list {
                     push @cmds,
                       sprintf("find \$fslist -xdev -ignore_readdir_race -%s %d -ls -exec %s %d '{}' +",
                         lc($idtype), $local_id, $ch, $master_id);
-                    push @cmds, sprintf("pkill -%s %s && sleep 1", $type eq 'pw' ? 'U' : 'G', $master_name);
-                    push @cmds, sprintf("usermod  --uid %d %s", $master_id, $master_name) if $type eq 'pw';
-                    push @cmds, sprintf("groupmod --gid %d %s", $master_id, $master_name) if $type eq 'gr';
-                    push @grepcmds, sprintf("pgrep -%s %s", $type eq 'pw' ? 'U' : 'G', $master_name);
+                    push @cmds,     sprintf("pkill -%s %s && sleep 1", $type eq 'pw' ? 'U' : 'G', $master_name);
+                    push @cmds,     sprintf("usermod  --uid %d %s",    $master_id, $master_name) if $type eq 'pw';
+                    push @cmds,     sprintf("groupmod --gid %d %s",    $master_id, $master_name) if $type eq 'gr';
+                    push @grepcmds, sprintf("pgrep -%s %s",            $type eq 'pw' ? 'U' : 'G', $master_name);
                     say "-> okay, setting local $idtype of $master_name to $master_id instead of $local_id";
                     # and we ask our caller to call us again as we've changed the local ID for this account or group
                     return 0;

diff --git a/bin/admin/osh-sync-watcher.sh b/bin/admin/osh-sync-watcher.sh
@@ -111,7 +111,7 @@ do
                 _log "... got event, syncing in 3 secs!"
                 sleep 3
         else
-                _warn "... got weird return value $? (maxfiles=$maxfiles); sleeping a bit..."
+                _warn "... got weird return value $ret (maxfiles=$maxfiles); sleeping a bit..."
                 sleep "$timeout"
         fi
         # sanity check myself before

diff --git a/bin/admin/setup-gpg.sh b/bin/admin/setup-gpg.sh
@@ -197,5 +197,3 @@ case "$1" in
     "") do_usage; exit 0;;
     *) echo "Unknown command '$1'" >&2; echo; do_usage; exit 1;;
 esac
-
-exit 0
diff --git a/bin/cron/osh-cleanup-guest-key-access.pl b/bin/cron/osh-cleanup-guest-key-access.pl
@@ -148,10 +148,10 @@ sub print_usage {
             # remove account from group
             my @command = qw{ /usr/bin/env perl -T };
             push @command, $OVH::Bastion::BASEPATH . '/bin/helper/osh-groupSetRole';
-            push @command, '--type', 'guest';
-            push @command, '--group', $group;
+            push @command, '--type',    'guest';
+            push @command, '--group',   $group;
             push @command, '--account', $account;
-            push @command, '--action', 'del';
+            push @command, '--action',  'del';
             $fnret = OVH::Bastion::helper(cmd => \@command);
 
             if (!$fnret) {

diff --git a/bin/cron/osh-encrypt-rsync.pl b/bin/cron/osh-encrypt-rsync.pl
@@ -41,7 +41,7 @@ sub gpg_sign {
     my %params = @_;
     my @cmd    = qw{ gpg --batch --trust-model always --sign --passphrase-fd 0 };
     push @cmd, qw{ --pinentry-mode loopback } if is_new_gpg();
-    push @cmd, "-v" if $verbose >= 2;
+    push @cmd, "-v"                           if $verbose >= 2;
     push @cmd, '--local-user', $params{'signkey'}, '--output', '-', $params{'infile'};
 
     my $outfile;

diff --git a/bin/dev/shell-check.sh b/bin/dev/shell-check.sh
@@ -19,7 +19,8 @@ cd "$basedir" || exit 254
 if [ "${1:-system}" = system ]; then
     unset dockertag
 elif [ "$1" = docker ]; then
-    dockertag=v0.8.0
+    # this is the version shipped with Ubuntu 24.04
+    dockertag=v0.9.0
 else
     dockertag="$1"
 fi

diff --git a/bin/helper/osh-accountCreate b/bin/helper/osh-accountCreate
@@ -7,7 +7,7 @@
 
 #>HEADER
 use common::sense;
-use Getopt::Long qw(:config no_auto_abbrev no_ignore_case);
+use Getopt::Long  qw(:config no_auto_abbrev no_ignore_case);
 use Sys::Hostname ();
 use JSON;
 use POSIX ();
@@ -28,12 +28,12 @@ my (
 eval {
     local $SIG{__WARN__} = sub { push @optwarns, shift };
     $result = GetOptions(
-        "force-key-from=s"    => sub { $forceKeyFrom    //= $_[1] },    # only to be used by the install script
-        "type=s"              => sub { $type            //= $_[1] },
-        "from=s"              => sub { $realmFrom       //= $_[1] },
-        "uid=s"               => sub { $uid             //= $_[1] },
-        "account=s"           => sub { $account         //= $_[1] },
-        "always-active"       => sub { $alwaysActive    //= $_[1] },
+        "force-key-from=s"    => sub { $forceKeyFrom //= $_[1] },    # only to be used by the install script
+        "type=s"              => sub { $type         //= $_[1] },
+        "from=s"              => sub { $realmFrom    //= $_[1] },
+        "uid=s"               => sub { $uid          //= $_[1] },
+        "account=s"           => sub { $account      //= $_[1] },
+        "always-active"       => sub { $alwaysActive //= $_[1] },
         "pubKey=s"            => \@pubKeys,
         "comment=s"           => sub { $comment         //= $_[1] },
         'uid-auto'            => sub { $uidAuto         //= $_[1] },
@@ -87,11 +87,11 @@ $account = $fnret->value->{'account'};
 
 $fnret = OVH::Bastion::is_account_existing(account => $account);
 $fnret->is_err and HEXIT($fnret);
-$fnret->is_ok and HEXIT('KO_ALREADY_EXISTING', msg => "The account $account already exists");
+$fnret->is_ok  and HEXIT('KO_ALREADY_EXISTING', msg => "The account $account already exists");
 
 $fnret = OVH::Bastion::is_group_existing(group => $account);
 $fnret->is_err and HEXIT($fnret);
-$fnret->is_ok and HEXIT('KO_ALREADY_EXISTING', msg => "The group $account already exists");
+$fnret->is_ok  and HEXIT('KO_ALREADY_EXISTING', msg => "The group $account already exists");
 
 if ($type eq 'realm') {
     $account = "realm_$account";
@@ -100,11 +100,11 @@ if ($type eq 'realm') {
 
     $fnret = OVH::Bastion::is_account_existing(account => $account, accountType => "realm");
     $fnret->is_err and HEXIT($fnret);
-    $fnret->is_ok and HEXIT('KO_ALREADY_EXISTING', msg => "The realm $account already exists");
+    $fnret->is_ok  and HEXIT('KO_ALREADY_EXISTING', msg => "The realm $account already exists");
 
     $fnret = OVH::Bastion::is_group_existing(group => $account);
     $fnret->is_err and HEXIT($fnret);
-    $fnret->is_ok and HEXIT('KO_ALREADY_EXISTING', msg => "The group $account already exists");
+    $fnret->is_ok  and HEXIT('KO_ALREADY_EXISTING', msg => "The group $account already exists");
 }
 
 #<PARAMS:ACCOUNT
@@ -328,10 +328,10 @@ if (ref $config->{'accountCreateDefaultPersonalAccesses'} eq 'ARRAY' && $type eq
         next unless $ip;
         my @command = qw{ sudo -n -u allowkeeper -- };
         push @command, $OVH::Bastion::BASEPATH . '/bin/helper/osh-accountModifyPersonalAccess';
-        push @command, '--target', 'any';
-        push @command, '--action', 'add';
+        push @command, '--target',  'any';
+        push @command, '--action',  'add';
         push @command, '--account', $account;
-        push @command, '--ip', $ip;
+        push @command, '--ip',      $ip;
 
         if ($user) {
             push @command, '--user', ($user eq 'ACCOUNT' ? $account : $user);
@@ -348,7 +348,7 @@ my %metadata      = (
     by              => $self,
     bastion_version => $OVH::Bastion::VERSION,
     datetime_utc    => POSIX::strftime("%a %Y-%m-%d %H:%M:%S UTC", gmtime($creation_time)),
-    datetime_local  => POSIX::strftime("%a %Y-%m-%d %H:%M:%S %Z", localtime($creation_time)),
+    datetime_local  => POSIX::strftime("%a %Y-%m-%d %H:%M:%S %Z",  localtime($creation_time)),
     timestamp       => $creation_time,
     comment         => $comment,
 );
@@ -485,15 +485,15 @@ OVH::Bastion::syslogFormatted(
     severity => 'info',
     type     => 'account',
     fields   => [
-        ['action',      'create'],
-        ['account',     $account],
-        ['account_uid', $uid],
-        ['public_key',  @vettedKeys ? $vettedKeys[0] : undef],
+        ['action',        'create'],
+        ['account',       $account],
+        ['account_uid',   $uid],
+        ['public_key',    @vettedKeys ? $vettedKeys[0] : undef],
         ['always_active', ($alwaysActive ? 'true' : 'false')],
         ['uid_auto',      ($uidAuto      ? 'true' : 'false')],
         ['osh_only',      ($oshOnly      ? 'true' : 'false')],
         ['immutable_key', ($immutableKey ? 'true' : 'false')],
-        ['comment', $comment],
+        ['comment',       $comment],
     ]
 );
 

diff --git a/bin/helper/osh-accountGetPasswordInfo b/bin/helper/osh-accountGetPasswordInfo
@@ -7,7 +7,7 @@
 
 #>HEADER
 use common::sense;
-use Getopt::Long qw(:config no_auto_abbrev no_ignore_case);
+use Getopt::Long  qw(:config no_auto_abbrev no_ignore_case);
 use Sys::Hostname ();
 
 use File::Basename;

diff --git a/bin/helper/osh-groupAddServer b/bin/helper/osh-groupAddServer
@@ -23,12 +23,12 @@ my ($group, $user, $ip, $port, $action, $force, $forcePassword, $forceKey, $ttl,
 eval {
     local $SIG{__WARN__} = sub { push @optwarns, shift };
     $result = GetOptions(
-        "group=s"  => sub { $group  //= $_[1] },    # ignore subsequent --group on cmdline (anti-sudoers-override)
-        "user=s"   => sub { $user   //= $_[1] },
-        "ip=s"     => sub { $ip     //= $_[1] },
-        "port=i"   => sub { $port   //= $_[1] },
-        "action=s" => sub { $action //= $_[1] },
-        "force"    => sub { $force  //= $_[1] },
+        "group=s"          => sub { $group         //= $_[1] },    # ignore subsequent --group on cmdline (anti-sudoers-override)
+        "user=s"           => sub { $user          //= $_[1] },
+        "ip=s"             => sub { $ip            //= $_[1] },
+        "port=i"           => sub { $port          //= $_[1] },
+        "action=s"         => sub { $action        //= $_[1] },
+        "force"            => sub { $force         //= $_[1] },
         "force-password=s" => sub { $forcePassword //= $_[1] },
         "force-key=s"      => sub { $forceKey      //= $_[1] },
         "ttl=i"            => sub { $ttl           //= $_[1] },

diff --git a/bin/helper/osh-groupCreate b/bin/helper/osh-groupCreate
@@ -114,7 +114,7 @@ foreach my $test ($group, "$group-gatekeeper", "$group-owner") {
 
 $fnret = OVH::Bastion::is_account_existing(account => $group);
 $fnret->is_err and HEXIT($fnret);
-$fnret->is_ok and HEXIT('KO_ALREADY_EXISTING', msg => "The account $group already exists");
+$fnret->is_ok  and HEXIT('KO_ALREADY_EXISTING', msg => "The account $group already exists");
 
 #<PARAMS:GROUP
 
@@ -180,7 +180,7 @@ OVH::Bastion::touch_file("/home/$group/allowed.ip");
 osh_info("Adjusting permissions...");
 my $bigX = (OVH::Bastion::is_linux() ? 'X' : 'x');
 foreach my $command (
-    ['chown', '-R',               "$group:$group",            "/home/$group"],
+    ['chown', '-R',               "$group:$group", "/home/$group"],
     ['chgrp', "$group-aclkeeper", "/home/$group/allowed.ip"],
     ['chmod', '-R',               "o-rwx,g=r$bigX,u=rw$bigX", "/home/$group"],
     ['chmod', '0664',             "/home/$group/allowed.ip"],

diff --git a/bin/helper/osh-groupDelete b/bin/helper/osh-groupDelete
@@ -175,7 +175,7 @@ $fnret or HEXIT($fnret);
 my $dh;
 if (opendir($dh, "/home/allowkeeper")) {
     while (my $dir = readdir($dh)) {
-        $dir =~ /^\./ and next;
+        $dir =~ /^\./                 and next;
         $dir !~ /^([a-zA-Z0-9._-]+)$/ and next;
         $dir = "/home/allowkeeper/$1";    # and untaint
         -d $dir or next;

diff --git a/bin/plugin/admin/adminSudo b/bin/plugin/admin/adminSudo
@@ -53,9 +53,9 @@ push @cmd, '-c';
 
 my $stringified;
 $stringified = " --osh $sudoCmd" if $sudoCmd;
-$stringified .= " --host $host" if $host;
-$stringified .= " --port $port" if $port;
-$stringified .= " --user $user" if $user;
+$stringified .= " --host $host"                     if $host;
+$stringified .= " --port $port"                     if $port;
+$stringified .= " --user $user"                     if $user;
 $stringified .= " " . join(" ", @$remainingOptions) if ($remainingOptions and @$remainingOptions);
 
 push @cmd, $stringified;
@@ -67,8 +67,8 @@ OVH::Bastion::syslogFormatted(
         ['type',    'admin-sudo'],
         ['account', $self],
         ['sudo-as', $sudoAs],
-        ['plugin', ($sudoCmd ? $sudoCmd : 'ssh')],
-        ['params', $stringified]
+        ['plugin',  ($sudoCmd ? $sudoCmd : 'ssh')],
+        ['params',  $stringified]
     ]
 );
 

diff --git a/bin/plugin/group-aclkeeper/groupAddServer b/bin/plugin/group-aclkeeper/groupAddServer
@@ -164,11 +164,11 @@ push @command, ($group, '--', '/usr/bin/env', 'perl', '-T', $OVH::Bastion::BASEP
 push @command, '--group',          $group;
 push @command, '--action',         'add';
 push @command, '--ip',             $ip;
-push @command, '--user',           $user if $user;
-push @command, '--port',           $port if $port;
-push @command, '--force-key',      $forceKey if $forceKey;
+push @command, '--user',           $user          if $user;
+push @command, '--port',           $port          if $port;
+push @command, '--force-key',      $forceKey      if $forceKey;
 push @command, '--force-password', $forcePassword if $forcePassword;
-push @command, '--ttl',            $ttl if $ttl;
-push @command, '--comment',        $comment if $comment;
+push @command, '--ttl',            $ttl           if $ttl;
+push @command, '--comment',        $comment       if $comment;
 
 osh_exit OVH::Bastion::helper(cmd => \@command);
diff --git a/bin/plugin/group-owner/groupGenerateEgressKey b/bin/plugin/group-owner/groupGenerateEgressKey
@@ -75,8 +75,8 @@ if ($encrypted) {
 my @command = qw{ sudo -n -u root -- /usr/bin/env perl -T };
 push @command, $OVH::Bastion::BASEPATH . '/bin/helper/osh-groupGenerateEgressKey';
 push @command, '--group', $group;
-push @command, '--algo', $algo;
-push @command, '--size', $size;
+push @command, '--algo',  $algo;
+push @command, '--size',  $size;
 push @command, '--encrypted' if $encrypted;
 
 $fnret = OVH::Bastion::helper(cmd => \@command, stdin_str => $passphrase);

diff --git a/bin/plugin/group-owner/groupModify b/bin/plugin/group-owner/groupModify
@@ -85,9 +85,9 @@ my @command = qw{ sudo -n -u };
 push @command, $group;
 push @command, qw{ -- /usr/bin/env perl -T };
 push @command, $OVH::Bastion::BASEPATH . '/bin/helper/osh-groupModify';
-push @command, '--group', $group;
-push @command, '--mfa-required', $mfaRequired if $mfaRequired;
-push @command, '--guest-ttl-limit', $ttl if defined $ttl;
+push @command, '--group',             $group;
+push @command, '--mfa-required',      $mfaRequired     if $mfaRequired;
+push @command, '--guest-ttl-limit',   $ttl             if defined $ttl;
 push @command, '--idle-lock-timeout', $idleLockTimeout if defined $idleLockTimeout;
 push @command, '--idle-kill-timeout', $idleKillTimeout if defined $idleKillTimeout;
 

diff --git a/bin/plugin/open/help b/bin/plugin/open/help
@@ -50,7 +50,7 @@ my @knownPlugins = (
           [qw{ accountListIngressKeys accountResetIngressKeys accountMFAResetPassword accountMFAResetTOTP }],
         'manage accounts egress credentials (bastion->server)' =>
           [qw{ accountListEgressKeys accountGeneratePassword accountListPasswords }],
-        'manage access to restricted commands' => [qw{ accountGrantCommand accountRevokeCommand }],
+        'manage access to restricted commands'       => [qw{ accountGrantCommand accountRevokeCommand }],
         'manage another account accesses to servers' =>
           [qw{ accountListAccesses accountAddPersonalAccess accountDelPersonalAccess whoHasAccessTo }],
         'review past sessions' => [qw{ accountListSessions globalListSessions }],
@@ -63,7 +63,7 @@ my @knownPlugins = (
         ],
         'egress passwords commands'             => [qw{ groupListPasswords groupGeneratePassword groupDelPassword }],
         'gatekeeper commands to manage members' => [qw{ groupAddMember groupDelMember }],
-        'gatekeeper commands to manage guests' =>
+        'gatekeeper commands to manage guests'  =>
           [qw{ groupListGuestAccesses groupAddGuestAccess groupDelGuestAccess }],
         'aclkeeper commands to manage group servers' => [qw{ groupAddServer groupDelServer }],
     ],

diff --git a/bin/plugin/open/rsync b/bin/plugin/open/rsync
@@ -77,8 +77,8 @@ if (not $ip) {
     osh_exit 'ERR_HOST_NOT_FOUND', "Sorry, couldn't resolve the host you specified ('$host'), aborting.";
 }
 
-$port ||= 22;      # rsync uses 22 if not specified, so we need to test access to that port and not any port (aka undef)
-$user ||= $self;   # same for user
+$port ||= 22;       # rsync uses 22 if not specified, so we need to test access to that port and not any port (aka undef)
+$user ||= $self;    # same for user
 
 $fnret = OVH::Bastion::Plugin::otherProtocol::has_protocol_access(
     account  => $self,
-Original file line number
+Diff line change
@@ Expand Up / @@ -197,5 +197,3 @@ case "$1" in @@
         "") do_usage; exit 0;;
         *) echo "Unknown command '$1'" >&2; echo; do_usage; exit 1;;
     esac
-    exit 0