diff options
author | onefang | 2021-08-20 00:28:15 +1000 |
---|---|---|
committer | onefang | 2021-08-20 00:28:15 +1000 |
commit | 2ebb95d6d31132814e4392ffdc04bd17bb105176 (patch) | |
tree | 146d819bb8999eda4b54c42bed720bac6ce115cc | |
parent | Default rsync stull for the config file. (diff) | |
download | opensim-SC-2ebb95d6d31132814e4392ffdc04bd17bb105176.zip opensim-SC-2ebb95d6d31132814e4392ffdc04bd17bb105176.tar.gz opensim-SC-2ebb95d6d31132814e4392ffdc04bd17bb105176.tar.bz2 opensim-SC-2ebb95d6d31132814e4392ffdc04bd17bb105176.tar.xz |
Make sure permisions and files aor correct on sledjchisl startup.
-rw-r--r-- | src/sledjchisl/sledjchisl.c | 126 |
1 files changed, 73 insertions, 53 deletions
diff --git a/src/sledjchisl/sledjchisl.c b/src/sledjchisl/sledjchisl.c index e4c4359..d82b7e1 100644 --- a/src/sledjchisl/sledjchisl.c +++ b/src/sledjchisl/sledjchisl.c | |||
@@ -8141,22 +8141,6 @@ Deal with the user. | |||
8141 | sudo adduser --system --shell /bin/bash --group ${OS_USER} | 8141 | sudo adduser --system --shell /bin/bash --group ${OS_USER} |
8142 | sudo addgroup ${USER} ${OS_USER} | 8142 | sudo addgroup ${USER} ${OS_USER} |
8143 | 8143 | ||
8144 | Create the /opt/opensim-SC directory structure. | ||
8145 | We do most of that below anyway. | ||
8146 | AssetFiles/data Think OpenSim creates all the sub directories itself? | ||
8147 | AssetFiles/tmp/spool Think OpenSim creates all the sub directories itself? | ||
8148 | bin | ||
8149 | config/config.ini (move that etc/config.ini later) | ||
8150 | etc | ||
8151 | tmp | ||
8152 | var/backups Copy examples/var/backups/*.IAR files, which are the newbie starter inventories. | ||
8153 | var/cache Think OpenSim creates all the sub directories itself? | ||
8154 | var/lib/db | ||
8155 | var/lib/users | ||
8156 | var/log | ||
8157 | var/run HAS to be setup correctly BEFORE we try to start up tmux. | ||
8158 | web // Fill it with default web stuff from current -> example.. | ||
8159 | |||
8160 | Copy the tmux config to user's homes. | 8144 | Copy the tmux config to user's homes. |
8161 | 8145 | ||
8162 | Copy this version of opensim-SC to /opt/opensim-SC, and make the current symlink to it. | 8146 | Copy this version of opensim-SC to /opt/opensim-SC, and make the current symlink to it. |
@@ -8164,32 +8148,6 @@ Copy this version of opensim-SC to /opt/opensim-SC, and make the current symlink | |||
8164 | Copy correct config/config.ini to there. | 8148 | Copy correct config/config.ini to there. |
8165 | Put new database credentials in config/config.ini | 8149 | Put new database credentials in config/config.ini |
8166 | 8150 | ||
8167 | Make sure correct permissions are set everywhere. | ||
8168 | sudo chmod 600 ${OS_PATH}/config/*.ini | ||
8169 | sudo chmod 600 ${OS_PATH}/config/ROBUST/*.ini | ||
8170 | sudo chown -R ${OS_USER}:${OS_USER} ${OS_PATH} | ||
8171 | sudo chmod -R 775 ${OS_PATH} | ||
8172 | sudo chmod -R a-x ${OS_PATH} | ||
8173 | sudo chmod -R a+X ${OS_PATH} | ||
8174 | sudo chmod -R g+w ${OS_PATH} | ||
8175 | sudo chmod -R a+x ${OS_PATH}/current/*.sh | ||
8176 | sudo chmod -R a+x ${OS_PATH}/current/scripts/*.sh | ||
8177 | sudo chmod -R a+x ${OS_PATH}/current/scripts/install/*.sh | ||
8178 | sudo chmod a+x ${OS_PATH}/current/scripts/show-console | ||
8179 | sudo chmod a+x ${OS_PATH}/current/scripts/start-sim | ||
8180 | |||
8181 | sudo chmod ug+rwx ${OS_PATH}/config | ||
8182 | sudo chmod g+s ${OS_PATH}/config | ||
8183 | sudo chmod 600 ${OS_PATH}/config/*.ini | ||
8184 | sudo chmod 600 ${OS_PATH}/config/ROBUST/*.ini | ||
8185 | sudo chmod ug+rwx ${OS_PATH}/etc | ||
8186 | sudo chmod g+s ${OS_PATH}/etc | ||
8187 | sudo chmod a+x ${OS_PATH}/config/*.shini | ||
8188 | |||
8189 | chmod ug+rwx ${OS_PATH}/var/cache | ||
8190 | chmod o-rwx ${OS_PATH}/var/cache | ||
8191 | chmod g+s ${OS_PATH}/var/cache | ||
8192 | |||
8193 | Build the OpenSim. | 8151 | Build the OpenSim. |
8194 | */ | 8152 | */ |
8195 | 8153 | ||
@@ -8247,13 +8205,36 @@ Build the OpenSim. | |||
8247 | scTemp = xmprintf("%s%s/tmp", slsh, scRoot); | 8205 | scTemp = xmprintf("%s%s/tmp", slsh, scRoot); |
8248 | } | 8206 | } |
8249 | 8207 | ||
8208 | // A bit chicken and egg here. | ||
8209 | // We need to be the correct user to set the correct perms on the scRun directory | ||
8210 | // But we wont be the correct user until we run tmux as that user. | ||
8211 | // The path to sledjchisl.socket needs to be readable by the www-data group. So the FCGI socket will work. | ||
8212 | // AND it needs to be group sticky on opensimsc group. So the tmux socket will work. | ||
8213 | // Put both in scRun, and make it other readable? | ||
8214 | // No idea of the SECURITY HOLE that might cause. | ||
8215 | if(!qfile_exist(scRun)) | ||
8216 | { | ||
8217 | W("Creating the proper %s directory.", scRun); | ||
8218 | if (shellMeFail("sudo -Hu %s mkdir -p %s", scUser, scRun)) | ||
8219 | { | ||
8220 | C("Can't make the %s directory.", scRun); | ||
8221 | goto finished; | ||
8222 | } | ||
8223 | else | ||
8224 | { | ||
8225 | if (shellMeFail("sudo -Hu %s chmod 2755 %s", scUser, scRun)) | ||
8226 | { | ||
8227 | C("Can't set proper permissions for the %s directory.", scRun); | ||
8228 | goto finished; | ||
8229 | } | ||
8230 | } | ||
8231 | } | ||
8250 | 8232 | ||
8251 | if (!isWeb) | 8233 | if (!isWeb) |
8252 | { | 8234 | { |
8253 | //////////////////////////////////////////////////////////////////////////////////////////////////// | 8235 | //////////////////////////////////////////////////////////////////////////////////////////////////// |
8254 | // Figure out what and where we are. | 8236 | // Figure out what and where we are. |
8255 | //////////////////////////////////////////////////////////////////////////////////////////////////// | 8237 | //////////////////////////////////////////////////////////////////////////////////////////////////// |
8256 | // TODO - still a bit chicken and egg here about the tmux socket and reading configs from scEtc /.sledjChisl.conf.lua | ||
8257 | I("Outputting to a terminal, not a web server."); | 8238 | I("Outputting to a terminal, not a web server."); |
8258 | // Check if we are already running inside the proper tmux server. | 8239 | // Check if we are already running inside the proper tmux server. |
8259 | char *eTMUX = getenv("TMUX"); | 8240 | char *eTMUX = getenv("TMUX"); |
@@ -8329,6 +8310,9 @@ Build the OpenSim. | |||
8329 | //////////////////////////////////////////////////////////////////////////////////////////////////// | 8310 | //////////////////////////////////////////////////////////////////////////////////////////////////// |
8330 | // Sort out directories, part 2 | 8311 | // Sort out directories, part 2 |
8331 | //////////////////////////////////////////////////////////////////////////////////////////////////// | 8312 | //////////////////////////////////////////////////////////////////////////////////////////////////// |
8313 | |||
8314 | // TODO - only do this if in start mode. | ||
8315 | |||
8332 | // Doing this here coz at this point we should be the correct user. | 8316 | // Doing this here coz at this point we should be the correct user. |
8333 | /* From man 7 inode - | 8317 | /* From man 7 inode - |
8334 | S_ISUID 04000 set-user-ID bit | 8318 | S_ISUID 04000 set-user-ID bit |
@@ -8362,17 +8346,7 @@ Build the OpenSim. | |||
8362 | if ((! qfile_exist(scEtc)) && (! qfile_mkdir(scEtc, S_IRWXU | S_IRGRP | S_IXGRP, true))) C("Unable to create path %s", scEtc); | 8346 | if ((! qfile_exist(scEtc)) && (! qfile_mkdir(scEtc, S_IRWXU | S_IRGRP | S_IXGRP, true))) C("Unable to create path %s", scEtc); |
8363 | if ((! qfile_exist(scLib)) && (! qfile_mkdir(scLib, S_IRWXU | S_IRGRP | S_IXGRP, true))) C("Unable to create path %s", scLib); | 8347 | if ((! qfile_exist(scLib)) && (! qfile_mkdir(scLib, S_IRWXU | S_IRGRP | S_IXGRP, true))) C("Unable to create path %s", scLib); |
8364 | if ((! qfile_exist(scBackup)) && (! qfile_mkdir(scBackup, S_IRWXU | S_IRGRP | S_IXGRP, true))) C("Unable to create path %s", scBackup); | 8348 | if ((! qfile_exist(scBackup)) && (! qfile_mkdir(scBackup, S_IRWXU | S_IRGRP | S_IXGRP, true))) C("Unable to create path %s", scBackup); |
8365 | // TODO - the path to sledjchisl.socket needs to be readable by the www-data group. So the FCGI socket will work. | ||
8366 | // AND it needs to be group sticky on opensimsc group. So the tmux socket will work. | ||
8367 | // So currently scCache is www-data readable, and scRun is group sticky. | ||
8368 | // Our big problem here is that opensimsc can't set group on it's own directories to www-data if it's not in that group. | ||
8369 | // And that's the only reason we need access to that group. | ||
8370 | // Put both in scRun, and make it other readable? | ||
8371 | // No idea of the SECURITY HOLE that might cause. | ||
8372 | // DAMMIT! chicken and egg, scRun has to exist before tmux runs, so it can create the socket in there, | ||
8373 | // but we can't create it until tmux runs. | ||
8374 | if ((! qfile_exist(scCache)) && (! qfile_mkdir(scCache, S_IRWXU | S_IRGRP | S_IXGRP, true))) C("Unable to create path %s", scCache); | 8349 | if ((! qfile_exist(scCache)) && (! qfile_mkdir(scCache, S_IRWXU | S_IRGRP | S_IXGRP, true))) C("Unable to create path %s", scCache); |
8375 | // if ((! qfile_exist(scRun)) && (! qfile_mkdir(scRun, S_IRWXU | S_IRWXG | S_IROTH | S_IXOTH | S_ISGID, true))) C("Unable to create path %s", scRun); | ||
8376 | if ((! qfile_exist(scData)) && (! qfile_mkdir(scData, S_IRWXU | S_IRGRP | S_IXGRP, true))) C("Unable to create path %s", scData); | 8350 | if ((! qfile_exist(scData)) && (! qfile_mkdir(scData, S_IRWXU | S_IRGRP | S_IXGRP, true))) C("Unable to create path %s", scData); |
8377 | if ((! qfile_exist(scLog)) && (! qfile_mkdir(scLog, S_IRWXU | S_IRGRP | S_IXGRP, true))) C("Unable to create path %s", scLog); | 8351 | if ((! qfile_exist(scLog)) && (! qfile_mkdir(scLog, S_IRWXU | S_IRGRP | S_IXGRP, true))) C("Unable to create path %s", scLog); |
8378 | if ((! qfile_exist(scTemp)) && (! qfile_mkdir(scTemp, S_IRWXU | S_IRGRP | S_IXGRP, true))) C("Unable to create path %s", scTemp); | 8352 | if ((! qfile_exist(scTemp)) && (! qfile_mkdir(scTemp, S_IRWXU | S_IRGRP | S_IXGRP, true))) C("Unable to create path %s", scTemp); |
@@ -8382,6 +8356,52 @@ Build the OpenSim. | |||
8382 | tmp = xmprintf("%s/users", scData); | 8356 | tmp = xmprintf("%s/users", scData); |
8383 | if ((! qfile_exist(tmp)) && (! qfile_mkdir(tmp, S_IRWXU | S_IRGRP | S_IXGRP, true))) C("Unable to create path %s", tmp); | 8357 | if ((! qfile_exist(tmp)) && (! qfile_mkdir(tmp, S_IRWXU | S_IRGRP | S_IXGRP, true))) C("Unable to create path %s", tmp); |
8384 | free(tmp); | 8358 | free(tmp); |
8359 | tmp = xmprintf("%s/db", scData); | ||
8360 | if ((! qfile_exist(tmp)) && (! qfile_mkdir(tmp, S_IRWXU | S_IRGRP | S_IXGRP, true))) C("Unable to create path %s", tmp); | ||
8361 | free(tmp); | ||
8362 | |||
8363 | /* TODO - tighten up security. | ||
8364 | Make sure correct permissions are set everywhere. | ||
8365 | sudo chown -R ${OS_USER}:${OS_USER} ${OS_PATH} | ||
8366 | |||
8367 | Create the /opt/opensim-SC directory structure. | ||
8368 | AssetFiles/data Think OpenSim creates all the sub directories itself? | ||
8369 | AssetFiles/tmp/spool Think OpenSim creates all the sub directories itself? | ||
8370 | config/config.ini (move that etc/config.ini later) | ||
8371 | . var/backups Copy examples/var/backups/*.IAR files, which are the newbie starter inventories. | ||
8372 | . var/cache Think OpenSim creates all the sub directories itself? | ||
8373 | . var/run HAS to be setup correctly BEFORE we try to start up tmux. | ||
8374 | web // Fill it with default web stuff from current -> example.. | ||
8375 | |||
8376 | */ | ||
8377 | I("Securing directories and files in %s.", scRoot); | ||
8378 | if (shellMeFail("chmod u=rw,go= %s/config/*.ini", scRoot)) C("Can't set proper permissions for %s/config*.ini", scRoot); | ||
8379 | if (shellMeFail("chmod u=rw,go= %s/config/ROBUST/*.ini", scRoot)) C("Can't set proper permissions for %s/config/ROBUST/*.ini", scRoot); | ||
8380 | if (shellMeFail("chmod u=rw,go= %s/.sledjChisl.conf.lua", scEtc)) C("Can't set proper permissions for %s/.sledjChisl.conf.lua", scEtc); | ||
8381 | if (shellMeFail("chmod ug+rw %s/config", scRoot)) C("Can't set proper permissions for %s/config", scRoot); | ||
8382 | if (shellMeFail("chmod g+s %s/config", scRoot)) C("Can't set proper permissions for %s/config", scRoot); | ||
8383 | if (shellMeFail("chmod u=rw,go= %s/config/*.ini", scRoot)) C("Can't set proper permissions for %s/config/*.ini", scRoot); | ||
8384 | if (shellMeFail("chmod u=rw,go= %s/config/ROBUST/*.ini", scRoot)) C("Can't set proper permissions for %s/configROBUST/*.ini", scRoot); | ||
8385 | |||
8386 | if (shellMeFail("chmod ug=rwx,o= %s/AssetFiles", scRoot)) C("Can't set proper permissions for %s/AssetFiles", scRoot); | ||
8387 | if (shellMeFail("chmod -fR ug=rw,o=,a+X %s", scBackup)) C("Can't set proper permissions for %s", scBackup); | ||
8388 | if (shellMeFail("chmod -fR a=r,ug=rw,a+X %s", scBin)) C("Can't set proper permissions for %s", scBin); | ||
8389 | if (shellMeFail("chmod -fR ug=rw,o=,a+X %s", scCache)) C("Can't set proper permissions for %s", scCache); | ||
8390 | if (shellMeFail("chmod ug=rwx,o= %s", scCache)) C("Can't set proper permissions for %s", scCache); | ||
8391 | if (shellMeFail("chmod -fR a=r,ug=rw,a+X %s", scData)) C("Can't set proper permissions for %s", scData); | ||
8392 | if (shellMeFail("chmod -fR a=r,ug=rw,a+X %s", scEtc)) C("Can't set proper permissions for %s", scEtc); | ||
8393 | if (shellMeFail("chmod u=rw,go= %s/.sledjChisl.conf.lua", scEtc)) C("Can't set proper permissions for %s/.sledjChisl.conf.lua", scEtc); | ||
8394 | if (shellMeFail("chmod g+s %s", scEtc)) C("Can't set proper permissions for %s", scEtc); | ||
8395 | if (shellMeFail("chmod a+x %s/*.shini", scEtc)) C("Can't set proper permissions for %s/*.shini", scEtc); | ||
8396 | if (shellMeFail("chmod -fR a=r,ug=rw,a+X %s", scLib)) C("Can't set proper permissions for %s", scLib); | ||
8397 | if (shellMeFail("chmod -fR a=r,ug=rw,a+X %s", scLog)) C("Can't set proper permissions for %s", scLog); | ||
8398 | if (shellMeFail("chmod -fR a=r,ug=rw,a+X %s", scTemp)) C("Can't set proper permissions for %s", scTemp); | ||
8399 | |||
8400 | // if (shellMeFail("chmod -R a+x %s/current/*.sh", scRoot)) C("Can't set proper permissions for %s/current/*.sh", scRoot); | ||
8401 | // if (shellMeFail("chmod -R a+x %s/current/scripts/*.sh", scRoot)) C("Can't set proper permissions for %s/current/scripts/*.sh", scRoot); | ||
8402 | // if (shellMeFail("chmod -R a+x %s/current/scripts/install/*.sh", scRoot)) C("Can't set proper permissions for %s/current/scripts/install/*.sh", scRoot); | ||
8403 | // if (shellMeFail("chmod a+x %s/current/scripts/show-console", scRoot)) C("Can't set proper permissions for %s/current/scripts/show-console", scRoot); | ||
8404 | // if (shellMeFail("chmod a+x %s/current/scripts/start-sim", scRoot)) C("Can't set proper permissions for %s/current/scripts/start-sim", scRoot); | ||
8385 | 8405 | ||
8386 | char *newPath = xmprintf("%s/current/bin/sledjchisl", scRoot); | 8406 | char *newPath = xmprintf("%s/current/bin/sledjchisl", scRoot); |
8387 | tmp = xmprintf("%s/sledjchisl", scBin); | 8407 | tmp = xmprintf("%s/sledjchisl", scBin); |