aboutsummaryrefslogtreecommitdiffstatshomepage
diff options
context:
space:
mode:
authoronefang2021-08-20 00:28:15 +1000
committeronefang2021-08-20 00:28:15 +1000
commit2ebb95d6d31132814e4392ffdc04bd17bb105176 (patch)
tree146d819bb8999eda4b54c42bed720bac6ce115cc
parentDefault rsync stull for the config file. (diff)
downloadopensim-SC-2ebb95d6d31132814e4392ffdc04bd17bb105176.zip
opensim-SC-2ebb95d6d31132814e4392ffdc04bd17bb105176.tar.gz
opensim-SC-2ebb95d6d31132814e4392ffdc04bd17bb105176.tar.bz2
opensim-SC-2ebb95d6d31132814e4392ffdc04bd17bb105176.tar.xz
Make sure permisions and files aor correct on sledjchisl startup.
-rw-r--r--src/sledjchisl/sledjchisl.c126
1 files changed, 73 insertions, 53 deletions
diff --git a/src/sledjchisl/sledjchisl.c b/src/sledjchisl/sledjchisl.c
index e4c4359..d82b7e1 100644
--- a/src/sledjchisl/sledjchisl.c
+++ b/src/sledjchisl/sledjchisl.c
@@ -8141,22 +8141,6 @@ Deal with the user.
8141 sudo adduser --system --shell /bin/bash --group ${OS_USER} 8141 sudo adduser --system --shell /bin/bash --group ${OS_USER}
8142 sudo addgroup ${USER} ${OS_USER} 8142 sudo addgroup ${USER} ${OS_USER}
8143 8143
8144Create the /opt/opensim-SC directory structure.
8145 We do most of that below anyway.
8146 AssetFiles/data Think OpenSim creates all the sub directories itself?
8147 AssetFiles/tmp/spool Think OpenSim creates all the sub directories itself?
8148 bin
8149 config/config.ini (move that etc/config.ini later)
8150 etc
8151 tmp
8152 var/backups Copy examples/var/backups/*.IAR files, which are the newbie starter inventories.
8153 var/cache Think OpenSim creates all the sub directories itself?
8154 var/lib/db
8155 var/lib/users
8156 var/log
8157 var/run HAS to be setup correctly BEFORE we try to start up tmux.
8158 web // Fill it with default web stuff from current -> example..
8159
8160Copy the tmux config to user's homes. 8144Copy the tmux config to user's homes.
8161 8145
8162Copy this version of opensim-SC to /opt/opensim-SC, and make the current symlink to it. 8146Copy this version of opensim-SC to /opt/opensim-SC, and make the current symlink to it.
@@ -8164,32 +8148,6 @@ Copy this version of opensim-SC to /opt/opensim-SC, and make the current symlink
8164Copy correct config/config.ini to there. 8148Copy correct config/config.ini to there.
8165 Put new database credentials in config/config.ini 8149 Put new database credentials in config/config.ini
8166 8150
8167Make sure correct permissions are set everywhere.
8168 sudo chmod 600 ${OS_PATH}/config/*.ini
8169 sudo chmod 600 ${OS_PATH}/config/ROBUST/*.ini
8170 sudo chown -R ${OS_USER}:${OS_USER} ${OS_PATH}
8171 sudo chmod -R 775 ${OS_PATH}
8172 sudo chmod -R a-x ${OS_PATH}
8173 sudo chmod -R a+X ${OS_PATH}
8174 sudo chmod -R g+w ${OS_PATH}
8175 sudo chmod -R a+x ${OS_PATH}/current/*.sh
8176 sudo chmod -R a+x ${OS_PATH}/current/scripts/*.sh
8177 sudo chmod -R a+x ${OS_PATH}/current/scripts/install/*.sh
8178 sudo chmod a+x ${OS_PATH}/current/scripts/show-console
8179 sudo chmod a+x ${OS_PATH}/current/scripts/start-sim
8180
8181 sudo chmod ug+rwx ${OS_PATH}/config
8182 sudo chmod g+s ${OS_PATH}/config
8183 sudo chmod 600 ${OS_PATH}/config/*.ini
8184 sudo chmod 600 ${OS_PATH}/config/ROBUST/*.ini
8185 sudo chmod ug+rwx ${OS_PATH}/etc
8186 sudo chmod g+s ${OS_PATH}/etc
8187 sudo chmod a+x ${OS_PATH}/config/*.shini
8188
8189 chmod ug+rwx ${OS_PATH}/var/cache
8190 chmod o-rwx ${OS_PATH}/var/cache
8191 chmod g+s ${OS_PATH}/var/cache
8192
8193Build the OpenSim. 8151Build the OpenSim.
8194*/ 8152*/
8195 8153
@@ -8247,13 +8205,36 @@ Build the OpenSim.
8247 scTemp = xmprintf("%s%s/tmp", slsh, scRoot); 8205 scTemp = xmprintf("%s%s/tmp", slsh, scRoot);
8248 } 8206 }
8249 8207
8208// A bit chicken and egg here.
8209// We need to be the correct user to set the correct perms on the scRun directory
8210// But we wont be the correct user until we run tmux as that user.
8211// The path to sledjchisl.socket needs to be readable by the www-data group. So the FCGI socket will work.
8212// AND it needs to be group sticky on opensimsc group. So the tmux socket will work.
8213// Put both in scRun, and make it other readable?
8214// No idea of the SECURITY HOLE that might cause.
8215 if(!qfile_exist(scRun))
8216 {
8217 W("Creating the proper %s directory.", scRun);
8218 if (shellMeFail("sudo -Hu %s mkdir -p %s", scUser, scRun))
8219 {
8220 C("Can't make the %s directory.", scRun);
8221 goto finished;
8222 }
8223 else
8224 {
8225 if (shellMeFail("sudo -Hu %s chmod 2755 %s", scUser, scRun))
8226 {
8227 C("Can't set proper permissions for the %s directory.", scRun);
8228 goto finished;
8229 }
8230 }
8231 }
8250 8232
8251 if (!isWeb) 8233 if (!isWeb)
8252 { 8234 {
8253//////////////////////////////////////////////////////////////////////////////////////////////////// 8235////////////////////////////////////////////////////////////////////////////////////////////////////
8254// Figure out what and where we are. 8236// Figure out what and where we are.
8255//////////////////////////////////////////////////////////////////////////////////////////////////// 8237////////////////////////////////////////////////////////////////////////////////////////////////////
8256// TODO - still a bit chicken and egg here about the tmux socket and reading configs from scEtc /.sledjChisl.conf.lua
8257 I("Outputting to a terminal, not a web server."); 8238 I("Outputting to a terminal, not a web server.");
8258 // Check if we are already running inside the proper tmux server. 8239 // Check if we are already running inside the proper tmux server.
8259 char *eTMUX = getenv("TMUX"); 8240 char *eTMUX = getenv("TMUX");
@@ -8329,6 +8310,9 @@ Build the OpenSim.
8329//////////////////////////////////////////////////////////////////////////////////////////////////// 8310////////////////////////////////////////////////////////////////////////////////////////////////////
8330// Sort out directories, part 2 8311// Sort out directories, part 2
8331//////////////////////////////////////////////////////////////////////////////////////////////////// 8312////////////////////////////////////////////////////////////////////////////////////////////////////
8313
8314// TODO - only do this if in start mode.
8315
8332 // Doing this here coz at this point we should be the correct user. 8316 // Doing this here coz at this point we should be the correct user.
8333 /* From man 7 inode - 8317 /* From man 7 inode -
8334 S_ISUID 04000 set-user-ID bit 8318 S_ISUID 04000 set-user-ID bit
@@ -8362,17 +8346,7 @@ Build the OpenSim.
8362 if ((! qfile_exist(scEtc)) && (! qfile_mkdir(scEtc, S_IRWXU | S_IRGRP | S_IXGRP, true))) C("Unable to create path %s", scEtc); 8346 if ((! qfile_exist(scEtc)) && (! qfile_mkdir(scEtc, S_IRWXU | S_IRGRP | S_IXGRP, true))) C("Unable to create path %s", scEtc);
8363 if ((! qfile_exist(scLib)) && (! qfile_mkdir(scLib, S_IRWXU | S_IRGRP | S_IXGRP, true))) C("Unable to create path %s", scLib); 8347 if ((! qfile_exist(scLib)) && (! qfile_mkdir(scLib, S_IRWXU | S_IRGRP | S_IXGRP, true))) C("Unable to create path %s", scLib);
8364 if ((! qfile_exist(scBackup)) && (! qfile_mkdir(scBackup, S_IRWXU | S_IRGRP | S_IXGRP, true))) C("Unable to create path %s", scBackup); 8348 if ((! qfile_exist(scBackup)) && (! qfile_mkdir(scBackup, S_IRWXU | S_IRGRP | S_IXGRP, true))) C("Unable to create path %s", scBackup);
8365// TODO - the path to sledjchisl.socket needs to be readable by the www-data group. So the FCGI socket will work.
8366// AND it needs to be group sticky on opensimsc group. So the tmux socket will work.
8367// So currently scCache is www-data readable, and scRun is group sticky.
8368// Our big problem here is that opensimsc can't set group on it's own directories to www-data if it's not in that group.
8369// And that's the only reason we need access to that group.
8370// Put both in scRun, and make it other readable?
8371// No idea of the SECURITY HOLE that might cause.
8372// DAMMIT! chicken and egg, scRun has to exist before tmux runs, so it can create the socket in there,
8373// but we can't create it until tmux runs.
8374 if ((! qfile_exist(scCache)) && (! qfile_mkdir(scCache, S_IRWXU | S_IRGRP | S_IXGRP, true))) C("Unable to create path %s", scCache); 8349 if ((! qfile_exist(scCache)) && (! qfile_mkdir(scCache, S_IRWXU | S_IRGRP | S_IXGRP, true))) C("Unable to create path %s", scCache);
8375// if ((! qfile_exist(scRun)) && (! qfile_mkdir(scRun, S_IRWXU | S_IRWXG | S_IROTH | S_IXOTH | S_ISGID, true))) C("Unable to create path %s", scRun);
8376 if ((! qfile_exist(scData)) && (! qfile_mkdir(scData, S_IRWXU | S_IRGRP | S_IXGRP, true))) C("Unable to create path %s", scData); 8350 if ((! qfile_exist(scData)) && (! qfile_mkdir(scData, S_IRWXU | S_IRGRP | S_IXGRP, true))) C("Unable to create path %s", scData);
8377 if ((! qfile_exist(scLog)) && (! qfile_mkdir(scLog, S_IRWXU | S_IRGRP | S_IXGRP, true))) C("Unable to create path %s", scLog); 8351 if ((! qfile_exist(scLog)) && (! qfile_mkdir(scLog, S_IRWXU | S_IRGRP | S_IXGRP, true))) C("Unable to create path %s", scLog);
8378 if ((! qfile_exist(scTemp)) && (! qfile_mkdir(scTemp, S_IRWXU | S_IRGRP | S_IXGRP, true))) C("Unable to create path %s", scTemp); 8352 if ((! qfile_exist(scTemp)) && (! qfile_mkdir(scTemp, S_IRWXU | S_IRGRP | S_IXGRP, true))) C("Unable to create path %s", scTemp);
@@ -8382,6 +8356,52 @@ Build the OpenSim.
8382 tmp = xmprintf("%s/users", scData); 8356 tmp = xmprintf("%s/users", scData);
8383 if ((! qfile_exist(tmp)) && (! qfile_mkdir(tmp, S_IRWXU | S_IRGRP | S_IXGRP, true))) C("Unable to create path %s", tmp); 8357 if ((! qfile_exist(tmp)) && (! qfile_mkdir(tmp, S_IRWXU | S_IRGRP | S_IXGRP, true))) C("Unable to create path %s", tmp);
8384 free(tmp); 8358 free(tmp);
8359 tmp = xmprintf("%s/db", scData);
8360 if ((! qfile_exist(tmp)) && (! qfile_mkdir(tmp, S_IRWXU | S_IRGRP | S_IXGRP, true))) C("Unable to create path %s", tmp);
8361 free(tmp);
8362
8363/* TODO - tighten up security.
8364Make sure correct permissions are set everywhere.
8365 sudo chown -R ${OS_USER}:${OS_USER} ${OS_PATH}
8366
8367Create the /opt/opensim-SC directory structure.
8368 AssetFiles/data Think OpenSim creates all the sub directories itself?
8369 AssetFiles/tmp/spool Think OpenSim creates all the sub directories itself?
8370 config/config.ini (move that etc/config.ini later)
8371. var/backups Copy examples/var/backups/*.IAR files, which are the newbie starter inventories.
8372. var/cache Think OpenSim creates all the sub directories itself?
8373. var/run HAS to be setup correctly BEFORE we try to start up tmux.
8374 web // Fill it with default web stuff from current -> example..
8375
8376*/
8377 I("Securing directories and files in %s.", scRoot);
8378 if (shellMeFail("chmod u=rw,go= %s/config/*.ini", scRoot)) C("Can't set proper permissions for %s/config*.ini", scRoot);
8379 if (shellMeFail("chmod u=rw,go= %s/config/ROBUST/*.ini", scRoot)) C("Can't set proper permissions for %s/config/ROBUST/*.ini", scRoot);
8380 if (shellMeFail("chmod u=rw,go= %s/.sledjChisl.conf.lua", scEtc)) C("Can't set proper permissions for %s/.sledjChisl.conf.lua", scEtc);
8381 if (shellMeFail("chmod ug+rw %s/config", scRoot)) C("Can't set proper permissions for %s/config", scRoot);
8382 if (shellMeFail("chmod g+s %s/config", scRoot)) C("Can't set proper permissions for %s/config", scRoot);
8383 if (shellMeFail("chmod u=rw,go= %s/config/*.ini", scRoot)) C("Can't set proper permissions for %s/config/*.ini", scRoot);
8384 if (shellMeFail("chmod u=rw,go= %s/config/ROBUST/*.ini", scRoot)) C("Can't set proper permissions for %s/configROBUST/*.ini", scRoot);
8385
8386 if (shellMeFail("chmod ug=rwx,o= %s/AssetFiles", scRoot)) C("Can't set proper permissions for %s/AssetFiles", scRoot);
8387 if (shellMeFail("chmod -fR ug=rw,o=,a+X %s", scBackup)) C("Can't set proper permissions for %s", scBackup);
8388 if (shellMeFail("chmod -fR a=r,ug=rw,a+X %s", scBin)) C("Can't set proper permissions for %s", scBin);
8389 if (shellMeFail("chmod -fR ug=rw,o=,a+X %s", scCache)) C("Can't set proper permissions for %s", scCache);
8390 if (shellMeFail("chmod ug=rwx,o= %s", scCache)) C("Can't set proper permissions for %s", scCache);
8391 if (shellMeFail("chmod -fR a=r,ug=rw,a+X %s", scData)) C("Can't set proper permissions for %s", scData);
8392 if (shellMeFail("chmod -fR a=r,ug=rw,a+X %s", scEtc)) C("Can't set proper permissions for %s", scEtc);
8393 if (shellMeFail("chmod u=rw,go= %s/.sledjChisl.conf.lua", scEtc)) C("Can't set proper permissions for %s/.sledjChisl.conf.lua", scEtc);
8394 if (shellMeFail("chmod g+s %s", scEtc)) C("Can't set proper permissions for %s", scEtc);
8395 if (shellMeFail("chmod a+x %s/*.shini", scEtc)) C("Can't set proper permissions for %s/*.shini", scEtc);
8396 if (shellMeFail("chmod -fR a=r,ug=rw,a+X %s", scLib)) C("Can't set proper permissions for %s", scLib);
8397 if (shellMeFail("chmod -fR a=r,ug=rw,a+X %s", scLog)) C("Can't set proper permissions for %s", scLog);
8398 if (shellMeFail("chmod -fR a=r,ug=rw,a+X %s", scTemp)) C("Can't set proper permissions for %s", scTemp);
8399
8400// if (shellMeFail("chmod -R a+x %s/current/*.sh", scRoot)) C("Can't set proper permissions for %s/current/*.sh", scRoot);
8401// if (shellMeFail("chmod -R a+x %s/current/scripts/*.sh", scRoot)) C("Can't set proper permissions for %s/current/scripts/*.sh", scRoot);
8402// if (shellMeFail("chmod -R a+x %s/current/scripts/install/*.sh", scRoot)) C("Can't set proper permissions for %s/current/scripts/install/*.sh", scRoot);
8403// if (shellMeFail("chmod a+x %s/current/scripts/show-console", scRoot)) C("Can't set proper permissions for %s/current/scripts/show-console", scRoot);
8404// if (shellMeFail("chmod a+x %s/current/scripts/start-sim", scRoot)) C("Can't set proper permissions for %s/current/scripts/start-sim", scRoot);
8385 8405
8386 char *newPath = xmprintf("%s/current/bin/sledjchisl", scRoot); 8406 char *newPath = xmprintf("%s/current/bin/sledjchisl", scRoot);
8387 tmp = xmprintf("%s/sledjchisl", scBin); 8407 tmp = xmprintf("%s/sledjchisl", scBin);