aboutsummaryrefslogtreecommitdiffstatshomepage
diff options
context:
space:
mode:
-rw-r--r--src/sledjchisl/sledjchisl.c75
1 files changed, 55 insertions, 20 deletions
diff --git a/src/sledjchisl/sledjchisl.c b/src/sledjchisl/sledjchisl.c
index 850a0c7..05e35a9 100644
--- a/src/sledjchisl/sledjchisl.c
+++ b/src/sledjchisl/sledjchisl.c
@@ -7652,24 +7652,57 @@ jit library is loaded or the JIT compiler will not be activated.
7652// Sort out directories, part 2 7652// Sort out directories, part 2
7653//////////////////////////////////////////////////////////////////////////////////////////////////// 7653////////////////////////////////////////////////////////////////////////////////////////////////////
7654 // Doing this here coz at this point we should be the correct user. 7654 // Doing this here coz at this point we should be the correct user.
7655 I("Making directories in %s.", scRoot); 7655 /* From man 7 inode -
7656 if ((! qfile_exist(scBin)) && (! qfile_mkdir(scBin, S_IRUSR | S_IWUSR | S_IXUSR | S_IRGRP | S_IXGRP, true))) C("Unable to create path %s", scBin); 7656 S_ISUID 04000 set-user-ID bit
7657 if ((! qfile_exist(scEtc)) && (! qfile_mkdir(scEtc, S_IRUSR | S_IWUSR | S_IXUSR | S_IRGRP | S_IXGRP, true))) C("Unable to create path %s", scEtc); 7657 S_ISGID 02000 set-group-ID bit (see below)
7658 if ((! qfile_exist(scLib)) && (! qfile_mkdir(scLib, S_IRUSR | S_IWUSR | S_IXUSR | S_IRGRP | S_IXGRP, true))) C("Unable to create path %s", scLib); 7658 S_ISVTX 01000 sticky bit (see below)
7659 if ((! qfile_exist(scRun)) && (! qfile_mkdir(scRun, S_IRUSR | S_IWUSR | S_IXUSR | S_IRGRP | S_IWGRP | S_IXGRP | S_ISGID, true))) C("Unable to create path %s", scRun); 7659
7660 if ((! qfile_exist(scBackup)) && (! qfile_mkdir(scBackup, S_IRUSR | S_IWUSR | S_IXUSR | S_IRGRP | S_IXGRP, true))) C("Unable to create path %s", scBackup); 7660 S_IRWXU 00700 owner has read, write, and execute permission
7661// TODO - the path to scCache/sledjchisl.socket needs to be readable by the www-data group. So the FCGI socket will work. 7661 S_IRUSR 00400 owner has read permission
7662// AND it needs to be group sticky on opensimsc group. So the tmux socket will work. 7662 S_IWUSR 00200 owner has write permission
7663 S_IXUSR 00100 owner has execute permission
7664
7665 S_IRWXG 00070 group has read, write, and execute permission
7666 S_IRGRP 00040 group has read permission
7667 S_IWGRP 00020 group has write permission
7668 S_IXGRP 00010 group has execute permission
7669
7670 S_IRWXO 00007 others (not in group) have read, write, and execute permission
7671 S_IROTH 00004 others have read permission
7672 S_IWOTH 00002 others have write permission
7673 S_IXOTH 00001 others have execute permission
7674
7675 The set-group-ID bit (S_ISGID) has several special uses. For a directory, it indicates that BSD semantics is to be used for that directory: files created there inherit their group
7676 ID from the directory, not from the effective group ID of the creating process, and directories created there will also get the S_ISGID bit set. For a file that does not have the
7677 group execution bit (S_IXGRP) set, the set-group-ID bit indicates mandatory file/record locking.
7678
7679 The sticky bit (S_ISVTX) on a directory means that a file in that directory can be renamed or deleted only by the owner of the file, by the owner of the directory,
7680 and by a privileged process
7681 */
7682 V("Making directories in %s.", scRoot);
7683 if ((! qfile_exist(scBin)) && (! qfile_mkdir(scBin, S_IRWXU | S_IRGRP | S_IXGRP, true))) C("Unable to create path %s", scBin);
7684 if ((! qfile_exist(scEtc)) && (! qfile_mkdir(scEtc, S_IRWXU | S_IRGRP | S_IXGRP, true))) C("Unable to create path %s", scEtc);
7685 if ((! qfile_exist(scLib)) && (! qfile_mkdir(scLib, S_IRWXU | S_IRGRP | S_IXGRP, true))) C("Unable to create path %s", scLib);
7686 if ((! qfile_exist(scBackup)) && (! qfile_mkdir(scBackup, S_IRWXU | S_IRGRP | S_IXGRP, true))) C("Unable to create path %s", scBackup);
7687// TODO - the path to sledjchisl.socket needs to be readable by the www-data group. So the FCGI socket will work.
7688// AND it needs to be group sticky on opensimsc group. So the tmux socket will work.
7663// So currently scCache is www-data readable, and scRun is group sticky. 7689// So currently scCache is www-data readable, and scRun is group sticky.
7664 if ((! qfile_exist(scCache)) && (! qfile_mkdir(scCache, S_IRUSR | S_IWUSR | S_IXUSR | S_IRGRP | S_IXGRP, true))) C("Unable to create path %s", scCache); 7690// Our big problem here is that opensimsc can't set group on it's own directories to www-data if it's not in that group.
7665 if ((! qfile_exist(scData)) && (! qfile_mkdir(scData, S_IRUSR | S_IWUSR | S_IXUSR | S_IRGRP | S_IXGRP, true))) C("Unable to create path %s", scData); 7691// And that's the only reason we need access to that group.
7666 if ((! qfile_exist(scLog)) && (! qfile_mkdir(scLog, S_IRUSR | S_IWUSR | S_IXUSR | S_IRGRP | S_IXGRP, true))) C("Unable to create path %s", scLog); 7692// Put both in scRun, and make it other readable?
7667 if ((! qfile_exist(scTemp)) && (! qfile_mkdir(scTemp, S_IRUSR | S_IWUSR | S_IXUSR | S_IRGRP | S_IXGRP, true))) C("Unable to create path %s", scTemp); 7693// No idea of the SECURITY HOLE that might cause.
7694// DAMMIT! chicken and egg, scRun has to exist before tmux runs, so it can create the socket in there,
7695// but we can't create it until tmux runs.
7696 if ((! qfile_exist(scCache)) && (! qfile_mkdir(scCache, S_IRWXU | S_IRGRP | S_IXGRP, true))) C("Unable to create path %s", scCache);
7697// if ((! qfile_exist(scRun)) && (! qfile_mkdir(scRun, S_IRWXU | S_IRWXG | S_IROTH | S_IXOTH | S_ISGID, true))) C("Unable to create path %s", scRun);
7698 if ((! qfile_exist(scData)) && (! qfile_mkdir(scData, S_IRWXU | S_IRGRP | S_IXGRP, true))) C("Unable to create path %s", scData);
7699 if ((! qfile_exist(scLog)) && (! qfile_mkdir(scLog, S_IRWXU | S_IRGRP | S_IXGRP, true))) C("Unable to create path %s", scLog);
7700 if ((! qfile_exist(scTemp)) && (! qfile_mkdir(scTemp, S_IRWXU | S_IRGRP | S_IXGRP, true))) C("Unable to create path %s", scTemp);
7668 tmp = xmprintf("%s/sessions", scCache); 7701 tmp = xmprintf("%s/sessions", scCache);
7669 if ((! qfile_exist(tmp)) && (! qfile_mkdir(tmp, S_IRUSR | S_IWUSR | S_IXUSR | S_IRGRP | S_IXGRP, true))) C("Unable to create path %s", tmp); 7702 if ((! qfile_exist(tmp)) && (! qfile_mkdir(tmp, S_IRWXU | S_IRGRP | S_IXGRP, true))) C("Unable to create path %s", tmp);
7670 free(tmp); 7703 free(tmp);
7671 tmp = xmprintf("%s/users", scData); 7704 tmp = xmprintf("%s/users", scData);
7672 if ((! qfile_exist(tmp)) && (! qfile_mkdir(tmp, S_IRUSR | S_IWUSR | S_IXUSR | S_IRGRP | S_IXGRP, true))) C("Unable to create path %s", tmp); 7705 if ((! qfile_exist(tmp)) && (! qfile_mkdir(tmp, S_IRWXU | S_IRGRP | S_IXGRP, true))) C("Unable to create path %s", tmp);
7673 free(tmp); 7706 free(tmp);
7674 7707
7675 char *newPath = xmprintf("%s/current/bin/sledjchisl", scRoot); 7708 char *newPath = xmprintf("%s/current/bin/sledjchisl", scRoot);
@@ -7901,12 +7934,14 @@ jit library is loaded or the JIT compiler will not be activated.
7901 { 7934 {
7902 if (checkSimIsRunning("ROBUST") && (NULL == ourSims->target)) 7935 if (checkSimIsRunning("ROBUST") && (NULL == ourSims->target))
7903 { 7936 {
7904 // TODO - remove this once we handle the fcgi stuff ourselves. 7937 // TODO - remove this once we handle the fcgi stuff ourselves.
7905 I("Starting the web stuff."); 7938 I("Starting the web stuff.");
7906 char *c = xmprintf("spawn-fcgi -n -u %s -s %s/sledjchisl.socket -M 0660 -G www-data -- /usr/bin/valgrind --leak-check=full sledjchisl", 7939 // Make the FCGI socket world read / write, coz we can't set it to group www-data, since -G only works for root, and we ain't root.
7907 scUser, scCache, scRoot); 7940 // TODO - BIG SECURITY HOLE???
7908 sendTmuxCmd(Ttab, c); 7941 char *c = xmprintf("spawn-fcgi -n -u %s -s %s/sledjchisl.socket -M 0666 -G www-data -- /usr/bin/valgrind --leak-check=full sledjchisl",
7909 free(c); 7942 scUser, scRun, scRoot);
7943 sendTmuxCmd(Ttab, c);
7944 free(c);
7910 } 7945 }
7911 else 7946 else
7912 I("NOT Starting the web stuff."); 7947 I("NOT Starting the web stuff.");