From 2ebb95d6d31132814e4392ffdc04bd17bb105176 Mon Sep 17 00:00:00 2001 From: onefang Date: Fri, 20 Aug 2021 00:28:15 +1000 Subject: Make sure permisions and files aor correct on sledjchisl startup. --- src/sledjchisl/sledjchisl.c | 126 +++++++++++++++++++++++++------------------- 1 file changed, 73 insertions(+), 53 deletions(-) (limited to 'src/sledjchisl') diff --git a/src/sledjchisl/sledjchisl.c b/src/sledjchisl/sledjchisl.c index e4c4359..d82b7e1 100644 --- a/src/sledjchisl/sledjchisl.c +++ b/src/sledjchisl/sledjchisl.c @@ -8141,22 +8141,6 @@ Deal with the user. sudo adduser --system --shell /bin/bash --group ${OS_USER} sudo addgroup ${USER} ${OS_USER} -Create the /opt/opensim-SC directory structure. - We do most of that below anyway. - AssetFiles/data Think OpenSim creates all the sub directories itself? - AssetFiles/tmp/spool Think OpenSim creates all the sub directories itself? - bin - config/config.ini (move that etc/config.ini later) - etc - tmp - var/backups Copy examples/var/backups/*.IAR files, which are the newbie starter inventories. - var/cache Think OpenSim creates all the sub directories itself? - var/lib/db - var/lib/users - var/log - var/run HAS to be setup correctly BEFORE we try to start up tmux. - web // Fill it with default web stuff from current -> example.. - Copy the tmux config to user's homes. Copy this version of opensim-SC to /opt/opensim-SC, and make the current symlink to it. @@ -8164,32 +8148,6 @@ Copy this version of opensim-SC to /opt/opensim-SC, and make the current symlink Copy correct config/config.ini to there. Put new database credentials in config/config.ini -Make sure correct permissions are set everywhere. - sudo chmod 600 ${OS_PATH}/config/*.ini - sudo chmod 600 ${OS_PATH}/config/ROBUST/*.ini - sudo chown -R ${OS_USER}:${OS_USER} ${OS_PATH} - sudo chmod -R 775 ${OS_PATH} - sudo chmod -R a-x ${OS_PATH} - sudo chmod -R a+X ${OS_PATH} - sudo chmod -R g+w ${OS_PATH} - sudo chmod -R a+x ${OS_PATH}/current/*.sh - sudo chmod -R a+x ${OS_PATH}/current/scripts/*.sh - sudo chmod -R a+x ${OS_PATH}/current/scripts/install/*.sh - sudo chmod a+x ${OS_PATH}/current/scripts/show-console - sudo chmod a+x ${OS_PATH}/current/scripts/start-sim - - sudo chmod ug+rwx ${OS_PATH}/config - sudo chmod g+s ${OS_PATH}/config - sudo chmod 600 ${OS_PATH}/config/*.ini - sudo chmod 600 ${OS_PATH}/config/ROBUST/*.ini - sudo chmod ug+rwx ${OS_PATH}/etc - sudo chmod g+s ${OS_PATH}/etc - sudo chmod a+x ${OS_PATH}/config/*.shini - - chmod ug+rwx ${OS_PATH}/var/cache - chmod o-rwx ${OS_PATH}/var/cache - chmod g+s ${OS_PATH}/var/cache - Build the OpenSim. */ @@ -8247,13 +8205,36 @@ Build the OpenSim. scTemp = xmprintf("%s%s/tmp", slsh, scRoot); } +// A bit chicken and egg here. +// We need to be the correct user to set the correct perms on the scRun directory +// But we wont be the correct user until we run tmux as that user. +// The path to sledjchisl.socket needs to be readable by the www-data group. So the FCGI socket will work. +// AND it needs to be group sticky on opensimsc group. So the tmux socket will work. +// Put both in scRun, and make it other readable? +// No idea of the SECURITY HOLE that might cause. + if(!qfile_exist(scRun)) + { + W("Creating the proper %s directory.", scRun); + if (shellMeFail("sudo -Hu %s mkdir -p %s", scUser, scRun)) + { + C("Can't make the %s directory.", scRun); + goto finished; + } + else + { + if (shellMeFail("sudo -Hu %s chmod 2755 %s", scUser, scRun)) + { + C("Can't set proper permissions for the %s directory.", scRun); + goto finished; + } + } + } if (!isWeb) { //////////////////////////////////////////////////////////////////////////////////////////////////// // Figure out what and where we are. //////////////////////////////////////////////////////////////////////////////////////////////////// -// TODO - still a bit chicken and egg here about the tmux socket and reading configs from scEtc /.sledjChisl.conf.lua I("Outputting to a terminal, not a web server."); // Check if we are already running inside the proper tmux server. char *eTMUX = getenv("TMUX"); @@ -8329,6 +8310,9 @@ Build the OpenSim. //////////////////////////////////////////////////////////////////////////////////////////////////// // Sort out directories, part 2 //////////////////////////////////////////////////////////////////////////////////////////////////// + +// TODO - only do this if in start mode. + // Doing this here coz at this point we should be the correct user. /* From man 7 inode - S_ISUID 04000 set-user-ID bit @@ -8362,17 +8346,7 @@ Build the OpenSim. if ((! qfile_exist(scEtc)) && (! qfile_mkdir(scEtc, S_IRWXU | S_IRGRP | S_IXGRP, true))) C("Unable to create path %s", scEtc); if ((! qfile_exist(scLib)) && (! qfile_mkdir(scLib, S_IRWXU | S_IRGRP | S_IXGRP, true))) C("Unable to create path %s", scLib); if ((! qfile_exist(scBackup)) && (! qfile_mkdir(scBackup, S_IRWXU | S_IRGRP | S_IXGRP, true))) C("Unable to create path %s", scBackup); -// TODO - the path to sledjchisl.socket needs to be readable by the www-data group. So the FCGI socket will work. -// AND it needs to be group sticky on opensimsc group. So the tmux socket will work. -// So currently scCache is www-data readable, and scRun is group sticky. -// Our big problem here is that opensimsc can't set group on it's own directories to www-data if it's not in that group. -// And that's the only reason we need access to that group. -// Put both in scRun, and make it other readable? -// No idea of the SECURITY HOLE that might cause. -// DAMMIT! chicken and egg, scRun has to exist before tmux runs, so it can create the socket in there, -// but we can't create it until tmux runs. if ((! qfile_exist(scCache)) && (! qfile_mkdir(scCache, S_IRWXU | S_IRGRP | S_IXGRP, true))) C("Unable to create path %s", scCache); -// if ((! qfile_exist(scRun)) && (! qfile_mkdir(scRun, S_IRWXU | S_IRWXG | S_IROTH | S_IXOTH | S_ISGID, true))) C("Unable to create path %s", scRun); if ((! qfile_exist(scData)) && (! qfile_mkdir(scData, S_IRWXU | S_IRGRP | S_IXGRP, true))) C("Unable to create path %s", scData); if ((! qfile_exist(scLog)) && (! qfile_mkdir(scLog, S_IRWXU | S_IRGRP | S_IXGRP, true))) C("Unable to create path %s", scLog); if ((! qfile_exist(scTemp)) && (! qfile_mkdir(scTemp, S_IRWXU | S_IRGRP | S_IXGRP, true))) C("Unable to create path %s", scTemp); @@ -8382,6 +8356,52 @@ Build the OpenSim. tmp = xmprintf("%s/users", scData); if ((! qfile_exist(tmp)) && (! qfile_mkdir(tmp, S_IRWXU | S_IRGRP | S_IXGRP, true))) C("Unable to create path %s", tmp); free(tmp); + tmp = xmprintf("%s/db", scData); + if ((! qfile_exist(tmp)) && (! qfile_mkdir(tmp, S_IRWXU | S_IRGRP | S_IXGRP, true))) C("Unable to create path %s", tmp); + free(tmp); + +/* TODO - tighten up security. +Make sure correct permissions are set everywhere. + sudo chown -R ${OS_USER}:${OS_USER} ${OS_PATH} + +Create the /opt/opensim-SC directory structure. + AssetFiles/data Think OpenSim creates all the sub directories itself? + AssetFiles/tmp/spool Think OpenSim creates all the sub directories itself? + config/config.ini (move that etc/config.ini later) +. var/backups Copy examples/var/backups/*.IAR files, which are the newbie starter inventories. +. var/cache Think OpenSim creates all the sub directories itself? +. var/run HAS to be setup correctly BEFORE we try to start up tmux. + web // Fill it with default web stuff from current -> example.. + +*/ + I("Securing directories and files in %s.", scRoot); + if (shellMeFail("chmod u=rw,go= %s/config/*.ini", scRoot)) C("Can't set proper permissions for %s/config*.ini", scRoot); + if (shellMeFail("chmod u=rw,go= %s/config/ROBUST/*.ini", scRoot)) C("Can't set proper permissions for %s/config/ROBUST/*.ini", scRoot); + if (shellMeFail("chmod u=rw,go= %s/.sledjChisl.conf.lua", scEtc)) C("Can't set proper permissions for %s/.sledjChisl.conf.lua", scEtc); + if (shellMeFail("chmod ug+rw %s/config", scRoot)) C("Can't set proper permissions for %s/config", scRoot); + if (shellMeFail("chmod g+s %s/config", scRoot)) C("Can't set proper permissions for %s/config", scRoot); + if (shellMeFail("chmod u=rw,go= %s/config/*.ini", scRoot)) C("Can't set proper permissions for %s/config/*.ini", scRoot); + if (shellMeFail("chmod u=rw,go= %s/config/ROBUST/*.ini", scRoot)) C("Can't set proper permissions for %s/configROBUST/*.ini", scRoot); + + if (shellMeFail("chmod ug=rwx,o= %s/AssetFiles", scRoot)) C("Can't set proper permissions for %s/AssetFiles", scRoot); + if (shellMeFail("chmod -fR ug=rw,o=,a+X %s", scBackup)) C("Can't set proper permissions for %s", scBackup); + if (shellMeFail("chmod -fR a=r,ug=rw,a+X %s", scBin)) C("Can't set proper permissions for %s", scBin); + if (shellMeFail("chmod -fR ug=rw,o=,a+X %s", scCache)) C("Can't set proper permissions for %s", scCache); + if (shellMeFail("chmod ug=rwx,o= %s", scCache)) C("Can't set proper permissions for %s", scCache); + if (shellMeFail("chmod -fR a=r,ug=rw,a+X %s", scData)) C("Can't set proper permissions for %s", scData); + if (shellMeFail("chmod -fR a=r,ug=rw,a+X %s", scEtc)) C("Can't set proper permissions for %s", scEtc); + if (shellMeFail("chmod u=rw,go= %s/.sledjChisl.conf.lua", scEtc)) C("Can't set proper permissions for %s/.sledjChisl.conf.lua", scEtc); + if (shellMeFail("chmod g+s %s", scEtc)) C("Can't set proper permissions for %s", scEtc); + if (shellMeFail("chmod a+x %s/*.shini", scEtc)) C("Can't set proper permissions for %s/*.shini", scEtc); + if (shellMeFail("chmod -fR a=r,ug=rw,a+X %s", scLib)) C("Can't set proper permissions for %s", scLib); + if (shellMeFail("chmod -fR a=r,ug=rw,a+X %s", scLog)) C("Can't set proper permissions for %s", scLog); + if (shellMeFail("chmod -fR a=r,ug=rw,a+X %s", scTemp)) C("Can't set proper permissions for %s", scTemp); + +// if (shellMeFail("chmod -R a+x %s/current/*.sh", scRoot)) C("Can't set proper permissions for %s/current/*.sh", scRoot); +// if (shellMeFail("chmod -R a+x %s/current/scripts/*.sh", scRoot)) C("Can't set proper permissions for %s/current/scripts/*.sh", scRoot); +// if (shellMeFail("chmod -R a+x %s/current/scripts/install/*.sh", scRoot)) C("Can't set proper permissions for %s/current/scripts/install/*.sh", scRoot); +// if (shellMeFail("chmod a+x %s/current/scripts/show-console", scRoot)) C("Can't set proper permissions for %s/current/scripts/show-console", scRoot); +// if (shellMeFail("chmod a+x %s/current/scripts/start-sim", scRoot)) C("Can't set proper permissions for %s/current/scripts/start-sim", scRoot); char *newPath = xmprintf("%s/current/bin/sledjchisl", scRoot); tmp = xmprintf("%s/sledjchisl", scBin); -- cgit v1.1