From 3027bed4016b9d3d0d0d0aec7e39619c6e108022 Mon Sep 17 00:00:00 2001
From: Xavier Guimard
Date: Mon, 1 Nov 2010 10:14:54 +0000
Subject: [PATCH] lmConfigEditor is no longer launchable as root
---
 build/lemonldap-ng/Makefile | 16 +++++-
 .../example/scripts/lmConfigEditor | 57 ++++++++++++-------
 2 files changed, 50 insertions(+), 23 deletions(-)
diff --git a/build/lemonldap-ng/Makefile b/build/lemonldap-ng/Makefile
index 349488c4c..0b3bd620d 100644
--- a/build/lemonldap-ng/Makefile
+++ b/build/lemonldap-ng/Makefile
@@ -224,6 +224,16 @@ install_bin: install_conf_dir
 		${SRCCOMMONDIR}/scripts/lmMigrateConfFiles2ini \
 		${SRCMANAGERDIR}/example/scripts/lmConfigEditor \
 		$(RBINDIR)
+	@if [ ! "$(APACHEUSER)" ]; then \
+		$(PERL) -i -pe 's#__APACHEUSER__#nobody#g;' $(RBINDIR)/lmConfigEditor; \
+	else \
+		$(PERL) -i -pe 's#__APACHEUSER__#$(APACHEUSER)#g;' $(RBINDIR)/lmConfigEditor; \
+	fi
+	@if [ ! "$(APACHEGROUP)" ]; then \
+		$(PERL) -i -pe 's#__APACHEGROUP__#nobody#g;' $(RBINDIR)/lmConfigEditor; \
+	else \
+		$(PERL) -i -pe 's#__APACHEGROUP__#$(APACHEGROUP)#g;' $(RBINDIR)/lmConfigEditor; \
+	fi
 	@chmod +x $(RBINDIR)/*
 #
@@ -327,7 +337,7 @@ install_portal_site: install_conf_dir
 	# Cron files
 	@cp --remove-destination lemonldap-ng-portal/example/scripts/purgeCentralCache.cron.d $(RCRONDIR)/lemonldap-ng-portal
 	@if [ ! "$(APACHEUSER)" ]; then \
-		$(PERL) -i -pe 's#__APACHEUSER__#root#g;' $(RCRONDIR)/lemonldap-ng-portal; \
+		$(PERL) -i -pe 's#__APACHEUSER__#nobody#g;' $(RCRONDIR)/lemonldap-ng-portal; \
 	else \
 		$(PERL) -i -pe 's#__APACHEUSER__#$(APACHEUSER)#g;' $(RCRONDIR)/lemonldap-ng-portal; \
 	fi
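Review bot: The fallback group written into lmConfigEditor when `APACHEGROUP` is unset is `nobody`, but a group of that name does not exist on every distribution (Debian-based systems pair the `nobody` user with the `nogroup` group), so the installed script's `getgrnam` lookup would return nothing and the privilege drop would run with an undefined gid; deriving the default group from the default user's primary group, or requiring `APACHEGROUP` whenever `APACHEUSER` is given, would close that gap. The same user default is now duplicated in three `if`/`else` recipe blocks (here, `install_portal_site`, and `install_handler_site` in the next hunk); if GNU make is assumed, a single `$(or $(APACHEUSER),nobody)` expansion would replace all three. The values are also interpolated unescaped into the `s#...#...#g` replacement, so a user or group name containing `#`, `$` or `@` would break the substitution — unlikely for account names, but worth a comment such as `# APACHEUSER/APACHEGROUP are inserted verbatim into a perl s### replacement`.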
@@ -344,7 +354,7 @@ install_handler_site: install_conf_dir
 	@cp --remove-destination ${SRCHANDLERDIR}/example/MyUpdateCookieHandler.pm ${RHANDLERDIR}
 	@cp --remove-destination lemonldap-ng-handler/example/scripts/purgeLocalCache.cron.d $(RCRONDIR)/lemonldap-ng-handler
 	@if [ ! "$(APACHEUSER)" ]; then \
-		$(PERL) -i -pe 's#__APACHEUSER__#root#g;' $(RCRONDIR)/lemonldap-ng-handler; \
+		$(PERL) -i -pe 's#__APACHEUSER__#nobody#g;' $(RCRONDIR)/lemonldap-ng-handler; \
 	else \
 		$(PERL) -i -pe 's#__APACHEUSER__#$(APACHEUSER)#g;' $(RCRONDIR)/lemonldap-ng-handler; \
 	fi
@@ -576,6 +586,7 @@ debian-diff:
 	@$(DIFF) lemonldap-ng-manager/lib/Lemonldap/NG/Manager.pm $(DIFFPREFIX)/usr/share/perl5/Lemonldap/NG/Manager.pm ||true
 	@$(DIFF) lemonldap-ng-manager/example/index.pl $(DIFFPREFIX)/var/lib/lemonldap-ng/manager/index.pl ||true
 	@$(DIFF) lemonldap-ng-manager/example/sessions.pl $(DIFFPREFIX)/var/lib/lemonldap-ng/manager/sessions.pl ||true
+	@$(DIFF) lemonldap-ng-manager/example/scripts/lmConfigEditor $(DIFFPREFIX)/usr/share/lemonldap-ng/bin/lmConfigEditor ||true
 	@for i in $(MANAGERSKINS); do \
 		$(DIFF) -x 'jquery*' lemonldap-ng-manager/example/skins/$$i $(DIFFPREFIX)/usr/share/lemonldap-ng/manager-skins/$$i; \
 	done ||true
@@ -607,6 +618,7 @@ default-diff:
 	@$(DIFF) lemonldap-ng-manager/example/skins $(LMPREFIX)/htdocs/manager/skins ||true
 	@$(DIFF) lemonldap-ng-manager/example/index.pl $(LMPREFIX)/htdocs/manager/index.pl ||true
 	@$(DIFF) lemonldap-ng-manager/example/sessions.pl $(LMPREFIX)/htdocs/manager/sessions.pl ||true
+	@$(DIFF) lemonldap-ng-manager/example/scripts/lmConfigEditor $(LMPREFIX)/bin/lmConfigEditor ||true
 tidy: clean
 	find lemon*/ -type f \( -name '*.pm' -or -name '*.pl' -or -name '*.t' \) -print -exec perltidy -b {} \;
diff --git a/modules/lemonldap-ng-manager/example/scripts/lmConfigEditor b/modules/lemonldap-ng-manager/example/scripts/lmConfigEditor
index 86bff4be0..b9d7dedf9 100644
--- a/modules/lemonldap-ng-manager/example/scripts/lmConfigEditor
+++ b/modules/lemonldap-ng-manager/example/scripts/lmConfigEditor
@@ -3,17 +3,32 @@
 use Lemonldap::NG::Common::Conf;
 use Lemonldap::NG::Common::Conf::Constants;
 use Data::Dumper;
+use POSIX;
 use strict;
-our $refFile = `mktemp`;
+our $refFile = `mktemp`;
 our $editFile = `mktemp`;
 chomp $refFile;
 chomp $editFile;
+eval {
+    POSIX::setgid( ( getgrnam('__APACHEUSER__') )[2] );
+    POSIX::setuid( ( getpwnam('__APACHEGROUP__') )[2] );
+    print STDERR "Running as $>\n";
+};
+
+if ( $> == 0 ) {
+    print STDERR
+      "$0 must not be launched as root since local cache can be corrupted\n"
+      . "Continue (y/N)? ";
+    my $res = ;
+    exit 1 unless ( $res =~ /^y/i );
+}
+
 my $conf = Lemonldap::NG::Common::Conf->new();
-open F1, ">$refFile" or quit($!);
+open F1, ">$refFile" or quit($!);
 open F2, ">$editFile" or quit($!);
 my $tmp = $conf->getConf();
 delete $tmp->{reVHosts};
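Review bot: The privilege drop in the new `eval` block hands the placeholders to the wrong lookups — `getgrnam('__APACHEUSER__')` receives the user name and `getpwnam('__APACHEGROUP__')` the group name, while the Makefile hunk substitutes them the other way round — so the drop only works when both names happen to exist as both a user and a group. Its failure is also silent: `POSIX::setgid` and `POSIX::setuid` return false instead of dying, so the `eval` traps nothing, a failed lookup yields `undef` (passed on as gid/uid 0, which root can set), and the script falls through to the `$> == 0` prompt, which still lets the operator continue as root. The IDs should be resolved first and checked for definedness, each set call checked with `or die "...: $!"`, and the drop attempted only when actually running as root, since an unprivileged run under some other account would otherwise fail the same way; assigning `$) = "$gid $gid"` instead of `POSIX::setgid` would additionally clear root's supplementary groups. Separately, `my $res = ;` reads as a filehandle lost by the page rendering (presumably `<STDIN>`); if the file really has it empty, that line is a syntax error.
```perl
# … unchanged: use lines, temp file creation …
my $gid = ( getgrnam('__APACHEGROUP__') )[2];
my $uid = ( getpwnam('__APACHEUSER__') )[2];
die "Cannot resolve Apache user/group (__APACHEUSER__/__APACHEGROUP__)\n"
  unless defined $uid and defined $gid;
if ( $> == 0 ) {
    # group first: once the uid is dropped, setgid is no longer permitted
    POSIX::setgid($gid) or die "setgid($gid) failed: $!\n";
    POSIX::setuid($uid) or die "setuid($uid) failed: $!\n";
    print STDERR "Running as $>\n";
}
# … unchanged: root prompt, Conf->new, temp file opens …
```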
@@ -26,36 +41,36 @@ close F2;
 system "editor $editFile";
-if(`diff $refFile $editFile`) {
+if (`diff $refFile $editFile`) {
     my $VAR1;
     my $buf;
     open F1, $editFile;
-    while() {
+    while () {
         $buf .= $_;
     }
     eval $buf;
-    quit($@) if($@);
+    quit($@) if ($@);
     my $res = $conf->saveConf($VAR1);
-    if( $res > 0) {
+    if ( $res > 0 ) {
         print STDERR "Configuration $res saved\n";
     }
     else {
         print STDERR "Configuration was not saved:\n ";
-        if( $res == CONFIG_WAS_CHANGED ) {
-            print STDERR "Configuration has changed\n";
-        }
-        elsif( $res == DATABASE_LOCKED ) {
-            print STDERR "Configuration database is or can nor be locked\n";
-        }
-        elsif( $res == UPLOAD_DENIED ) {
-            print STDERR "You're not authorized to save this configuration\n";
-        }
-        elsif( $res == SYNTAX_ERROR ) {
-            print STDERR "Syntax error in your configuration\n";
-        }
-        elsif( $res == UNKNOWN_ERROR ) {
-            print STDERR "Unknown error\n";
-        }
+        if ( $res == CONFIG_WAS_CHANGED ) {
+            print STDERR "Configuration has changed\n";
+        }
+        elsif ( $res == DATABASE_LOCKED ) {
+            print STDERR "Configuration database is or can nor be locked\n";
+        }
+        elsif ( $res == UPLOAD_DENIED ) {
+            print STDERR "You're not authorized to save this configuration\n";
+        }
+        elsif ( $res == SYNTAX_ERROR ) {
+            print STDERR "Syntax error in your configuration\n";
+        }
+        elsif ( $res == UNKNOWN_ERROR ) {
+            print STDERR "Unknown error\n";
+        }
     }
 }
 else {