From 285ded67852fef8aa2aeec6f16d36bc593f121d5 Mon Sep 17 00:00:00 2001
From: rettenbe
Date: Fri, 6 Mar 2009 15:13:21 +0000
Subject: [PATCH] changing file permissions of /var/log/gosa-si-client.log, /etc/ldap/ldap-shell.conf, /var/run/gosa-si-client.opts, /var/log/fai/..., /var/lib/gosa-si/*.db*

git-svn-id: https://oss.gonicus.de/repositories/gosa/trunk@13507 594d385d-05f5-0310-b6e9-bd551577e9d8
---
gosa-si/client/events/corefunctions.pm | 804 +++++++++++++------------
gosa-si/gosa-si-client | 30 +-
gosa-si/gosa-si-server | 37 +-
gosa-si/modules/DBsqlite.pm | 2 +
gosa-si/server/events/clMessages.pm | 8 +-
5 files changed, 452 insertions(+), 429 deletions(-)

diff --git a/gosa-si/client/events/corefunctions.pm b/gosa-si/client/events/corefunctions.pm
index 7e19a8b18..fea4ffece 100644
--- a/gosa-si/client/events/corefunctions.pm
+++ b/gosa-si/client/events/corefunctions.pm
@@ -1,414 +1,414 @@ -package corefunctions; -use Exporter; -@ISA = qw(Exporter); -my @events = ( - "get_events", - "registered", - 'new_syslog_config', - "new_ntp_config", - "new_ldap_config", - "new_key", - "generate_hw_digest", # no implementations - "detect_hardware", - "confirm_new_key", - "ping", - "import_events", # no implementations - ); -@EXPORT = @events; - -use strict; -use warnings; -use Data::Dumper; -use Fcntl; -use GOSA::GosaSupportDaemon; -use File::Basename; - -my ($ldap_enabled, $offline_enabled, $ldap_config, $pam_config, $nss_config, $fai_logpath); - -my $chrony_file = "/etc/chrony/chrony.conf"; -my $syslog_file = "/etc/syslog.conf"; - -my %cfg_defaults = ( - "client" => { - "ldap" => [\$ldap_enabled, 1], - "offline-ldap" => [\$offline_enabled, 0], - "ldap-config" => [\$ldap_config, "/etc/ldap/ldap.conf"], - "pam-config" => [\$pam_config, "/etc/pam_ldap.conf"], - "nss-config" => [\$nss_config, "/etc/libnss-ldap.conf"], - "fai-logpath" => [\$fai_logpath, "/var/log/fai/fai.log"], - }, -); - -BEGIN {} - -END {} - -### Start ###################################################################### - -&main::read_configfile($main::cfg_file, %cfg_defaults); - - -my $server_address = $main::server_address; -my $server_key = $main::server_key; -my $client_mac_address = $main::client_mac_address; - -sub write_to_file { - my ($string, $file) = @_; - my $error = 0; - - if( not defined $file || not -f $file ) { - &main::daemon_log("ERROR: $0: check '-f file' failed: $file", 1); - $error++; - } - if( not defined $string || 0 == length($string)) { - &main::daemon_log("ERROR: $0: empty string to write to file '$file'", 1); - $error++; - } - - if( $error == 0 ) { - - chomp($string); - - if( not -f $file ) { - open (FILE, "$file"); - close(FILE); - } - open(FILE, ">> $file") or &main::daemon_log("ERROR in corefunctions.pm: can not open '$file' to write '$string'", 1);; - print FILE $string."\n"; - close(FILE); - } - - return; -} - - -sub get_events { - return 
\@events; -} - -sub daemon_log { - my ($msg, $level) = @_ ; - &main::daemon_log($msg, $level); - return; -} - -sub registered { - my ($msg, $msg_hash) = @_ ; - - my $header = @{$msg_hash->{'header'}}[0]; - if( $header eq "registered" ) { - my $source = @{$msg_hash->{'source'}}[0]; - &main::daemon_log("INFO: registration at $source", 1); - $main::server_address = $source; - } - - # set globaly variable client_address - my $target = @{$msg_hash->{'target'}}[0]; - $main::client_address = $target; - - # set registration_flag to true - my $out_hash = &create_xml_hash("registered", $main::client_address, $main::server_address); - # Write the MAC address to file - if(stat($main::opts_file)) { - unlink($main::opts_file); - } - - my $opts_file_FH; - my $hostname= $main::client_dnsname; - $hostname =~ s/\..*$//; - $hostname =~ tr/A-Z/a-z/; - open($opts_file_FH, ">$main::opts_file"); - print $opts_file_FH "MAC=\"$main::client_mac_address\"\n"; - print $opts_file_FH "IPADDRESS=\"$main::client_ip\"\n"; - print $opts_file_FH "HOSTNAME=\"$hostname\"\n"; - print $opts_file_FH "FQDN=\"$main::client_dnsname\"\n"; - if(defined(@{$msg_hash->{'ldap_available'}}) && - @{$msg_hash->{'ldap_available'}}[0] eq "true") { - print $opts_file_FH "LDAP_AVAILABLE=\"true\"\n"; - } - if(defined(@{$msg_hash->{'error'}})) { - my $errormsg= @{$msg_hash->{'error'}}[0]; - print $opts_file_FH "GOSA_SI_ERROR=\"$errormsg\"\n"; - &write_to_file($errormsg, $fai_logpath); - } - close($opts_file_FH); - - my $out_msg = &create_xml_string($out_hash); - return $out_msg; -} - -sub server_leaving { - my ($msg_hash) = @_ ; - my $source = @{$msg_hash->{'source'}}[0]; - my $header = @{$msg_hash->{'header'}}[0]; - - daemon_log("gosa-si-server $source is going down, cause registration procedure", 1); - $main::server_address = "none"; - $main::server_key = "none"; - - # reinitialization of default values in config file - &main::read_configfile; - - # registrated at new daemon - &main::register_at_server(); - - return; -} 
- - -## @method new_syslog_config -# Update or add syslog messages forwarding to specified syslog server. -# @param msg - STRING - xml message with tag server -# @param msg_hash - HASHREF - message information parsed into a hash -sub new_syslog_config { - my ($msg, $msg_hash) = @_ ; - - # Sanity check of incoming message - if ((not exists $msg_hash->{'server'}) || (not @{$msg_hash->{'server'}} == 1) ) { - &main::daemon_log("ERROR: 'new_syslog_config'-message does not contain a syslog server: $msg", 1); - return; - } - - # Fetch the new syslog server from incoming message - my $syslog_server = @{$msg_hash->{'server'}}[0]; - &main::daemon_log("INFO: found syslog server: ".join(", ", $syslog_server), 5); - my $found_server_flag = 0; - - # Sanity check of /etc/syslog.conf - if (not -f $syslog_file) { - &main::daemon_log("ERROR: file '$syslog_file' does not exist, cannot do syslog reconfiguration!", 1); - return; - } - - # Substitute existing server with new syslog server - open (FILE, "<$syslog_file"); - my @file = ; - close FILE; - my $syslog_server_line = "*.*\t@".$syslog_server."\n"; - foreach my $line (@file) { - if ($line =~ /^\*\.\*\s+@/) { - $line = $syslog_server_line; - $found_server_flag++; - } - } - - # Append new server if no old server configuration found - if (not $found_server_flag) { - push(@file, "\n#\n# syslog server configuration written by GOsa-si\n#\n"); - push(@file, $syslog_server_line); - } - - # Write changes to file and close it - open (FILE, "+>$syslog_file"); - print FILE join("", @file); - close FILE; - &main::daemon_log("INFO: wrote new configuration file: $syslog_file", 5); - - # Restart syslog deamon - my $res = qx(/etc/init.d/sysklogd restart); - &main::daemon_log("INFO: restart syslog daemon: $res", 5); - - return; -} - - -## @method new_ntp_config -# Updates the server options in /etc/chrony/chrony.conf and restarts the chrony service -# @param msg - STRING - xml message with tag server -# @param msg_hash - HASHREF - message 
information parsed into a hash -sub new_ntp_config { - my ($msg, $msg_hash) = @_ ; - - # Sanity check of incoming message - if ((not exists $msg_hash->{'server'}) || (not @{$msg_hash->{'server'}} >= 1) ) { - &main::daemon_log("ERROR: 'new_ntp_config'-message does not contain a ntp server: $msg", 1); - return; - } - - # Fetch the new ntp server from incoming message - my $ntp_servers = $msg_hash->{'server'}; - &main::daemon_log("INFO: found ntp server: ".join(", ", @$ntp_servers), 5); - my $ntp_servers_string = "server\t".join("\nserver\t", @$ntp_servers)."\n"; - my $found_server_flag = 0; - - # Sanity check of /etc/chrony/chrony.conf - if (not -f $chrony_file) { - &main::daemon_log("ERROR: file '$chrony_file' does not exist, cannot do ntp reconfiguration!", 1); - return; - } - - # Substitute existing server with new ntp server - open (FILE, "<$chrony_file"); - my @file = ; - close FILE; - my @new_file; - foreach my $line (@file) { - if ($line =~ /^server\s+/) { - if ($found_server_flag) { - $line =~ s/^server\s+[\S]+\s+$//; - } else { - $line =~ s/^server\s+[\S]+\s+$/$ntp_servers_string/; - } - $found_server_flag++; - } - push(@new_file, $line); - } + package corefunctions; + use Exporter; + @ISA = qw(Exporter); + my @events = ( + "get_events", + "registered", + 'new_syslog_config', + "new_ntp_config", + "new_ldap_config", + "new_key", + "generate_hw_digest", # no implementations + "detect_hardware", + "confirm_new_key", + "ping", + "import_events", # no implementations + ); + @EXPORT = @events; + + use strict; + use warnings; + use Data::Dumper; + use Fcntl; + use GOSA::GosaSupportDaemon; + use File::Basename; + + my ($ldap_enabled, $offline_enabled, $ldap_config, $pam_config, $nss_config, $fai_logpath); + + my $chrony_file = "/etc/chrony/chrony.conf"; + my $syslog_file = "/etc/syslog.conf"; + + my %cfg_defaults = ( + "client" => { + "ldap" => [\$ldap_enabled, 1], + "offline-ldap" => [\$offline_enabled, 0], + "ldap-config" => [\$ldap_config, 
"/etc/ldap/ldap.conf"], + "pam-config" => [\$pam_config, "/etc/pam_ldap.conf"], + "nss-config" => [\$nss_config, "/etc/libnss-ldap.conf"], + "fai-logpath" => [\$fai_logpath, "/var/log/fai/fai.log"], + }, + ); + + BEGIN {} + + END {} + + ### Start ###################################################################### + + &main::read_configfile($main::cfg_file, %cfg_defaults); + + + my $server_address = $main::server_address; + my $server_key = $main::server_key; + my $client_mac_address = $main::client_mac_address; + + sub write_to_file { + my ($string, $file) = @_; + my $error = 0; + + if( not defined $file || not -f $file ) { + &main::daemon_log("ERROR: $0: check '-f file' failed: $file", 1); + $error++; + } + if( not defined $string || 0 == length($string)) { + &main::daemon_log("ERROR: $0: empty string to write to file '$file'", 1); + $error++; + } + + if( $error == 0 ) { + + chomp($string); + + if( not -f $file ) { + open (FILE, "$file"); + close(FILE); + } + open(FILE, ">> $file") or &main::daemon_log("ERROR in corefunctions.pm: can not open '$file' to write '$string'", 1);; + print FILE $string."\n"; + close(FILE); + } + + return; + } - # Append new server if no old server configuration found - if (not $found_server_flag) { - push(@new_file, "\n# ntp server configuration written by GOsa-si\n"); - push(@new_file, $ntp_servers_string); - } - # Write changes to file and close it - open (FILE, ">$chrony_file"); - print FILE join("", @new_file); - close FILE; - &main::daemon_log("INFO: wrote new configuration file: $chrony_file", 5); + sub get_events { + return \@events; + } - # Restart chrony deamon - my $res = qx(/etc/init.d/chrony force-reload); - &main::daemon_log("INFO: restart chrony daemon: $res", 5); + sub daemon_log { + my ($msg, $level) = @_ ; + &main::daemon_log($msg, $level); + return; + } - return; -} + sub registered { + my ($msg, $msg_hash) = @_ ; + + my $header = @{$msg_hash->{'header'}}[0]; + if( $header eq "registered" ) { + my $source = 
@{$msg_hash->{'source'}}[0]; + &main::daemon_log("INFO: registration at $source", 1); + $main::server_address = $source; + } + + # set globaly variable client_address + my $target = @{$msg_hash->{'target'}}[0]; + $main::client_address = $target; + + # set registration_flag to true + my $out_hash = &create_xml_hash("registered", $main::client_address, $main::server_address); + # Write the MAC address to file + if(stat($main::opts_file)) { + unlink($main::opts_file); + } + + my $opts_file_FH; + my $hostname= $main::client_dnsname; + $hostname =~ s/\..*$//; + $hostname =~ tr/A-Z/a-z/; + sysopen($opts_file_FH, $main::opts_file, O_RDWR | O_CREAT | O_TRUNC , 0644); + print $opts_file_FH "MAC=\"$main::client_mac_address\"\n"; + print $opts_file_FH "IPADDRESS=\"$main::client_ip\"\n"; + print $opts_file_FH "HOSTNAME=\"$hostname\"\n"; + print $opts_file_FH "FQDN=\"$main::client_dnsname\"\n"; + if(defined(@{$msg_hash->{'ldap_available'}}) && + @{$msg_hash->{'ldap_available'}}[0] eq "true") { + print $opts_file_FH "LDAP_AVAILABLE=\"true\"\n"; + } + if(defined(@{$msg_hash->{'error'}})) { + my $errormsg= @{$msg_hash->{'error'}}[0]; + print $opts_file_FH "GOSA_SI_ERROR=\"$errormsg\"\n"; + &write_to_file($errormsg, $fai_logpath); + } + close($opts_file_FH); + + my $out_msg = &create_xml_string($out_hash); + return $out_msg; + } + sub server_leaving { + my ($msg_hash) = @_ ; + my $source = @{$msg_hash->{'source'}}[0]; + my $header = @{$msg_hash->{'header'}}[0]; + + daemon_log("gosa-si-server $source is going down, cause registration procedure", 1); + $main::server_address = "none"; + $main::server_key = "none"; + + # reinitialization of default values in config file + &main::read_configfile; + + # registrated at new daemon + &main::register_at_server(); + + return; + } -sub new_ldap_config { - my ($msg, $msg_hash) = @_ ; - if( $ldap_enabled != 1 ) { - return; - } + ## @method new_syslog_config + # Update or add syslog messages forwarding to specified syslog server. 
+ # @param msg - STRING - xml message with tag server + # @param msg_hash - HASHREF - message information parsed into a hash + sub new_syslog_config { + my ($msg, $msg_hash) = @_ ; + + # Sanity check of incoming message + if ((not exists $msg_hash->{'server'}) || (not @{$msg_hash->{'server'}} == 1) ) { + &main::daemon_log("ERROR: 'new_syslog_config'-message does not contain a syslog server: $msg", 1); + return; + } + + # Fetch the new syslog server from incoming message + my $syslog_server = @{$msg_hash->{'server'}}[0]; + &main::daemon_log("INFO: found syslog server: ".join(", ", $syslog_server), 5); + my $found_server_flag = 0; + + # Sanity check of /etc/syslog.conf + if (not -f $syslog_file) { + &main::daemon_log("ERROR: file '$syslog_file' does not exist, cannot do syslog reconfiguration!", 1); + return; + } + + # Substitute existing server with new syslog server + open (FILE, "<$syslog_file"); + my @file = ; + close FILE; + my $syslog_server_line = "*.*\t@".$syslog_server."\n"; + foreach my $line (@file) { + if ($line =~ /^\*\.\*\s+@/) { + $line = $syslog_server_line; + $found_server_flag++; + } + } + + # Append new server if no old server configuration found + if (not $found_server_flag) { + push(@file, "\n#\n# syslog server configuration written by GOsa-si\n#\n"); + push(@file, $syslog_server_line); + } + + # Write changes to file and close it + open (FILE, "+>$syslog_file"); + print FILE join("", @file); + close FILE; + &main::daemon_log("INFO: wrote new configuration file: $syslog_file", 5); + + # Restart syslog deamon + my $res = qx(/etc/init.d/sysklogd restart); + &main::daemon_log("INFO: restart syslog daemon: $res", 5); + + return; + } - my $element; - my @ldap_uris; - my $ldap_base; - my @ldap_options; - my @pam_options; - my @nss_options; - my $goto_admin; - my $goto_secret; - my $admin_base= ""; - my $department= ""; - my $release= ""; - my $unit_tag; - - # Transform input into array - while ( my ($key, $value) = each(%$msg_hash) ) { - if ($key =~ 
/^(source|target|header)$/) { - next; - } - - foreach $element (@$value) { - if ($key =~ /^ldap_uri$/) { - push (@ldap_uris, $element); - next; - } - if ($key =~ /^ldap_base$/) { - $ldap_base= $element; - next; - } - if ($key =~ /^goto_admin$/) { - $goto_admin= $element; - next; - } - if ($key =~ /^goto_secret$/) { - $goto_secret= $element; - next; - } - if ($key =~ /^ldap_cfg$/) { - push (@ldap_options, "$element"); - next; - } - if ($key =~ /^pam_cfg$/) { - push (@pam_options, "$element"); - next; - } - if ($key =~ /^nss_cfg$/) { - push (@nss_options, "$element"); - next; - } - if ($key =~ /^admin_base$/) { - $admin_base= $element; - next; - } - if ($key =~ /^department$/) { - $department= $element; - next; - } - if ($key =~ /^unit_tag$/) { - $unit_tag= $element; - next; - } - if ($key =~ /^release$/) { - $release= $element; - next; - } - } - } - # Unit tagging enabled? - if (defined $unit_tag){ - push (@pam_options, "pam_filter gosaUnitTag=$unit_tag"); - push (@nss_options, "nss_base_passwd $admin_base?sub?gosaUnitTag=$unit_tag"); - push (@nss_options, "nss_base_group $admin_base?sub?gosaUnitTag=$unit_tag"); - } + ## @method new_ntp_config + # Updates the server options in /etc/chrony/chrony.conf and restarts the chrony service + # @param msg - STRING - xml message with tag server + # @param msg_hash - HASHREF - message information parsed into a hash + sub new_ntp_config { + my ($msg, $msg_hash) = @_ ; + + # Sanity check of incoming message + if ((not exists $msg_hash->{'server'}) || (not @{$msg_hash->{'server'}} >= 1) ) { + &main::daemon_log("ERROR: 'new_ntp_config'-message does not contain a ntp server: $msg", 1); + return; + } + + # Fetch the new ntp server from incoming message + my $ntp_servers = $msg_hash->{'server'}; + &main::daemon_log("INFO: found ntp server: ".join(", ", @$ntp_servers), 5); + my $ntp_servers_string = "server\t".join("\nserver\t", @$ntp_servers)."\n"; + my $found_server_flag = 0; + + # Sanity check of /etc/chrony/chrony.conf + if (not 
-f $chrony_file) { + &main::daemon_log("ERROR: file '$chrony_file' does not exist, cannot do ntp reconfiguration!", 1); + return; + } + + # Substitute existing server with new ntp server + open (FILE, "<$chrony_file"); + my @file = ; + close FILE; + my @new_file; + foreach my $line (@file) { + if ($line =~ /^server\s+/) { + if ($found_server_flag) { + $line =~ s/^server\s+[\S]+\s+$//; + } else { + $line =~ s/^server\s+[\S]+\s+$/$ntp_servers_string/; + } + $found_server_flag++; + } + push(@new_file, $line); + } + + # Append new server if no old server configuration found + if (not $found_server_flag) { + push(@new_file, "\n# ntp server configuration written by GOsa-si\n"); + push(@new_file, $ntp_servers_string); + } + + # Write changes to file and close it + open (FILE, ">$chrony_file"); + print FILE join("", @new_file); + close FILE; + &main::daemon_log("INFO: wrote new configuration file: $chrony_file", 5); + + # Restart chrony deamon + my $res = qx(/etc/init.d/chrony force-reload); + &main::daemon_log("INFO: restart chrony daemon: $res", 5); + + return; + } - # Setup ldap.conf - my $file1; - my $file2; - open(file1, "> $ldap_config"); - print file1 "# This file was automatically generated by gosa-si-client. Do not change.\n"; - print file1 "URI"; - foreach $element (@ldap_uris) { - print file1 " $element"; - } - print file1 "\nBASE $ldap_base\n"; - foreach $element (@ldap_options) { - print file1 "$element\n"; - } - close (file1); - daemon_log("wrote $ldap_config", 5); - - # Setup pam_ldap.conf / libnss-ldap.conf - open(file1, "> $pam_config"); - open(file2, "> $nss_config"); - print file1 "# This file was automatically generated by gosa-si-client. Do not change.\n"; - print file2 "# This file was automatically generated by gosa-si-client. 
Do not change.\n"; - print file1 "uri"; - print file2 "uri"; - foreach $element (@ldap_uris) { - print file1 " $element"; - print file2 " $element"; - } - print file1 "\nbase $ldap_base\n"; - print file2 "\nbase $ldap_base\n"; - foreach $element (@pam_options) { - print file1 "$element\n"; - } - foreach $element (@nss_options) { - print file2 "$element\n"; - } - close (file2); - daemon_log("wrote $nss_config", 5); - close (file1); - daemon_log("wrote $pam_config", 5); - - # Create goto.secrets if told so - for compatibility reasons - if (defined $goto_admin){ - open(file1, "> /etc/goto/secret"); - close(file1); - chown(0,0, "/etc/goto/secret"); - chmod(0600, "/etc/goto/secret"); - open(file1, "> /etc/goto/secret"); - print file1 "GOTOADMIN=\"$goto_admin\"\nGOTOSECRET=\"$goto_secret\"\n"; - close(file1); - daemon_log("wrote /etc/goto/secret", 5); - } - # Write shell based config - my $cfg_name= "/etc/ldap/ldap-shell.conf"; + sub new_ldap_config { + my ($msg, $msg_hash) = @_ ; + + if( $ldap_enabled != 1 ) { + return; + } + + my $element; + my @ldap_uris; + my $ldap_base; + my @ldap_options; + my @pam_options; + my @nss_options; + my $goto_admin; + my $goto_secret; + my $admin_base= ""; + my $department= ""; + my $release= ""; + my $unit_tag; + + # Transform input into array + while ( my ($key, $value) = each(%$msg_hash) ) { + if ($key =~ /^(source|target|header)$/) { + next; + } + + foreach $element (@$value) { + if ($key =~ /^ldap_uri$/) { + push (@ldap_uris, $element); + next; + } + if ($key =~ /^ldap_base$/) { + $ldap_base= $element; + next; + } + if ($key =~ /^goto_admin$/) { + $goto_admin= $element; + next; + } + if ($key =~ /^goto_secret$/) { + $goto_secret= $element; + next; + } + if ($key =~ /^ldap_cfg$/) { + push (@ldap_options, "$element"); + next; + } + if ($key =~ /^pam_cfg$/) { + push (@pam_options, "$element"); + next; + } + if ($key =~ /^nss_cfg$/) { + push (@nss_options, "$element"); + next; + } + if ($key =~ /^admin_base$/) { + $admin_base= $element; 
+ next; + } + if ($key =~ /^department$/) { + $department= $element; + next; + } + if ($key =~ /^unit_tag$/) { + $unit_tag= $element; + next; + } + if ($key =~ /^release$/) { + $release= $element; + next; + } + } + } + + # Unit tagging enabled? + if (defined $unit_tag){ + push (@pam_options, "pam_filter gosaUnitTag=$unit_tag"); + push (@nss_options, "nss_base_passwd $admin_base?sub?gosaUnitTag=$unit_tag"); + push (@nss_options, "nss_base_group $admin_base?sub?gosaUnitTag=$unit_tag"); + } + + # Setup ldap.conf + my $file1; + my $file2; + open(file1, "> $ldap_config"); + print file1 "# This file was automatically generated by gosa-si-client. Do not change.\n"; + print file1 "URI"; + foreach $element (@ldap_uris) { + print file1 " $element"; + } + print file1 "\nBASE $ldap_base\n"; + foreach $element (@ldap_options) { + print file1 "$element\n"; + } + close (file1); + daemon_log("wrote $ldap_config", 5); + + # Setup pam_ldap.conf / libnss-ldap.conf + open(file1, "> $pam_config"); + open(file2, "> $nss_config"); + print file1 "# This file was automatically generated by gosa-si-client. Do not change.\n"; + print file2 "# This file was automatically generated by gosa-si-client. 
Do not change.\n"; + print file1 "uri"; + print file2 "uri"; + foreach $element (@ldap_uris) { + print file1 " $element"; + print file2 " $element"; + } + print file1 "\nbase $ldap_base\n"; + print file2 "\nbase $ldap_base\n"; + foreach $element (@pam_options) { + print file1 "$element\n"; + } + foreach $element (@nss_options) { + print file2 "$element\n"; + } + close (file2); + daemon_log("wrote $nss_config", 5); + close (file1); + daemon_log("wrote $pam_config", 5); + + # Create goto.secrets if told so - for compatibility reasons + if (defined $goto_admin){ + open(file1, "> /etc/goto/secret"); + close(file1); + chown(0,0, "/etc/goto/secret"); + chmod(0600, "/etc/goto/secret"); + open(file1, "> /etc/goto/secret"); + print file1 "GOTOADMIN=\"$goto_admin\"\nGOTOSECRET=\"$goto_secret\"\n"; + close(file1); + daemon_log("wrote /etc/goto/secret", 5); + } + + # Write shell based config + my $cfg_name= "/etc/ldap/ldap-shell.conf"; # Get first LDAP server my $ldap_server= $ldap_uris[0]; @@ -444,6 +444,10 @@ sub new_ldap_config { daemon_log("wrote $cfg_name", 5); } + # Set permissions and ownership structure of + chown(0, 0, $cfg_name); + chmod(0600, $cfg_name); + return; } diff --git a/gosa-si/gosa-si-client b/gosa-si/gosa-si-client index 94b7c66f1..cf352ac42 100755 --- a/gosa-si/gosa-si-client +++ b/gosa-si/gosa-si-client @@ -38,6 +38,7 @@ use MIME::Base64; use XML::Simple; use File::Basename; use File::Spec; +use Fcntl; # Workaround: need pure perl to make it work with UTF-8 :-( $XML::Simple::PREFERRED_PARSER= "XML::SAX::PurePerl"; @@ -51,6 +52,7 @@ use lib "/usr/lib/gosa-si/client/events"; my (%cfg_defaults, $foreground, $verbose, $pid_file, $procid, $pid, $log_file, $fai_logpath); my ($server_ip, $server_port, $server_timeout, $server_domain, $server_key_lifetime); my ($client_port, $ldap_enabled, $ldap_config, $pam_config, $nss_config); +my ($root_uid, $adm_gid); my $xml; my $event_hash; my $default_server_key; 
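Review bot: In `registered`, the result of the new `sysopen($opts_file_FH, $main::opts_file, O_RDWR | O_CREAT | O_TRUNC , 0644)` is never checked, so when the create fails the following `print $opts_file_FH ...` calls go to an unopened handle and the options file is simply missing. Since the function unlinks the file immediately before, `O_EXCL` fits and makes the create fail rather than follow a link or reuse a file that appeared in between: `sysopen($opts_file_FH, $main::opts_file, O_WRONLY | O_CREAT | O_EXCL, 0644) or &main::daemon_log("ERROR: cannot create $main::opts_file: $!", 1);`, with the writes skipped on failure. `$errormsg` comes from the incoming message and is written unescaped as `GOSA_SI_ERROR="$errormsg"`; if this KEY="value" file is later sourced by a shell (not visible here), quotes, backticks and `$` in the value should be stripped or escaped first. Apart from the `sysopen` line this hunk appears to be a whitespace-only re-indent of the file.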
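Review bot: The added `chown(0, 0, $cfg_name); chmod(0600, $cfg_name);` in `new_ldap_config` runs only after the shell config has been written and closed, so a newly created file carries umask-default permissions until this point, and an existing one keeps its old mode while the new content is already in place. Creating the file with its final mode, as this commit does for the opts file, closes that interval; the `open` that creates `$cfg_name` lies above this hunk and would become something like `sysopen(my $cfg_fh, $cfg_name, O_WRONLY | O_CREAT | O_TRUNC, 0600)`, keeping the `chmod` for files that already exist. Neither return value is checked, so a failed `chmod` leaves the file readable without any log entry. The new comment `# Set permissions and ownership structure of` stops mid-sentence and should name `$cfg_name`.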
@@ -234,11 +236,17 @@ sub daemon_log { if(not defined $msg) { return } if(not defined $level) { $level = 1 } if(defined $log_file){ - open(LOG_HANDLE, ">>$log_file"); - if(not defined open( LOG_HANDLE, ">>$log_file" )) { - print STDERR "cannot open $log_file: $!"; - return - } + my $open_log_fh = sysopen(LOG_HANDLE, $log_file, O_WRONLY | O_CREAT | O_APPEND , 0440); + if(not $open_log_fh) { + print STDERR "cannot open $log_file: $!"; + return; + } + # check owner and group of log_file and update settings if necessary + my ($dev, $ino, $mode, $nlink, $uid, $gid, $rdev, $size, $atime, $mtime, $ctime, $blksize, $blocks) = stat($log_file); + if((not $uid eq $root_uid) || (not $gid eq $adm_gid)) { + chown($root_uid, $adm_gid, $log_file); + } + chomp($msg); if($level <= $verbose){ my ($seconds, $minutes, $hours, $monthday, $month, @@ -1121,12 +1129,12 @@ if ($client_headURL =~ /\/tag\// || $client_status = "developmental" ; } -# Prepare log file -my $root_uid = getpwnam('root'); -my $adm_gid = getgrnam('adm'); -chmod(0640, $log_file); -chown($root_uid, $adm_gid, $log_file); - +# Determine root uid and adm gid, used for creating log files +$root_uid = getpwnam('root'); +$adm_gid = getgrnam('adm'); +if(not defined $adm_gid){ + $adm_gid = getgrnam('root'); +} daemon_log(" ", 1); daemon_log("$prg started!", 1); diff --git a/gosa-si/gosa-si-server b/gosa-si/gosa-si-server index 3864ad237..8043358cc 100755 --- a/gosa-si/gosa-si-server +++ b/gosa-si/gosa-si-server 
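Review bot: The ownership check added to `daemon_log` works on the path (`stat($log_file)`, `chown(..., $log_file)`) instead of on the handle that was just opened, and it repeats on every log call. Perl accepts a filehandle for both, so `my ($uid, $gid) = (stat(LOG_HANDLE))[4,5];` and `chown($root_uid, $adm_gid, \*LOG_HANDLE)` act on the file actually being written and drop the eleven unused stat fields. The comparisons `$uid eq $root_uid` and `$gid eq $adm_gid` are string compares on numeric ids and should use `!=`. The same block is added to `daemon_log` in gosa-si-server. The `0440` mode only applies when `sysopen` creates the file, so in the client, where this commit removes the startup `chmod`, an existing log keeps whatever mode it had.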
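Review bot: `$root_uid` and `$adm_gid` are assigned only here, late in startup, while `daemon_log` now reads them on every call; any log call made before this point (not visible in this hunk) compares against undef and hands undef to `chown`, which Perl numifies to 0. The fallback `getgrnam('root')` can itself return undef on a system without a `root` group, with the same effect. Assigning both ids before the first `daemon_log` call, or guarding the new chown with `if (defined $root_uid && defined $adm_gid)`, keeps the ownership fix from silently falling back to uid and gid 0.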
@@ -324,11 +324,17 @@ sub daemon_log { if(not defined $msg) { return } if(not defined $level) { $level = 1 } if(defined $log_file){ - open(LOG_HANDLE, ">>$log_file"); - if(not defined open( LOG_HANDLE, ">>$log_file" )) { + my $open_log_fh = sysopen(LOG_HANDLE, $log_file, O_WRONLY | O_CREAT | O_APPEND , 0440); + if(not $open_log_fh) { print STDERR "cannot open $log_file: $!"; - return + return; + } + # check owner and group of log_file and update settings if necessary + my ($dev, $ino, $mode, $nlink, $uid, $gid, $rdev, $size, $atime, $mtime, $ctime, $blksize, $blocks) = stat($log_file); + if((not $uid eq $root_uid) || (not $gid eq $adm_gid)) { + chown($root_uid, $adm_gid, $log_file); } + chomp($msg); #$msg =~s/\n//g; # no newlines are allowed in log messages, this is important for later log parsing if($level <= $verbose){ @@ -3238,11 +3244,12 @@ if ($server_headURL =~ /\/tag\// || } else { $server_status = "developmental" ; } - -# Prepare log file +# Prepare log file and set permissions $root_uid = getpwnam('root'); $adm_gid = getgrnam('adm'); -chmod(0640, $log_file); +open(FH, ">>$log_file"); +close FH; +chmod(0440, $log_file); chown($root_uid, $adm_gid, $log_file); chown($root_uid, $adm_gid, "/var/lib/gosa-si"); 
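Review bot: `daemon_log` in gosa-si-server now uses `O_WRONLY`, `O_CREAT` and `O_APPEND`, but unlike gosa-si-client this file's diff adds no `use Fcntl;`. If the server does not already import those constants (for instance because it imports only the `:flock` tag), they are barewords: under `use strict` the script will not compile, and without it they evaluate as strings and the open flags are wrong. Confirm the existing import or add `use Fcntl;` next to the other `use` lines.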
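Review bot: The log file is created here with a two-argument `open(FH, ">>$log_file")` on a bareword handle whose result is ignored, and its mode is only tightened afterwards by `chmod(0440, $log_file)`. Creating it with the intended mode in one step matches what `daemon_log` now does and removes the umask-default interval: `sysopen(my $fh, $log_file, O_WRONLY | O_CREAT | O_APPEND, 0440) or print STDERR "cannot open $log_file: $!\n";`, keeping the `chmod` for a log that already exists. The `chmod` and `chown` calls that follow, including the one on `/var/lib/gosa-si`, also ignore failures; reporting them would make a mis-owned log or database directory visible at startup.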
@@ -3293,56 +3300,56 @@ daemon_log($server_status_hash->{$server_status}.": $server_revision", 1); # connect to gosa-si job queue unlink($job_queue_file_name); ## just for debugging $job_db = GOSA::DBsqlite->new($job_queue_file_name); - chmod(0660, $job_queue_file_name); + chmod(0640, $job_queue_file_name); chown($root_uid, $adm_gid, $job_queue_file_name); # connect to known_clients_db unlink($known_clients_file_name); ## just for debugging $known_clients_db = GOSA::DBsqlite->new($known_clients_file_name); - chmod(0660, $known_clients_file_name); + chmod(0640, $known_clients_file_name); chown($root_uid, $adm_gid, $known_clients_file_name); # connect to foreign_clients_db unlink($foreign_clients_file_name); $foreign_clients_db = GOSA::DBsqlite->new($foreign_clients_file_name); - chmod(0660, $foreign_clients_file_name); + chmod(0640, $foreign_clients_file_name); chown($root_uid, $adm_gid, $foreign_clients_file_name); # connect to known_server_db unlink($known_server_file_name); $known_server_db = GOSA::DBsqlite->new($known_server_file_name); - chmod(0660, $known_server_file_name); + chmod(0640, $known_server_file_name); chown($root_uid, $adm_gid, $known_server_file_name); # connect to login_usr_db unlink($login_users_file_name); $login_users_db = GOSA::DBsqlite->new($login_users_file_name); - chmod(0660, $login_users_file_name); + chmod(0640, $login_users_file_name); chown($root_uid, $adm_gid, $login_users_file_name); # connect to fai_server_db unlink($fai_server_file_name); $fai_server_db = GOSA::DBsqlite->new($fai_server_file_name); - chmod(0660, $fai_server_file_name); + chmod(0640, $fai_server_file_name); chown($root_uid, $adm_gid, $fai_server_file_name); # connect to fai_release_db unlink($fai_release_file_name); $fai_release_db = GOSA::DBsqlite->new($fai_release_file_name); - chmod(0660, $fai_release_file_name); + chmod(0640, $fai_release_file_name); chown($root_uid, $adm_gid, $fai_release_file_name); # connect to packages_list_db 
#unlink($packages_list_file_name); unlink($packages_list_under_construction); $packages_list_db = GOSA::DBsqlite->new($packages_list_file_name); - chmod(0660, $packages_list_file_name); + chmod(0640, $packages_list_file_name); chown($root_uid, $adm_gid, $packages_list_file_name); # connect to messaging_db unlink($messaging_file_name); $messaging_db = GOSA::DBsqlite->new($messaging_file_name); - chmod(0660, $messaging_file_name); + chmod(0640, $messaging_file_name); chown($root_uid, $adm_gid, $messaging_file_name); } } diff --git a/gosa-si/modules/DBsqlite.pm b/gosa-si/modules/DBsqlite.pm index c9ebc440f..375111658 100644 --- a/gosa-si/modules/DBsqlite.pm +++ b/gosa-si/modules/DBsqlite.pm @@ -43,6 +43,8 @@ sub lock { open($self->{db_lock_handle}, ">>".($self->{db_lock})) unless ref $self->{db_lock_handle}; flock($self->{db_lock_handle},LOCK_EX); seek($self->{db_lock_handle}, 0, 2); + chown($main::root_uid, $main::adm_gid, $self->{db_lock_handle}); + chmod(0640, $self->{db_lock_handle}); } diff --git a/gosa-si/server/events/clMessages.pm b/gosa-si/server/events/clMessages.pm index 0d3344db5..8e2301738 100644 --- a/gosa-si/server/events/clMessages.pm +++ b/gosa-si/server/events/clMessages.pm @@ -101,9 +101,11 @@ sub save_fai_log { my ($log_file, $log_string) = split(":", $log); my $client_fai_log_file = File::Spec->catfile( $client_fai_log_dir, $log_file); - open(my $LOG_FILE, ">$client_fai_log_file"); - print $LOG_FILE &decode_base64($log_string); - close($LOG_FILE); + open(my $LOG_FILE, ">$client_fai_log_file"); + print $LOG_FILE &decode_base64($log_string); + close($LOG_FILE); + chown($main::root_uid, $main::adm_gid, $client_fai_log_file); + chmod(0440, $client_fai_log_file); } return; -- 2.30.2
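Review bot: Each database file gets `chmod(0640, ...)` only after `GOSA::DBsqlite->new(...)` returns, so from creation until that call the file carries whatever the process umask allows, and any journal or temporary files SQLite places next to it are never covered by these lines. Calling `umask(0027);` once before the first `GOSA::DBsqlite->new` gives every file created in this block the restrictive mode from the start; the explicit `chmod` lines can stay for files that already exist. The return values of `chmod` and `chown` are ignored throughout, so if a file does not exist yet at that point (presumably possible if the module creates it lazily) the call fails without any log entry and the tightening never happens.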
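Review bot: `$main::root_uid` and `$main::adm_gid` in `lock` name package variables, but gosa-si-client declares them in this commit with `my ($root_uid, $adm_gid);`, and the server's declaration is not part of this diff. If they are lexicals in the server too, both values are undef here and `chown` numifies them to 0, so the lock file ends up owned by uid and gid 0 instead of root:adm, with only a warning. Declaring them with `our` in the main script, or passing the ids into the module, makes this reliable; the same applies to the `chown` added to `save_fai_log` in clMessages.pm. The two calls also run on every `lock()`, after an `open` whose result is not checked; doing them once where the handle is first opened would be enough.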
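Review bot: In `save_fai_log`, `$log_file` comes from `split(":", $log)` on what looks like client-supplied data and is joined to `$client_fai_log_dir` without any check, so a name containing `/` or `..` would put the write outside that directory. Accept only plain file names before building the path, for example `next unless $log_file =~ /\A[A-Za-z0-9_-][A-Za-z0-9._-]*\z/;` if this runs inside a loop (the enclosing block starts outside this hunk), and use a checked three-argument `open(my $LOG_FILE, '>', $client_fai_log_file)`. The added `chmod(0440, ...)` comes after the content is written; creating the file with `sysopen` and mode `0440` would apply the restriction from the first byte. The function starts and ends outside this hunk.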