From e81a1fc79d0b0f8707d55cd853b3094402b12f1c Mon Sep 17 00:00:00 2001
From: Tony Murray
Date: Tue, 18 Sep 2018 14:58:47 -0500
Subject: [PATCH] Updated file permissions check for validate (#9218)
Always post generic full fix commands. Use chmod instead of setfacl in case the filesystem doesn't support acls. DO NOT DELETE THIS TEXT #### Please note > Please read this information carefully. You can run `./scripts/pre-commit.php` to check your code before submitting. - [x] Have you followed our [code guidelines?](http://docs.librenms.org/Developing/Code-Guidelines/) #### Testers If you would like to test this pull request then please run: `./scripts/github-apply `, i.e `./scripts/github-apply 5926` After you are done testing, you can remove the changes with `./scripts/github-remove`. If there are schema changes, you can ask on discord how to revert.
---
 LibreNMS/Validations/User.php | 43 ++++++++++++++++++++---------------
 logs/.gitignore | 0
 rrd/.gitignore | 0
 3 files changed, 25 insertions(+), 18 deletions(-)
 mode change 100644 => 100755 logs/.gitignore
 mode change 100644 => 100755 rrd/.gitignore
diff --git a/LibreNMS/Validations/User.php b/LibreNMS/Validations/User.php
index c9efbfa4b6..a6c73caf0a 100644
--- a/LibreNMS/Validations/User.php
+++ b/LibreNMS/Validations/User.php
@@ -63,6 +63,12 @@ class User extends BaseValidation
 // Let's test the user configured if we have it
 if (Config::has('user')) {
 $dir = Config::get('install_dir');
+
+ // generic fix
+ $fix = "sudo chown -R $lnms_username:$lnms_groupname $dir\n" .
+ "sudo setfacl -d -m g::rwx $dir/rrd $dir/logs $dir/bootstrap/cache/ $dir/storage/\n" .
+ "sudo chmod -R ug=rwX $dir/rrd $dir/logs $dir/bootstrap/cache/ $dir/storage/\n";
+
 $find_result = rtrim(`find $dir \! -user $lnms_username -o \! -group $lnms_groupname 2> /dev/null`);
 if (!empty($find_result)) {
 // Ignore files created by the webserver
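Review bot: The new `$fix` text hard-codes `$dir/rrd` and `$dir/logs`, while the permission check added later in this patch reads `Config::get('rrd_dir')` and `Config::get('log_dir')`, so on an install with relocated data directories the printed commands would not touch the folders that failed the check. The values are also interpolated unquoted into commands the operator is told to run under `sudo`, so an install path containing a space would make `chown -R` and `chmod -R` act on unintended paths; passing each path through `escapeshellarg()` when building the string avoids that. The commit message says chmod replaces setfacl, yet the `setfacl -d -m g::rwx` line is still emitted, so a comment such as `// setfacl may fail on filesystems without ACL support; the chmod line is the fallback` would make the intent clear. The enclosing method starts and ends outside this hunk.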
@@ -90,31 +96,32 @@ class User extends BaseValidation
 "We have found some files that are owned by a different user than $lnms_username, this " .
 'will stop you updating automatically and / or rrd files being updated causing graphs to fail.'
 )
- ->setFix("chown -R $lnms_username:$lnms_groupname $dir")
+ ->setFix($fix)
 ->setList('Files', $files);
 $validator->result($result);
+ return;
 }
 }
+
+ // check folder permissions
+ $folders = [
+ 'rrd' => Config::get('rrd_dir'),
+ 'log' => Config::get('log_dir'),
+ 'bootstrap' => "$dir/bootstrap/cache/",
+ 'storage' => "$dir/storage/",
+ 'cache' => "$dir/storage/framework/cache/",
+ 'sessions' => "$dir/storage/framework/sessions/",
+ 'views' => "$dir/storage/framework/views/",
+ ];
+
+ $folders_string = implode(' ', $folders);
+ $incorrect = exec("find $folders_string -group $lnms_groupname ! -perm -g=w");
+ if (!empty($incorrect)) {
+ $validator->fail("Some folders have incorrect file permissions", $fix);
+ }
 } else {
 $validator->warn("You don't have \$config['user'] set, this most likely needs to be set to librenms");
 }
-
- // check permissions
- $folders = [
- 'rrd' => Config::get('rrd_dir'),
- 'log' => Config::get('log_dir'),
- 'bootstrap' => "$dir/bootstrap/cache/",
- 'storage' => "$dir/storage/",
- 'cache' => "$dir/storage/framework/cache/",
- 'sessions' => "$dir/storage/framework/sessions/",
- 'views' => "$dir/storage/framework/views/",
- ];
-
- foreach ($folders as $name => $folder) {
- if (!check_file_permissions($folder, '660')) {
- $validator->fail("The $name folder has improper permissions.", "chmod ug+rw $folder");
- }
- }
 }
 }
diff --git a/logs/.gitignore b/logs/.gitignore
old mode 100644
new mode 100755
diff --git a/rrd/.gitignore b/rrd/.gitignore
old mode 100644
new mode 100755
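Review bot: The added `exec("find $folders_string -group $lnms_groupname ! -perm -g=w")` builds a shell command from configuration values (`rrd_dir`, `log_dir`, the install directory and the group name) without `escapeshellarg()`, and it ignores find's exit status and stderr. A configured path containing a space or shell metacharacter is then interpreted by the shell, and a missing or unreadable folder yields empty stdout, so the validation passes where it should fail. I would quote the arguments and check the status: `$folders_string = implode(' ', array_map('escapeshellarg', $folders));` and `exec("find $folders_string -group " . escapeshellarg($lnms_groupname) . " ! -perm -g=w", $output, $rc);`, failing when `$rc !== 0 || !empty($output)`. The test also only matches entries already in group `$lnms_groupname`, which appears to rely on the ownership check above having returned early; a one-line comment saying so would help the next reader. The enclosing method begins outside the hunk.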