Simplify and rationalise log permissions

Move similar calls into one place, change the directory to have setgid as setuid is ignored. Use python handlers instead of shells. Allow users in the 'adm' group to read all log files and start lava-server manage commands. Drop recursive mode and permission operations, use glob to act on all log files. Change-Id: I563b08a2cacfb6cf6fa4a213deaddb48b30e7c4d
author: Neil Williams <neil.williams@linaro.org> 2018-07-19 08:44:08 +0100
committer: Remi Duraffort <remi.duraffort@linaro.org> 2018-07-20 09:29:40 +0000
commit: d54b739187afaede745486d484324878fa6b4f95 (patch)
tree: 0bc74f130414c57967007774abb0a1c2e19048ef
parent: 839a14d07878687fd5af09aecc67c13820375789 (diff)
1 files changed, 39 insertions, 42 deletions
diff --git a/share/postinst.py b/share/postinst.py
index 960f5253b..d716b0f2e 100755
--- a/share/postinst.py
+++ b/share/postinst.py
@@ -19,13 +19,12 @@
 #  along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 import contextlib
-import django
 import os
 import psycopg2
 import pwd
 import random
 import shutil
-import stat
+import glob
 import subprocess
 import sys
 
@@ -46,19 +45,21 @@ LAVA_DB_SERVER = "localhost"
 def psql_run(cmd_list, failure_msg):
     uid = pwd.getpwnam('postgres')[2]
     os.seteuid(uid)
-    run(cmd_list, failure_msg)
+    ret = run(cmd_list, failure_msg)
     uid = pwd.getpwnam('root')[2]
     os.seteuid(uid)
+    return ret
 
 
 def run(cmd_list, failure_msg):
     print(" ".join(cmd_list))
     try:
-        subprocess.check_call(cmd_list)
+        ret = subprocess.check_call(cmd_list)
     except subprocess.CalledProcessError:
         print(failure_msg)
         # all failures are fatal during setup
         sys.exit(1)
+    return ret
 
 
 def db_setup(config, pg_admin_username, pg_admin_password):
@@ -80,8 +81,8 @@ def db_setup(config, pg_admin_username, pg_admin_password):
 
     try:
         cursor.execute("CREATE ROLE %s NOSUPERUSER NOCREATEDB NOCREATEROLE INHERIT LOGIN ENCRYPTED PASSWORD '%s'" % (config.LAVA_DB_USER, config.LAVA_DB_PASSWORD))
-    except psycopg2.ProgrammingError:
-        print("LAVA db user password not set in db")
+    except psycopg2.ProgrammingError as exc:
+        print(exc)
 
     cursor.execute("SELECT EXISTS(SELECT * FROM information_schema.tables WHERE table_name='%s')" % config.LAVA_DB_NAME)
     db_existed_before = cursor.fetchone()[0]
@@ -89,8 +90,8 @@ def db_setup(config, pg_admin_username, pg_admin_password):
     if not db_existed_before:
         try:
             cursor.execute("CREATE DATABASE \"%s\" LC_CTYPE 'C.UTF-8' ENCODING 'UTF-8' OWNER \"%s\" TEMPLATE template0" % (config.LAVA_DB_NAME, config.LAVA_DB_USER))
-        except psycopg2.ProgrammingError as e:
-            print(e)
+        except psycopg2.ProgrammingError as exc:
+            print(exc)
 
     conn = psycopg2.connect("dbname='%s' user='%s' host='%s' password='%s' connect_timeout=5" % (
         config.LAVA_DB_NAME,
@@ -190,21 +191,17 @@ def configure():
         print("legacy directory is missing, skip..")
 
     # support changes in xml-rpc API for 2017.6
-    shutil.chown("/etc/lava-server/dispatcher.d/",
-                 config.LAVA_SYS_USER,
-                 config.LAVA_SYS_USER)
+    shutil.chown(
+        "/etc/lava-server/dispatcher.d/", config.LAVA_SYS_USER, config.LAVA_SYS_USER)
 
-    shutil.chown(DISPATCHER_CONFIG,
-                 config.LAVA_SYS_USER,
-                 config.LAVA_SYS_USER)
+    shutil.chown(
+        DISPATCHER_CONFIG, config.LAVA_SYS_USER, config.LAVA_SYS_USER)
 
-    shutil.chown("%s/devices/" % DISPATCHER_CONFIG,
-                 config.LAVA_SYS_USER,
-                 config.LAVA_SYS_USER)
+    shutil.chown(
+        "%s/devices/" % DISPATCHER_CONFIG, config.LAVA_SYS_USER, config.LAVA_SYS_USER)
 
-    shutil.chown("%s/device-types/" % DISPATCHER_CONFIG,
-                 config.LAVA_SYS_USER,
-                 config.LAVA_SYS_USER)
+    shutil.chown(
+        "%s/device-types/" % DISPATCHER_CONFIG, config.LAVA_SYS_USER, config.LAVA_SYS_USER)
 
     # user may not have been removed but the directory has, after purge.
     if not os.path.isdir(LAVA_SYS_HOME):
@@ -218,33 +215,38 @@ def configure():
     os.makedirs(os.path.dirname(LAVA_LOGS), exist_ok=True)
 
     # Allow lavaserver to write to all the log files
-    run(["chmod", "u+rXs", LAVA_LOGS], 'chmod lava logs')
-
-    # Allow users in the adm group to read the master logs
-    with open("%s/lava-master.log" % LAVA_LOGS, 'w+') as fh:
-        fh.write('')
-    shutil.chown("%s/lava-master.log" % LAVA_LOGS, user=None, group='adm')
-    run(["chmod", "g+rXs", LAVA_LOGS], 'chmod lava logs group')
+    # setgid on LAVA_LOGS directory
+    os.chmod(LAVA_LOGS, 0o2775)
+
+    # Allow users in the adm group to read all logs
+    with open("%s/django.log" % LAVA_LOGS, 'w+') as logfile:
+        logfile.write('')
+    shutil.chown(LAVA_LOGS, user=config.LAVA_SYS_USER, group='adm')
+    for file in glob.glob("%s/*" % LAVA_LOGS):
+        shutil.chown(file, user=config.LAVA_SYS_USER, group='adm')
+        # allow users in the adm group to run lava-server commands
+        os.chmod(file, 0o0664)
 
     # Allow lava user to write the secret key
-    with open(SECRET_KEY, 'w+') as fh:
-        fh.write('')
+    with open(SECRET_KEY, 'w+') as key:
+        key.write('')
     shutil.chown(SECRET_KEY, config.LAVA_SYS_USER, config.LAVA_SYS_USER)
     os.chmod(SECRET_KEY, 0o640)
 
     # Allow lavaserver to write device dictionary files
     os.makedirs("%s/devices/" % DISPATCHER_CONFIG, exist_ok=True)
-    shutil.chown("%s/devices/" % DISPATCHER_CONFIG,
-                 config.LAVA_SYS_USER,
-                 config.LAVA_SYS_USER)
+    shutil.chown(
+        "%s/devices/" % DISPATCHER_CONFIG, config.LAVA_SYS_USER, config.LAVA_SYS_USER)
 
     # Create temporary database role for db operations.
     pg_admin_username = "user_%012x" % random.getrandbits(48)
     pg_admin_password = "%012x" % random.getrandbits(48)
 
-    result = subprocess.run(["sudo", "-u", "postgres", "psql", "-c", "CREATE ROLE %s PASSWORD '%s' SUPERUSER CREATEDB CREATEROLE INHERIT LOGIN;" % (pg_admin_username, pg_admin_password)])
+    result = psql_run(
+        ["psql", "-c", "CREATE ROLE %s PASSWORD '%s' SUPERUSER CREATEDB CREATEROLE INHERIT LOGIN;" % (pg_admin_username, pg_admin_password)],
+        "Failed to create temporary superuser role")
 
-    if result.returncode != 0:
+    if result != 0:
         print("Failed to create postgres superuser.")
         return
 
@@ -252,16 +254,11 @@ def configure():
         db_setup(config, pg_admin_username, pg_admin_password)
     finally:
         # Removing temprorary user from postgres.
-        result = subprocess.run(["sudo", "-u", "postgres", "psql", "-c",
-                                 "DROP ROLE %s ;" % pg_admin_username])
-        if result.returncode != 0:
+        result = psql_run(
+            ["psql", "-c", "DROP ROLE %s ;" % pg_admin_username], "Failed to drop temporary superuser role.")
+        if result != 0:
             print("Temporary user %s was not properly removed from postgres. Please do so manually." % pg_admin_username)
 
-    # Allow lavaserver to write to all the log files
-    with open("%s/django.log" % LAVA_LOGS, 'w+') as fh:
-        fh.write('')
-    shutil.chown("%s/django.log" % LAVA_LOGS, config.LAVA_SYS_USER, "adm")
-
 
 def main():
     configure()
author	Neil Williams <neil.williams@linaro.org>	2018-07-19 08:44:08 +0100
committer	Remi Duraffort <remi.duraffort@linaro.org>	2018-07-20 09:29:40 +0000
commit	d54b739187afaede745486d484324878fa6b4f95 (patch)
tree	0bc74f130414c57967007774abb0a1c2e19048ef
parent	839a14d07878687fd5af09aecc67c13820375789 (diff)