diff options
author | Neil Williams <neil.williams@linaro.org> | 2018-07-19 08:44:08 +0100 |
---|---|---|
committer | Remi Duraffort <remi.duraffort@linaro.org> | 2018-07-20 09:29:40 +0000 |
commit | d54b739187afaede745486d484324878fa6b4f95 (patch) | |
tree | 0bc74f130414c57967007774abb0a1c2e19048ef | |
parent | 839a14d07878687fd5af09aecc67c13820375789 (diff) |
Simplify and rationalise log permissions
Move similar calls into one place, change the directory to have
setgid as setuid is ignored.
Use python handlers instead of shells.
Allow users in the 'adm' group to read all log files and
start lava-server manage commands.
Drop recursive mode and permission operations, use glob
to act on all log files.
Change-Id: I563b08a2cacfb6cf6fa4a213deaddb48b30e7c4d
-rwxr-xr-x | share/postinst.py | 81 |
1 files changed, 39 insertions, 42 deletions
diff --git a/share/postinst.py b/share/postinst.py index 960f5253b..d716b0f2e 100755 --- a/share/postinst.py +++ b/share/postinst.py @@ -19,13 +19,12 @@ # along with this program. If not, see <http://www.gnu.org/licenses/>. import contextlib -import django import os import psycopg2 import pwd import random import shutil -import stat +import glob import subprocess import sys @@ -46,19 +45,21 @@ LAVA_DB_SERVER = "localhost" def psql_run(cmd_list, failure_msg): uid = pwd.getpwnam('postgres')[2] os.seteuid(uid) - run(cmd_list, failure_msg) + ret = run(cmd_list, failure_msg) uid = pwd.getpwnam('root')[2] os.seteuid(uid) + return ret def run(cmd_list, failure_msg): print(" ".join(cmd_list)) try: - subprocess.check_call(cmd_list) + ret = subprocess.check_call(cmd_list) except subprocess.CalledProcessError: print(failure_msg) # all failures are fatal during setup sys.exit(1) + return ret def db_setup(config, pg_admin_username, pg_admin_password): @@ -80,8 +81,8 @@ def db_setup(config, pg_admin_username, pg_admin_password): try: cursor.execute("CREATE ROLE %s NOSUPERUSER NOCREATEDB NOCREATEROLE INHERIT LOGIN ENCRYPTED PASSWORD '%s'" % (config.LAVA_DB_USER, config.LAVA_DB_PASSWORD)) - except psycopg2.ProgrammingError: - print("LAVA db user password not set in db") + except psycopg2.ProgrammingError as exc: + print(exc) cursor.execute("SELECT EXISTS(SELECT * FROM information_schema.tables WHERE table_name='%s')" % config.LAVA_DB_NAME) db_existed_before = cursor.fetchone()[0] @@ -89,8 +90,8 @@ def db_setup(config, pg_admin_username, pg_admin_password): if not db_existed_before: try: cursor.execute("CREATE DATABASE \"%s\" LC_CTYPE 'C.UTF-8' ENCODING 'UTF-8' OWNER \"%s\" TEMPLATE template0" % (config.LAVA_DB_NAME, config.LAVA_DB_USER)) - except psycopg2.ProgrammingError as e: - print(e) + except psycopg2.ProgrammingError as exc: + print(exc) conn = psycopg2.connect("dbname='%s' user='%s' host='%s' password='%s' connect_timeout=5" % ( config.LAVA_DB_NAME, @@ -190,21 +191,17 @@ def configure(): print("legacy directory is missing, skip..") # support changes in xml-rpc API for 2017.6 - shutil.chown("/etc/lava-server/dispatcher.d/", - config.LAVA_SYS_USER, - config.LAVA_SYS_USER) + shutil.chown( + "/etc/lava-server/dispatcher.d/", config.LAVA_SYS_USER, config.LAVA_SYS_USER) - shutil.chown(DISPATCHER_CONFIG, - config.LAVA_SYS_USER, - config.LAVA_SYS_USER) + shutil.chown( + DISPATCHER_CONFIG, config.LAVA_SYS_USER, config.LAVA_SYS_USER) - shutil.chown("%s/devices/" % DISPATCHER_CONFIG, - config.LAVA_SYS_USER, - config.LAVA_SYS_USER) + shutil.chown( + "%s/devices/" % DISPATCHER_CONFIG, config.LAVA_SYS_USER, config.LAVA_SYS_USER) - shutil.chown("%s/device-types/" % DISPATCHER_CONFIG, - config.LAVA_SYS_USER, - config.LAVA_SYS_USER) + shutil.chown( + "%s/device-types/" % DISPATCHER_CONFIG, config.LAVA_SYS_USER, config.LAVA_SYS_USER) # user may not have been removed but the directory has, after purge. if not os.path.isdir(LAVA_SYS_HOME): @@ -218,33 +215,38 @@ def configure(): os.makedirs(os.path.dirname(LAVA_LOGS), exist_ok=True) # Allow lavaserver to write to all the log files - run(["chmod", "u+rXs", LAVA_LOGS], 'chmod lava logs') - - # Allow users in the adm group to read the master logs - with open("%s/lava-master.log" % LAVA_LOGS, 'w+') as fh: - fh.write('') - shutil.chown("%s/lava-master.log" % LAVA_LOGS, user=None, group='adm') - run(["chmod", "g+rXs", LAVA_LOGS], 'chmod lava logs group') + # setgid on LAVA_LOGS directory + os.chmod(LAVA_LOGS, 0o2775) + + # Allow users in the adm group to read all logs + with open("%s/django.log" % LAVA_LOGS, 'w+') as logfile: + logfile.write('') + shutil.chown(LAVA_LOGS, user=config.LAVA_SYS_USER, group='adm') + for file in glob.glob("%s/*" % LAVA_LOGS): + shutil.chown(file, user=config.LAVA_SYS_USER, group='adm') + # allow users in the adm group to run lava-server commands + os.chmod(file, 0o0664) # Allow lava user to write the secret key - with open(SECRET_KEY, 'w+') as fh: - fh.write('') + with open(SECRET_KEY, 'w+') as key: + key.write('') shutil.chown(SECRET_KEY, config.LAVA_SYS_USER, config.LAVA_SYS_USER) os.chmod(SECRET_KEY, 0o640) # Allow lavaserver to write device dictionary files os.makedirs("%s/devices/" % DISPATCHER_CONFIG, exist_ok=True) - shutil.chown("%s/devices/" % DISPATCHER_CONFIG, - config.LAVA_SYS_USER, - config.LAVA_SYS_USER) + shutil.chown( + "%s/devices/" % DISPATCHER_CONFIG, config.LAVA_SYS_USER, config.LAVA_SYS_USER) # Create temporary database role for db operations. pg_admin_username = "user_%012x" % random.getrandbits(48) pg_admin_password = "%012x" % random.getrandbits(48) - result = subprocess.run(["sudo", "-u", "postgres", "psql", "-c", "CREATE ROLE %s PASSWORD '%s' SUPERUSER CREATEDB CREATEROLE INHERIT LOGIN;" % (pg_admin_username, pg_admin_password)]) + result = psql_run( + ["psql", "-c", "CREATE ROLE %s PASSWORD '%s' SUPERUSER CREATEDB CREATEROLE INHERIT LOGIN;" % (pg_admin_username, pg_admin_password)], + "Failed to create temporary superuser role") - if result.returncode != 0: + if result != 0: print("Failed to create postgres superuser.") return @@ -252,16 +254,11 @@ def configure(): db_setup(config, pg_admin_username, pg_admin_password) finally: # Removing temprorary user from postgres. - result = subprocess.run(["sudo", "-u", "postgres", "psql", "-c", - "DROP ROLE %s ;" % pg_admin_username]) - if result.returncode != 0: + result = psql_run( + ["psql", "-c", "DROP ROLE %s ;" % pg_admin_username], "Failed to drop temporary superuser role.") + if result != 0: print("Temporary user %s was not properly removed from postgres. Please do so manually." % pg_admin_username) - # Allow lavaserver to write to all the log files - with open("%s/django.log" % LAVA_LOGS, 'w+') as fh: - fh.write('') - shutil.chown("%s/django.log" % LAVA_LOGS, config.LAVA_SYS_USER, "adm") - def main(): configure() |