stuart: devel/kolab/Kolab Templates.pm,1.1.1.1,1.2

cvs at intevation.de cvs at intevation.de
Thu May 13 15:11:41 CEST 2004


Author: stuart

Update of /kolabrepository/devel/kolab/Kolab
In directory doto:/tmp/cvs-serv15361/Kolab

Modified Files:
	Templates.pm 
Log Message:
New file permission handling. This should fix the security vulnerabilities that we've been experiencing


Index: Templates.pm
===================================================================
RCS file: /kolabrepository/devel/kolab/Kolab/Templates.pm,v
retrieving revision 1.1.1.1
retrieving revision 1.2
diff -u -d -r1.1.1.1 -r1.2
--- Templates.pm	3 May 2004 14:04:04 -0000	1.1.1.1
+++ Templates.pm	13 May 2004 13:11:39 -0000	1.2
@@ -63,6 +63,9 @@
 sub META_ALWAYS_CHANGE()    { return "always_change"; }
 sub META_ON_CHANGE()        { return "on_change"; }
 sub META_DISABLED()         { return "disabled"; }
+sub META_PERMS()            { return "file_perms"; }
+sub META_UID()              { return "file_uid"; }
+sub META_GID()              { return "file_gid"; }
 
 sub buildTemplates
 {
@@ -102,6 +105,16 @@
             next;
         }
 
+        if (!$templates{$file}->{META_PERMS()}) {
+            $templates{$file}->{META_PERMS()} = 0644;
+        } else {
+            $templates{$file}->{META_PERMS()} = oct($templates{$file}->{META_PERMS()});
+        }
+        $templates{$file}->{META_UID()} = $Kolab::config{'kolab_uid'} if !$templates{$file}->{META_UID()};
+        $templates{$file}->{META_GID()} = $Kolab::config{'kolab_gid'} if !$templates{$file}->{META_GID()};
+
+        Kolab::log(PREFIX, "Conf file $templates{$file}->{META_DESTINATION()} is owned by $templates{$file}->{META_UID()}:$templates{$file}->{META_GID()} with perms $templates{$file}->{META_PERMS()}", KOLAB_VERBOSE_DEBUG);
+
         $templates{$file}->{"__FILE_HANDLE"} = $fh;
     }
 
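Review bot: The template-supplied mode goes through `oct($templates{$file}->{META_PERMS()})` with no validation, so a non-octal string becomes mode 0, a `0x` or `0b` prefix is parsed as hex or binary, and setuid or world-writable bits pass straight through to the later chmod. Reject anything that is not plain octal before converting, e.g. `next if $templates{$file}->{META_PERMS()} !~ /\A[0-7]{3,4}\z/;` with a KOLAB_ERROR log line, and mask with `& 0777` unless special bits are really intended. The `!` tests on META_UID and META_GID treat an explicit 0 as unset, and if the metadata can carry a name rather than a number (not visible here) chown would numify it to 0, so a `/\A\d+\z/` check belongs there as well. The debug message prints the mode in decimal (0644 is logged as 420); `sprintf("%04o", $templates{$file}->{META_PERMS()})` would make it readable. The enclosing loop starts outside this hunk.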
@@ -152,6 +165,18 @@
             $templates{$file}->{META_ON_CHANGE()} = lerpVar($templates{$file}->{META_ON_CHANGE()})
                 if $templates{$file}->{META_ON_CHANGE()};
 
+            # Truncate the temp file
+            if (!($tmpfile = IO::File->new($tmp, 'w'))) {
+                Kolab::log(PREFIX, "Unable to truncate temporary file $tmp", KOLAB_ERROR);
+                exit 1;
+            }
+            undef $tmpfile;
+
+            # Change the permissions to what we want
+            chown $templates{$file}->{META_UID()}, $templates{$file}->{META_GID()}, $tmp;
+            chmod $templates{$file}->{META_PERMS()}, $tmp;
+
+            # Reopen the temp file, using the new permissions
             if (!($tmpfile = IO::File->new($tmp, 'w'))) {
                 Kolab::log(PREFIX, "Unable to open temporary file $tmp", KOLAB_ERROR);
                 exit 1;
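Review bot: The return values of `chown` and `chmod` on `$tmp` are ignored, so when either fails the rendered configuration is still written into a file that keeps whatever owner and mode it had before. Both return the number of files changed and should be checked, e.g. `chmod($templates{$file}->{META_PERMS()}, $tmp) == 1 or do { Kolab::log(PREFIX, "Unable to chmod $tmp", KOLAB_ERROR); exit 1; };`. The same unchecked pair is repeated for `$old` and `$new` in the next hunk. Truncating and then changing mode by path also leaves a window between the two opens and follows a symlink at `$tmp`; if the temp directory is writable by other users (not visible here), creating the file with `sysopen` using `O_CREAT|O_EXCL` and the wanted mode would avoid that. The `if` around the reopen continues past the end of this hunk.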
@@ -175,10 +200,46 @@
             undef $fh;
             undef $tmpfile;
 
+            # Make sure our directories exist
+            my $dirname = trim(`dirname $old`);
+            if (!opendir(DIR, $dirname)) {
+                Kolab::log(PREFIX, "Unable to open backup directory $dirname", KOLAB_WARN);
+                next;
+            }
+
+            $dirname = trim(`dirname $new`);
+            if (!opendir(DIR, $dirname)) {
+                Kolab::log(PREFIX, "Unable to open configuration directory $dirname", KOLAB_WARN);
+                next;
+            }
+
+            # Truncate the backup file
+            if (!($tmpfile = IO::File->new($old, 'w'))) {
+                Kolab::log(PREFIX, "Unable to truncate backup file $old", KOLAB_ERROR);
+                exit 1;
+            }
+            undef $tmpfile;
+
+            # Change the permissions to what we want
+            chown $templates{$file}->{META_UID()}, $templates{$file}->{META_GID()}, $old;
+            chmod $templates{$file}->{META_PERMS()}, $old;
+
+            # And copy the existing config file to the backup
             copy($new, $old);
-            copy($tmp, $new);
 
-            chown($Kolab::config{"kolab_uid"}, $Kolab::config{"kolab_gid"}, $new);
+            # Truncate the new config file
+            if (!($tmpfile = IO::File->new($new, 'w'))) {
+                Kolab::log(PREFIX, "Unable to truncate configuration file $new", KOLAB_ERROR);
+                exit 1;
+            }
+            undef $tmpfile;
+
+            # Change the permissions to what we want
+            chown $templates{$file}->{META_UID()}, $templates{$file}->{META_GID()}, $new;
+            chmod $templates{$file}->{META_PERMS()}, $new;
+
+            # And finally copy the temp file to the new config location
+            copy($tmp, $new);
         }
 
         if ($nochange) {
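Review bot: The two backtick calls that run `dirname $old` and `dirname $new` interpolate the path into a shell command line, so a space or shell metacharacter in a destination path is interpreted by the shell instead of being treated as part of the name. Use the core module instead, `my $dirname = File::Basename::dirname($old);` (with `use File::Basename;` at the top of the file), which needs no subprocess and no `trim`. The `opendir(DIR, $dirname)` probes never call `closedir` and reuse a bareword handle; `if (!-d $dirname)` expresses the same check without leaking a handle. Separately, `$old` is truncated before `copy($new, $old)` and `$new` before `copy($tmp, $new)`, and neither `copy` result is checked, so a failed copy leaves an empty backup or an empty live configuration file with no log entry.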
@@ -198,7 +259,7 @@
             $haschanged = $? >> 8;
             chomp($stdout);
 
-            Kolab::log(PREFIX, "Diff cmd returned $haschanged w/ stdout $stdout", KOLAB_DEBUG);
+            Kolab::log(PREFIX, "Diff cmd returned $haschanged", KOLAB_DEBUG);
         }
 
         if ($nochange) {
@@ -223,7 +284,7 @@
         $haschanged = $? >> 8;
         chomp($stdout);
 
-        Kolab::log(PREFIX, "Change cmd returned $haschanged w/ stdout $stdout", KOLAB_DEBUG);
+        Kolab::log(PREFIX, "Change cmd returned $haschanged", KOLAB_DEBUG);
     }
 
     # Sixth phase: Cleanup




