stuart: devel/kolab/Kolab Templates.pm,1.1.1.1,1.2
cvs at intevation.de
cvs at intevation.de
Thu May 13 15:11:41 CEST 2004
Author: stuart
Update of /kolabrepository/devel/kolab/Kolab
In directory doto:/tmp/cvs-serv15361/Kolab
Modified Files:
Templates.pm
Log Message:
New file permission handling. This should fix the security vulnerabilities that we've been experiencing
Index: Templates.pm
===================================================================
RCS file: /kolabrepository/devel/kolab/Kolab/Templates.pm,v
retrieving revision 1.1.1.1
retrieving revision 1.2
diff -u -d -r1.1.1.1 -r1.2
--- Templates.pm 3 May 2004 14:04:04 -0000 1.1.1.1
+++ Templates.pm 13 May 2004 13:11:39 -0000 1.2
@@ -63,6 +63,9 @@
sub META_ALWAYS_CHANGE() { return "always_change"; }
sub META_ON_CHANGE() { return "on_change"; }
sub META_DISABLED() { return "disabled"; }
+sub META_PERMS() { return "file_perms"; }
+sub META_UID() { return "file_uid"; }
+sub META_GID() { return "file_gid"; }
sub buildTemplates
{
@@ -102,6 +105,16 @@
next;
}
+ if (!$templates{$file}->{META_PERMS()}) {
+ $templates{$file}->{META_PERMS()} = 0644;
+ } else {
+ $templates{$file}->{META_PERMS()} = oct($templates{$file}->{META_PERMS()});
+ }
+ $templates{$file}->{META_UID()} = $Kolab::config{'kolab_uid'} if !$templates{$file}->{META_UID()};
+ $templates{$file}->{META_GID()} = $Kolab::config{'kolab_gid'} if !$templates{$file}->{META_GID()};
+
+ Kolab::log(PREFIX, "Conf file $templates{$file}->{META_DESTINATION()} is owned by $templates{$file}->{META_UID()}:$templates{$file}->{META_GID()} with perms $templates{$file}->{META_PERMS()}", KOLAB_VERBOSE_DEBUG);
+
$templates{$file}->{"__FILE_HANDLE"} = $fh;
}
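Review bot: The defaulting tests on the added lines rely on truthiness, so a template that sets `file_uid` or `file_gid` to `0` is treated as unset and silently falls back to `kolab_uid`/`kolab_gid`; testing with `defined` (plus a length check) would keep an explicit value of 0. The `oct()` call accepts anything: a malformed `file_perms` string converts to 0 or to its leading valid digits, a `0x`/`0b` prefix is read as hex or binary, and nothing masks setuid/setgid bits, so I would validate first with something like `$perms =~ /\A[0-7]{3,4}\z/` and log and skip the template otherwise. The debug message prints the mode in decimal; `sprintf('%04o', $templates{$file}->{META_PERMS()})` would make the log readable. The enclosing loop starts and ends outside this hunk.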
@@ -152,6 +165,18 @@
$templates{$file}->{META_ON_CHANGE()} = lerpVar($templates{$file}->{META_ON_CHANGE()})
if $templates{$file}->{META_ON_CHANGE()};
+ # Truncate the temp file
+ if (!($tmpfile = IO::File->new($tmp, 'w'))) {
+ Kolab::log(PREFIX, "Unable to truncate temporary file $tmp", KOLAB_ERROR);
+ exit 1;
+ }
+ undef $tmpfile;
+
+ # Change the permissions to what we want
+ chown $templates{$file}->{META_UID()}, $templates{$file}->{META_GID()}, $tmp;
+ chmod $templates{$file}->{META_PERMS()}, $tmp;
+
+ # Reopen the temp file, using the new permissions
if (!($tmpfile = IO::File->new($tmp, 'w'))) {
Kolab::log(PREFIX, "Unable to open temporary file $tmp", KOLAB_ERROR);
exit 1;
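Review bot: The return values of the added `chown` and `chmod` calls are discarded, so when either fails the code carries on and writes the rendered configuration into a file that still has its previous owner and mode, which is the condition this commit is meant to prevent. Both builtins return the number of files changed, so the pair can be checked and handled like the open failure just above. If `$tmp` sits in a directory that other local users can write to (how `$tmp` is chosen is outside this hunk), `IO::File->new($tmp, 'w')`, `chown` and `chmod` all follow a symlink at that path, so creating the file exclusively or in a private directory would be safer. The same truncate/chown/chmod sequence is repeated for `$old` and `$new` in the next hunk and has the same gaps.

```perl
# Change the permissions to what we want, and stop if that is not possible
if (chown($templates{$file}->{META_UID()}, $templates{$file}->{META_GID()}, $tmp) != 1
    || chmod($templates{$file}->{META_PERMS()}, $tmp) != 1) {
    Kolab::log(PREFIX, "Unable to set owner/permissions on temporary file $tmp: $!", KOLAB_ERROR);
    exit 1;
}
# … unchanged: reopen of $tmp for writing …
```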
@@ -175,10 +200,46 @@
undef $fh;
undef $tmpfile;
+ # Make sure our directories exist
+ my $dirname = trim(`dirname $old`);
+ if (!opendir(DIR, $dirname)) {
+ Kolab::log(PREFIX, "Unable to open backup directory $dirname", KOLAB_WARN);
+ next;
+ }
+
+ $dirname = trim(`dirname $new`);
+ if (!opendir(DIR, $dirname)) {
+ Kolab::log(PREFIX, "Unable to open configuration directory $dirname", KOLAB_WARN);
+ next;
+ }
+
+ # Truncate the backup file
+ if (!($tmpfile = IO::File->new($old, 'w'))) {
+ Kolab::log(PREFIX, "Unable to truncate backup file $old", KOLAB_ERROR);
+ exit 1;
+ }
+ undef $tmpfile;
+
+ # Change the permissions to what we want
+ chown $templates{$file}->{META_UID()}, $templates{$file}->{META_GID()}, $old;
+ chmod $templates{$file}->{META_PERMS()}, $old;
+
+ # And copy the existing config file to the backup
copy($new, $old);
- copy($tmp, $new);
- chown($Kolab::config{"kolab_uid"}, $Kolab::config{"kolab_gid"}, $new);
+ # Truncate the new config file
+ if (!($tmpfile = IO::File->new($new, 'w'))) {
+ Kolab::log(PREFIX, "Unable to truncate configuration file $new", KOLAB_ERROR);
+ exit 1;
+ }
+ undef $tmpfile;
+
+ # Change the permissions to what we want
+ chown $templates{$file}->{META_UID()}, $templates{$file}->{META_GID()}, $new;
+ chmod $templates{$file}->{META_PERMS()}, $new;
+
+ # And finally copy the temp file to the new config location
+ copy($tmp, $new);
}
if ($nochange) {
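Review bot: The two added `dirname` calls go through the shell via backticks with `$old` and `$new` interpolated, so a path containing spaces or shell metacharacters is split or interpreted by the shell; `my $dirname = File::Basename::dirname($old);` gives the same result for ordinary paths without spawning a process (it needs `use File::Basename;` if the module is not already loaded). The `opendir(DIR, ...)` checks use a bareword handle that is never closed and only test that the directory can be opened, which does not match the comment `# Make sure our directories exist`; `-d $dirname` states the intent directly. The result of `copy($new, $old)` is not checked before `$new` is truncated, so a failed backup leaves no copy of the previous configuration; I would guard it with `copy($new, $old) or do { Kolab::log(PREFIX, "Unable to back up $new: $!", KOLAB_ERROR); next; };`. The enclosing loop begins and ends outside this hunk.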
@@ -198,7 +259,7 @@
$haschanged = $? >> 8;
chomp($stdout);
- Kolab::log(PREFIX, "Diff cmd returned $haschanged w/ stdout $stdout", KOLAB_DEBUG);
+ Kolab::log(PREFIX, "Diff cmd returned $haschanged", KOLAB_DEBUG);
}
if ($nochange) {
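Review bot: A short comment above the new log call would record why the command's stdout is no longer logged, for example `# stdout deliberately not logged: diff output can contain configuration file contents`; that reason is my inference from the commit message and should be confirmed by the author. With the message changed, `chomp($stdout)` on the line before appears to have no remaining use inside this hunk, though `$stdout` may still be read outside it. The same two remarks apply to the change-command hunk that follows.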
@@ -223,7 +284,7 @@
$haschanged = $? >> 8;
chomp($stdout);
- Kolab::log(PREFIX, "Change cmd returned $haschanged w/ stdout $stdout", KOLAB_DEBUG);
+ Kolab::log(PREFIX, "Change cmd returned $haschanged", KOLAB_DEBUG);
}
# Sixth phase: Cleanup