CC-2797: Files in /etc/airtime should not be world readable

-fixed
2011-09-09 16:16:48 -04:00 · 2011-09-09 16:16:48 -04:00 · 1b165f473c
parent 1ba200441e
commit 1b165f473c
6 changed files with 95 additions and 9 deletions
--- a/install_minimal/include/AirtimeIni.php
+++ b/install_minimal/include/AirtimeIni.php
@ -33,6 +33,7 @@ class AirtimeIni
    const CONF_FILE_MONIT = "/etc/monit/conf.d/airtime-monit.cfg";

    const CONF_PYPO_GRP = "pypo";
+    const CONF_WWW_DATA_GRP = "www-data";

    public static function IniFilesExist()
    {
@ -67,41 +68,58 @@ class AirtimeIni
        if (!copy(AirtimeInstall::GetAirtimeSrcDir()."/build/airtime.conf", AirtimeIni::CONF_FILE_AIRTIME)){
            echo "Could not copy airtime.conf to /etc/airtime/. Exiting.";
            exit(1);
+        } else if (!self::ChangeFileOwnerGroupModToPypo(AirtimeIni::CONF_FILE_AIRTIME, self::CONF_WWW_DATA_GRP)){
+            echo "Could not set ownership of api_client.cfg to 'pypo'. Exiting.";
+            exit(1);
        }
        
        if (!copy(__DIR__."/../../python_apps/api_clients/api_client.cfg", AirtimeIni::CONF_FILE_API_CLIENT)){
            echo "Could not copy api_client.cfg to /etc/airtime/. Exiting.";
            exit(1);
+        } else if (!self::ChangeFileOwnerGroupModToPypo(AirtimeIni::CONF_FILE_API_CLIENT, self::CONF_PYPO_GRP)){
+            echo "Could not set ownership of api_client.cfg to 'pypo'. Exiting.";
+            exit(1);
        }
                
        if (!copy(__DIR__."/../../python_apps/pypo/pypo.cfg", AirtimeIni::CONF_FILE_PYPO)){
            echo "Could not copy pypo.cfg to /etc/airtime/. Exiting.";
            exit(1);
+        } else if (!self::ChangeFileOwnerGroupModToPypo(AirtimeIni::CONF_FILE_PYPO, self::CONF_PYPO_GRP)){
+            echo "Could not set ownership of pypo.cfg to 'pypo'. Exiting.";
+            exit(1);
        }
        
        if (!copy(__DIR__."/../../python_apps/show-recorder/recorder.cfg", AirtimeIni::CONF_FILE_RECORDER)){
            echo "Could not copy recorder.cfg to /etc/airtime/. Exiting.";
            exit(1);
+        } else if (!self::ChangeFileOwnerGroupModToPypo(AirtimeIni::CONF_FILE_RECORDER, self::CONF_PYPO_GRP)){
+            echo "Could not set ownership of recorder.cfg to 'pypo'. Exiting.";
+            exit(1);
        }
        
        if (!copy(__DIR__."/../../python_apps/pypo/liquidsoap_scripts/liquidsoap.cfg", AirtimeIni::CONF_FILE_LIQUIDSOAP)){
            echo "Could not copy liquidsoap.cfg to /etc/airtime/. Exiting.";
            exit(1);
-        }else{
-            if (!chown(AirtimeIni::CONF_FILE_LIQUIDSOAP, "pypo") || !chgrp(AirtimeIni::CONF_FILE_LIQUIDSOAP, "pypo") ){
-                echo "Could not set ownership of liquidsoap.cfg to 'pypo'. Exiting.";
-                exit(1);
-            }
+        } else if (!self::ChangeFileOwnerGroupModToPypo(AirtimeIni::CONF_FILE_LIQUIDSOAP, self::CONF_PYPO_GRP)){
+            echo "Could not set ownership of liquidsoap.cfg to 'pypo'. Exiting.";
+            exit(1);
        }
-        chmod(AirtimeIni::CONF_FILE_LIQUIDSOAP, 0640);
-        chgrp(AirtimeIni::CONF_FILE_LIQUIDSOAP, AirtimeIni::CONF_PYPO_GRP);
-                
+                        
        if (!copy(__DIR__."/../../python_apps/media-monitor/media-monitor.cfg", AirtimeIni::CONF_FILE_MEDIAMONITOR)){
            echo "Could not copy media-monitor.cfg to /etc/airtime/. Exiting.";
            exit(1);
+        } else if (!self::ChangeFileOwnerGroupModToPypo(AirtimeIni::CONF_FILE_MEDIAMONITOR, self::CONF_PYPO_GRP)){
+            echo "Could not set ownership of media-monitor.cfg to 'pypo'. Exiting.";
+            exit(1);
        }
    }
    
+    public static function ChangeFileOwnerGroupModToPypo($filename, $user){
+        return (chown($filename, $user) &&
+                chgrp($filename, $user) &&
+                chmod($filename, 0640));
+    }
+    
    public static function CreateMonitFile(){
        if (!copy(__DIR__."/../../python_apps/monit/airtime-monit.cfg", AirtimeIni::CONF_FILE_MONIT)){
            echo "Could not copy airtime-monit.cfg to /etc/monit/conf.d/. Exiting.";
--- a/utils/airtime-check-system.php
+++ b/utils/airtime-check-system.php
@ -1,5 +1,7 @@
 <?php

+AirtimeCheck::ExitIfNotRoot();
+
 $sapi_type = php_sapi_name();

 //detect if we are running via the command line
@ -67,6 +69,20 @@ class AirtimeCheck {
    const PYINOTIFY_MIN_VERSION = "0.9.2";

    public static $check_system_ok = true;
+
+    /**
+     * Ensures that the user is running this PHP script with root
+     * permissions. If not running with root permissions, causes the
+     * script to exit.
+     */
+    public static function ExitIfNotRoot()
+    {
+        // Need to check that we are superuser before running this.
+        if(exec("whoami") != "root"){
+            echo "Must be root user.\n";
+            exit(1);
+        }
+    }
   
    private static function CheckAirtimeDaemonRunning($filename, $process_id_str, $process_running_str, $name, $logFile)
    {
--- a/utils/airtime-log.php
+++ b/utils/airtime-log.php
@ -1,5 +1,7 @@
 <?php

+exitIfNotRoot();
+
 $airtimeIni = getAirtimeConf();
 $airtime_base_dir = $airtimeIni['general']['airtime_dir'];

@ -15,6 +17,20 @@ $log_files = array("media-monitor" => "/var/log/airtime/media-monitor/media-moni

 array_filter($log_files, "file_exists");

+/**
+ * Ensures that the user is running this PHP script with root
+ * permissions. If not running with root permissions, causes the
+ * script to exit.
+ */
+function exitIfNotRoot()
+{
+    // Need to check that we are superuser before running this.
+    if(exec("whoami") != "root"){
+        echo "Must be root user.\n";
+        exit(1);
+    }
+}
+
 function printUsage($userMsg = "")
 {
    global $opts;
--- a/utils/airtime-update-db-settings.py
+++ b/utils/airtime-update-db-settings.py
@ -5,10 +5,15 @@ we need to update database host, dbname, username and password.
 This script reads from airtime.conf.
 """
 import os
+import sys
 import ConfigParser
 import xml.dom.minidom
 from xml.dom.minidom import Node

+if not os.geteuid() == 0:
+    sys.exit('Must be root user.')
+
+
 #Read the universal values
 parser = ConfigParser.SafeConfigParser()
 parser.read('/etc/airtime/airtime.conf')
--- a/utils/airtime-user.php
+++ b/utils/airtime-user.php
@ -1,5 +1,7 @@
 <?php

+exitIfNotRoot();
+
 $airtimeIni = GetAirtimeConf();
 $airtime_base_dir = $airtimeIni['general']['airtime_dir'];

@ -36,6 +38,19 @@ function printUsage()
    echo "\n";
 }

+/**
+ * Ensures that the user is running this PHP script with root
+ * permissions. If not running with root permissions, causes the
+ * script to exit.
+ */
+function exitIfNotRoot()
+{
+    // Need to check that we are superuser before running this.
+    if(exec("whoami") != "root"){
+        echo "Must be root user.\n";
+        exit(1);
+    }
+}

 if (count($argv) != 3) {
    printUsage();
--- a/utils/phone_home_stat.php
+++ b/utils/phone_home_stat.php
@ -1,4 +1,7 @@
 <?php
+
+exitIfNotRoot();
+
 $values = parse_ini_file('/etc/airtime/airtime.conf', true);

 // Name of the web server user
@ -65,4 +68,17 @@ if(Application_Model_Preference::GetSupportFeedback() == '1'){
    curl_setopt($ch, CURLOPT_POSTFIELDS, $dataArray);
    $result = curl_exec($ch);
 }
-?>
+
+/**
+ * Ensures that the user is running this PHP script with root
+ * permissions. If not running with root permissions, causes the
+ * script to exit.
+ */
+function exitIfNotRoot()
+{
+    // Need to check that we are superuser before running this.
+    if(exec("whoami") != "root"){
+        echo "Must be root user.\n";
+        exit(1);
+    }
+}