CC-2797: Files in /etc/airtime should not be world readable

-fixed
2011-09-09 16:16:48 -04:00 · 2011-09-09 16:16:48 -04:00 · 1b165f473c
parent 1ba200441e
commit 1b165f473c
6 changed files with 95 additions and 9 deletions
--- a/install_minimal/include/AirtimeIni.php
+++ b/install_minimal/include/AirtimeIni.php
@ -33,6 +33,7 @@ class AirtimeIni
    const CONF_FILE_MONIT = "/etc/monit/conf.d/airtime-monit.cfg";
    const CONF_PYPO_GRP = "pypo";
    const CONF_WWW_DATA_GRP = "www-data";
    public static function IniFilesExist()
    {
@ -67,41 +68,58 @@ class AirtimeIni
        if (!copy(AirtimeInstall::GetAirtimeSrcDir()."/build/airtime.conf", AirtimeIni::CONF_FILE_AIRTIME)){
            echo "Could not copy airtime.conf to /etc/airtime/. Exiting.";
            exit(1);
        } else if (!self::ChangeFileOwnerGroupModToPypo(AirtimeIni::CONF_FILE_AIRTIME, self::CONF_WWW_DATA_GRP)){
            echo "Could not set ownership of api_client.cfg to 'pypo'. Exiting.";
            exit(1);
        }
        if (!copy(__DIR__."/../../python_apps/api_clients/api_client.cfg", AirtimeIni::CONF_FILE_API_CLIENT)){
            echo "Could not copy api_client.cfg to /etc/airtime/. Exiting.";
            exit(1);
        } else if (!self::ChangeFileOwnerGroupModToPypo(AirtimeIni::CONF_FILE_API_CLIENT, self::CONF_PYPO_GRP)){
            echo "Could not set ownership of api_client.cfg to 'pypo'. Exiting.";
            exit(1);
        }
        if (!copy(__DIR__."/../../python_apps/pypo/pypo.cfg", AirtimeIni::CONF_FILE_PYPO)){
            echo "Could not copy pypo.cfg to /etc/airtime/. Exiting.";
            exit(1);
        } else if (!self::ChangeFileOwnerGroupModToPypo(AirtimeIni::CONF_FILE_PYPO, self::CONF_PYPO_GRP)){
            echo "Could not set ownership of pypo.cfg to 'pypo'. Exiting.";
            exit(1);
        }
        if (!copy(__DIR__."/../../python_apps/show-recorder/recorder.cfg", AirtimeIni::CONF_FILE_RECORDER)){
            echo "Could not copy recorder.cfg to /etc/airtime/. Exiting.";
            exit(1);
        } else if (!self::ChangeFileOwnerGroupModToPypo(AirtimeIni::CONF_FILE_RECORDER, self::CONF_PYPO_GRP)){
            echo "Could not set ownership of recorder.cfg to 'pypo'. Exiting.";
            exit(1);
        }
        if (!copy(__DIR__."/../../python_apps/pypo/liquidsoap_scripts/liquidsoap.cfg", AirtimeIni::CONF_FILE_LIQUIDSOAP)){
            echo "Could not copy liquidsoap.cfg to /etc/airtime/. Exiting.";
            exit(1);
-        }else{
+        } else if (!self::ChangeFileOwnerGroupModToPypo(AirtimeIni::CONF_FILE_LIQUIDSOAP, self::CONF_PYPO_GRP)){
-            if (!chown(AirtimeIni::CONF_FILE_LIQUIDSOAP, "pypo") || !chgrp(AirtimeIni::CONF_FILE_LIQUIDSOAP, "pypo") ){
+            echo "Could not set ownership of liquidsoap.cfg to 'pypo'. Exiting.";
-                echo "Could not set ownership of liquidsoap.cfg to 'pypo'. Exiting.";
+            exit(1);
                exit(1);
            }
        }
-        chmod(AirtimeIni::CONF_FILE_LIQUIDSOAP, 0640);
+                        
        chgrp(AirtimeIni::CONF_FILE_LIQUIDSOAP, AirtimeIni::CONF_PYPO_GRP);
        if (!copy(__DIR__."/../../python_apps/media-monitor/media-monitor.cfg", AirtimeIni::CONF_FILE_MEDIAMONITOR)){
            echo "Could not copy media-monitor.cfg to /etc/airtime/. Exiting.";
            exit(1);
        } else if (!self::ChangeFileOwnerGroupModToPypo(AirtimeIni::CONF_FILE_MEDIAMONITOR, self::CONF_PYPO_GRP)){
            echo "Could not set ownership of media-monitor.cfg to 'pypo'. Exiting.";
            exit(1);
        }
    }
    public static function ChangeFileOwnerGroupModToPypo($filename, $user){
        return (chown($filename, $user) &&
                chgrp($filename, $user) &&
                chmod($filename, 0640));
    }
    public static function CreateMonitFile(){
        if (!copy(__DIR__."/../../python_apps/monit/airtime-monit.cfg", AirtimeIni::CONF_FILE_MONIT)){
            echo "Could not copy airtime-monit.cfg to /etc/monit/conf.d/. Exiting.";
--- a/utils/airtime-check-system.php
+++ b/utils/airtime-check-system.php
@ -1,5 +1,7 @@
 <?php
 AirtimeCheck::ExitIfNotRoot();
 $sapi_type = php_sapi_name();
 //detect if we are running via the command line
@ -67,6 +69,20 @@ class AirtimeCheck {
    const PYINOTIFY_MIN_VERSION = "0.9.2";
    public static $check_system_ok = true;
    /**
     * Ensures that the user is running this PHP script with root
     * permissions. If not running with root permissions, causes the
     * script to exit.
     */
    public static function ExitIfNotRoot()
    {
        // Need to check that we are superuser before running this.
        if(exec("whoami") != "root"){
            echo "Must be root user.\n";
            exit(1);
        }
    }
    private static function CheckAirtimeDaemonRunning($filename, $process_id_str, $process_running_str, $name, $logFile)
    {
--- a/utils/airtime-log.php
+++ b/utils/airtime-log.php
@ -1,5 +1,7 @@
 <?php
 exitIfNotRoot();
 $airtimeIni = getAirtimeConf();
 $airtime_base_dir = $airtimeIni['general']['airtime_dir'];
@ -15,6 +17,20 @@ $log_files = array("media-monitor" => "/var/log/airtime/media-monitor/media-moni
 array_filter($log_files, "file_exists");
 /**
 * Ensures that the user is running this PHP script with root
 * permissions. If not running with root permissions, causes the
 * script to exit.
 */
 function exitIfNotRoot()
 {
    // Need to check that we are superuser before running this.
    if(exec("whoami") != "root"){
        echo "Must be root user.\n";
        exit(1);
    }
 }
 function printUsage($userMsg = "")
 {
    global $opts;
--- a/utils/airtime-update-db-settings.py
+++ b/utils/airtime-update-db-settings.py
@ -5,10 +5,15 @@ we need to update database host, dbname, username and password.
 This script reads from airtime.conf.
 """
 import os
 import sys
 import ConfigParser
 import xml.dom.minidom
 from xml.dom.minidom import Node
 if not os.geteuid() == 0:
    sys.exit('Must be root user.')
 #Read the universal values
 parser = ConfigParser.SafeConfigParser()
 parser.read('/etc/airtime/airtime.conf')
--- a/utils/airtime-user.php
+++ b/utils/airtime-user.php
@ -1,5 +1,7 @@
 <?php
 exitIfNotRoot();
 $airtimeIni = GetAirtimeConf();
 $airtime_base_dir = $airtimeIni['general']['airtime_dir'];
@ -36,6 +38,19 @@ function printUsage()
    echo "\n";
 }
 /**
 * Ensures that the user is running this PHP script with root
 * permissions. If not running with root permissions, causes the
 * script to exit.
 */
 function exitIfNotRoot()
 {
    // Need to check that we are superuser before running this.
    if(exec("whoami") != "root"){
        echo "Must be root user.\n";
        exit(1);
    }
 }
 if (count($argv) != 3) {
    printUsage();
--- a/utils/phone_home_stat.php
+++ b/utils/phone_home_stat.php
@ -1,4 +1,7 @@
 <?php
 exitIfNotRoot();
 $values = parse_ini_file('/etc/airtime/airtime.conf', true);
 // Name of the web server user
@ -65,4 +68,17 @@ if(Application_Model_Preference::GetSupportFeedback() == '1'){
    curl_setopt($ch, CURLOPT_POSTFIELDS, $dataArray);
    $result = curl_exec($ch);
 }
-?>
+
 /**
 * Ensures that the user is running this PHP script with root
 * permissions. If not running with root permissions, causes the
 * script to exit.
 */
 function exitIfNotRoot()
 {
    // Need to check that we are superuser before running this.
    if(exec("whoami") != "root"){
        echo "Must be root user.\n";
        exit(1);
    }
 }