CC-2797: Files in /etc/airtime should not be world readable

-upgrade script
2011-09-09 16:23:01 -04:00 · 2011-09-09 16:23:01 -04:00 · 62aff0014d
parent 1b165f473c
commit 62aff0014d
2 changed files with 50 additions and 9 deletions
--- a/install_minimal/include/AirtimeIni.php
+++ b/install_minimal/include/AirtimeIni.php
@ -68,7 +68,7 @@ class AirtimeIni
        if (!copy(AirtimeInstall::GetAirtimeSrcDir()."/build/airtime.conf", AirtimeIni::CONF_FILE_AIRTIME)){
            echo "Could not copy airtime.conf to /etc/airtime/. Exiting.";
            exit(1);
-        } else if (!self::ChangeFileOwnerGroupModToPypo(AirtimeIni::CONF_FILE_AIRTIME, self::CONF_WWW_DATA_GRP)){
+        } else if (!self::ChangeFileOwnerGroupMod(AirtimeIni::CONF_FILE_AIRTIME, self::CONF_WWW_DATA_GRP)){
            echo "Could not set ownership of api_client.cfg to 'pypo'. Exiting.";
            exit(1);
        }
@ -76,7 +76,7 @@ class AirtimeIni
        if (!copy(__DIR__."/../../python_apps/api_clients/api_client.cfg", AirtimeIni::CONF_FILE_API_CLIENT)){
            echo "Could not copy api_client.cfg to /etc/airtime/. Exiting.";
            exit(1);
-        } else if (!self::ChangeFileOwnerGroupModToPypo(AirtimeIni::CONF_FILE_API_CLIENT, self::CONF_PYPO_GRP)){
+        } else if (!self::ChangeFileOwnerGroupMod(AirtimeIni::CONF_FILE_API_CLIENT, self::CONF_PYPO_GRP)){
            echo "Could not set ownership of api_client.cfg to 'pypo'. Exiting.";
            exit(1);
        }
@ -84,7 +84,7 @@ class AirtimeIni
        if (!copy(__DIR__."/../../python_apps/pypo/pypo.cfg", AirtimeIni::CONF_FILE_PYPO)){
            echo "Could not copy pypo.cfg to /etc/airtime/. Exiting.";
            exit(1);
-        } else if (!self::ChangeFileOwnerGroupModToPypo(AirtimeIni::CONF_FILE_PYPO, self::CONF_PYPO_GRP)){
+        } else if (!self::ChangeFileOwnerGroupMod(AirtimeIni::CONF_FILE_PYPO, self::CONF_PYPO_GRP)){
            echo "Could not set ownership of pypo.cfg to 'pypo'. Exiting.";
            exit(1);
        }
@ -92,7 +92,7 @@ class AirtimeIni
        if (!copy(__DIR__."/../../python_apps/show-recorder/recorder.cfg", AirtimeIni::CONF_FILE_RECORDER)){
            echo "Could not copy recorder.cfg to /etc/airtime/. Exiting.";
            exit(1);
-        } else if (!self::ChangeFileOwnerGroupModToPypo(AirtimeIni::CONF_FILE_RECORDER, self::CONF_PYPO_GRP)){
+        } else if (!self::ChangeFileOwnerGroupMod(AirtimeIni::CONF_FILE_RECORDER, self::CONF_PYPO_GRP)){
            echo "Could not set ownership of recorder.cfg to 'pypo'. Exiting.";
            exit(1);
        }
@ -100,7 +100,7 @@ class AirtimeIni
        if (!copy(__DIR__."/../../python_apps/pypo/liquidsoap_scripts/liquidsoap.cfg", AirtimeIni::CONF_FILE_LIQUIDSOAP)){
            echo "Could not copy liquidsoap.cfg to /etc/airtime/. Exiting.";
            exit(1);
-        } else if (!self::ChangeFileOwnerGroupModToPypo(AirtimeIni::CONF_FILE_LIQUIDSOAP, self::CONF_PYPO_GRP)){
+        } else if (!self::ChangeFileOwnerGroupMod(AirtimeIni::CONF_FILE_LIQUIDSOAP, self::CONF_PYPO_GRP)){
            echo "Could not set ownership of liquidsoap.cfg to 'pypo'. Exiting.";
            exit(1);
        }
@ -108,13 +108,13 @@ class AirtimeIni
        if (!copy(__DIR__."/../../python_apps/media-monitor/media-monitor.cfg", AirtimeIni::CONF_FILE_MEDIAMONITOR)){
            echo "Could not copy media-monitor.cfg to /etc/airtime/. Exiting.";
            exit(1);
-        } else if (!self::ChangeFileOwnerGroupModToPypo(AirtimeIni::CONF_FILE_MEDIAMONITOR, self::CONF_PYPO_GRP)){
+        } else if (!self::ChangeFileOwnerGroupMod(AirtimeIni::CONF_FILE_MEDIAMONITOR, self::CONF_PYPO_GRP)){
            echo "Could not set ownership of media-monitor.cfg to 'pypo'. Exiting.";
            exit(1);
        }
    }
    
-    public static function ChangeFileOwnerGroupModToPypo($filename, $user){
+    public static function ChangeFileOwnerGroupMod($filename, $user){
        return (chown($filename, $user) &&
                chgrp($filename, $user) &&
                chmod($filename, 0640));
--- a/install_minimal/upgrades/airtime-2.0.0/airtime-upgrade.php
+++ b/install_minimal/upgrades/airtime-2.0.0/airtime-upgrade.php
@ -332,6 +332,9 @@ class AirtimeIni200{
    const CONF_FILE_API_CLIENT = "/etc/airtime/api_client.cfg";
    const CONF_FILE_MONIT = "/etc/monit/conf.d/airtime-monit.cfg";

+    const CONF_PYPO_GRP = "pypo";
+    const CONF_WWW_DATA_GRP = "www-data";
+
    /**
     * This function updates an INI style config file.
     *
@ -430,13 +433,49 @@ class AirtimeIni200{
        }
    }

+    /* Re: http://dev.sourcefabric.org/browse/CC-2797
+     * We don't want config files to be world-readable so we
+     * set the strictest permissions possible. */
+    public static function changeConfigFilePermissions(){
+        if (!self::ChangeFileOwnerGroupMod(AirtimeIni200::CONF_FILE_AIRTIME, self::CONF_WWW_DATA_GRP)){
+            echo "Could not set ownership of api_client.cfg to 'pypo'. Exiting.";
+            exit(1);
+        }
+        if (!self::ChangeFileOwnerGroupMod(AirtimeIni200::CONF_FILE_API_CLIENT, self::CONF_PYPO_GRP)){
+            echo "Could not set ownership of api_client.cfg to 'pypo'. Exiting.";
+            exit(1);
+        }
+        if (!self::ChangeFileOwnerGroupMod(AirtimeIni200::CONF_FILE_PYPO, self::CONF_PYPO_GRP)){
+            echo "Could not set ownership of pypo.cfg to 'pypo'. Exiting.";
+            exit(1);
+        }
+        if (!self::ChangeFileOwnerGroupMod(AirtimeIni200::CONF_FILE_RECORDER, self::CONF_PYPO_GRP)){
+            echo "Could not set ownership of recorder.cfg to 'pypo'. Exiting.";
+            exit(1);
+        }
+        if (!self::ChangeFileOwnerGroupMod(AirtimeIni200::CONF_FILE_LIQUIDSOAP, self::CONF_PYPO_GRP)){
+            echo "Could not set ownership of liquidsoap.cfg to 'pypo'. Exiting.";
+            exit(1);
+        }
+        if (!self::ChangeFileOwnerGroupMod(AirtimeIni200::CONF_FILE_MEDIAMONITOR, self::CONF_PYPO_GRP)){
+            echo "Could not set ownership of media-monitor.cfg to 'pypo'. Exiting.";
+            exit(1);
+        }
+    }
+
+    public static function ChangeFileOwnerGroupMod($filename, $user){
+        return (chown($filename, $user) &&
+                chgrp($filename, $user) &&
+                chmod($filename, 0640));
+    }
+
    public static function upgradeConfigFiles(){

        $configFiles = array(AirtimeIni200::CONF_FILE_AIRTIME,
                             AirtimeIni200::CONF_FILE_PYPO,
                             AirtimeIni200::CONF_FILE_RECORDER,
                             AirtimeIni200::CONF_FILE_LIQUIDSOAP,
-                             AirtimeIni200::CONF_FILE_MONIT,
+                             AirtimeIni200::CONF_FILE_MEDIAMONITOR,
                             AirtimeIni200::CONF_FILE_API_CLIENT);

        // Backup the config files
@ -445,7 +484,8 @@ class AirtimeIni200{
            // do not back up monit cfg
            if (file_exists($conf) && $conf != AirtimeIni200::CONF_FILE_MONIT) {
                echo "Backing up $conf to $conf$suffix.bak".PHP_EOL;
-                copy($conf, $conf.$suffix.".bak");
+                //copy($conf, $conf.$suffix.".bak");
+                exec("cp -p $conf $conf$suffix.bak"); //use cli version to preserve file attributes
            }
        }

@ -508,6 +548,7 @@ ConvertToUtc::convert_cc_show_instances();

 // merging/updating config files
 echo "* Updating configFiles\n";
+AirtimeIni200::changeConfigFilePermissions();
 AirtimeIni200::upgradeConfigFiles();

 $values = parse_ini_file(AirtimeIni200::CONF_FILE_AIRTIME, true);