Check-in [f4145e1a0c]


Overview
Comment:Improve ACLs and logging on suid-fossil wrapper
SHA1: f4145e1a0c9966a1dee1485d343fdd0c029cd9da
User & Date: rkeene 2020-08-24 21:03:01
Context
2020-08-25
15:40
Run the fossil symlink check-in: 273501fe4e user: rkeene tags: trunk
2020-08-24
21:03
Improve ACLs and logging on suid-fossil wrapper check-in: f4145e1a0c user: rkeene tags: trunk
21:02
Rebuild only users that have repositories check-in: 23227022b4 user: rkeene tags: trunk
Changes

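--- a/scripts/fossil-as-user/suid-fossil
+++ b/scripts/fossil-as-user/suid-fossil
@@ -86,17 +86,22 @@
 		return;
 	}
 
 	unlink($file);
 }
 
 function log_message($message) {
-error_log($message);
+	global $username;
+
+	if (!isset($username)) {
+		$username = "<unknown>";
+	}
+
-	$fd = fopen("/var/tmp/flint-suid-fossil.log", "a+");
+	$fd = fopen("/var/tmp/flint-suid-fossil-" . posix_getuid() . ".log", "a+");
-	fwrite($fd, $message . "\n");
+	fwrite($fd, time() . "/{$username}: " . $message . "\n");
 	fclose($fd);
 }
 
 function exec_log($command) {
 	log_message("Running: {$command}");
 	return(exec($command));
 }
@@ -237,18 +242,18 @@
 		/*
 		 * Ensure that the directory has the appropriate permissions
 		 */
 		mkdir_p($repo_directory);
 
 		putenv("PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin");
 
-		exec_log('setfacl -RP -m u:' . $real_user_id . ':rwx ' . escapeshellarg($repo_directory));
-		exec_log('setfacl   -m d:u:' . $real_user_id . ':rwx ' . escapeshellarg($repo_directory));
-		exec_log('setfacl -RP -m m::rwx  -m u:' . $current_user_id . ':rwx ' . escapeshellarg($repo_directory));
-		exec_log('setfacl   -m d:m::rwx -m d:u:' . $current_user_id . ':rwx ' . escapeshellarg($repo_directory));
+		exec_log('setfacl -RP -m u:' . $real_user_id . ':rwX ' . escapeshellarg($repo_directory));
+		exec_log('setfacl   -m d:u:' . $real_user_id . ':rwX ' . escapeshellarg($repo_directory));
+		exec_log('setfacl -RP -m m::rwX   -m u:' . $current_user_id . ':rwX ' . escapeshellarg($repo_directory));
+		exec_log('setfacl   -m d:m::rwX -m d:u:' . $current_user_id . ':rwX ' . escapeshellarg($repo_directory));
 		exec_log('setfacl -m   u:' . $real_user_id . ':rwx ' . escapeshellarg($home_dir_outside));
 		exec_log('setfacl -m d:u:' . $real_user_id . ':rwx ' . escapeshellarg($home_dir_outside));
 		exec_log('setfacl -m   u:' . $current_user_id . ':rwx ' . escapeshellarg($home_dir_outside));
 		exec_log('setfacl -m d:u:' . $current_user_id . ':rwx ' . escapeshellarg($home_dir_outside));
 	}
 
 	$command = escapeshellarg(dirname(__FILE__) . "/secure-wrap") . " " . escapeshellarg($userid) . " " . escapeshellarg($user_directory) . " " . escapeshellarg($fossil_binary);
@@ -271,14 +276,15 @@
 
 		putenv("PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin");
 
 		exec_log('setfacl -RP -x   u:' . $real_user_id . ' ' . escapeshellarg($repo_directory));
 		exec_log('setfacl -RP -x d:u:' . $real_user_id . ' ' . escapeshellarg($repo_directory));
 		exec_log('setfacl -RP -m   m::rwx   -m u:' . $current_user_id . ':rwx ' . escapeshellarg($repo_directory));
 		exec_log('setfacl -RP -m d:m::rwx -m d:u:' . $current_user_id . ':rwx ' . escapeshellarg($repo_directory));
+		exec_log('setfacl -RP -b ' . escapeshellarg($repo_directory));
 		exec_log('setfacl -RP -x   u:' . $real_user_id . ' ' . escapeshellarg($home_dir_outside));
 		exec_log('setfacl -RP -x d:u:' . $real_user_id . ' ' . escapeshellarg($home_dir_outside));
 		exec_log('setfacl -RP -m   u:' . $current_user_id . ':rwx ' . escapeshellarg($home_dir_outside));
 		exec_log('setfacl -RP -m d:u:' . $current_user_id . ':rwx ' . escapeshellarg($home_dir_outside));
 	}
 
 	$command = escapeshellarg($fossil_binary_real);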
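Review bot: The new log path in log_message() is still a predictable name in world-writable /var/tmp (`"/var/tmp/flint-suid-fossil-" . posix_getuid() . ".log"`), and fopen() with "a+" follows symlinks, so if this wrapper runs with elevated privileges, as the name suid-fossil suggests, the append can be redirected through a pre-existing link at that name. Consider logging under a directory that only the service account can write to (for example `<LOG_DIR>/suid-fossil.log`, a placeholder) or sending the entry to syslog. The result of fopen() is also used unchecked, so a guard such as `if ($fd === false) { return; }` before fwrite() would keep a logging failure from breaking the wrapper. Separately, in the third hunk `setfacl -RP -b` on $repo_directory runs right after the two `-m` calls; since -b removes all extended ACL entries, it appears to discard the entries just set and to make the preceding `-x` calls redundant, so a comment stating the intended final ACL would help.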