From fc699adadba640164cf28335e1f89ce05b596ee4 Mon Sep 17 00:00:00 2001 From: Luke Shumaker Date: Sun, 5 Feb 2017 02:30:15 -0500 Subject: Have webuser be a compile-time config rather than run-time. --- Makefile | 6 ++++-- parabolaweb-changepassword.real.in | 11 +++++------ parabolaweb-reporead-inotify.in | 5 ++--- parabolaweb-reporead-inotify.service.in | 1 + parabolaweb-reporead-rsync.in | 6 +++--- parabolaweb-reporead-rsync.service.in | 1 + parabolaweb.conf | 3 +-- parabolaweb.ini | 2 +- 8 files changed, 18 insertions(+), 17 deletions(-) diff --git a/Makefile b/Makefile index acb7252..2f647a0 100644 --- a/Makefile +++ b/Makefile @@ -13,6 +13,8 @@ uwsgidir = /etc/uwsgi pkglibexecdir = $(libexecdir)/parabolaweb-utils pkgconffile = $(sysconfdir)/parabolaweb +webuser = parabolaweb + CFLAGS += -std=c99 -Wall -Wextra -Werror -Wno-unused-parameter CPPFLAGS += -DSCRIPT_LOCATION='"$(pkglibexecdir)/parabolaweb-changepassword.real"' @@ -36,8 +38,8 @@ files.sys.all = $(targets) # Pattern rules -%: %.in .var.sbindir .var.pkgconffile - sed -e 's|@sbindir@|$(sbindir)|' -e 's|@pkgconffile@|$(pkgconffile)|' < $< > $@ +%: %.in .var.sbindir .var.pkgconffile .var.webuser + sed $(foreach v,$(patsubst .var.%,%,$(filter .var.%,$^)), -e 's|@$v@|$($v)|' ) < $< > $@ $(DESTDIR)$(sbindir)/%: % install -Dm755 $< $@ diff --git a/parabolaweb-changepassword.real.in b/parabolaweb-changepassword.real.in index 07499e8..78d526f 100644 --- a/parabolaweb-changepassword.real.in +++ b/parabolaweb-changepassword.real.in @@ -1,6 +1,6 @@ #!/bin/bash -e -# Copyright (c) 2014 Luke Shumaker +# Copyright (c) 2014, 2017 Luke Shumaker # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by 
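Review bot: In the `%: %.in` recipe each variable's value is pasted unescaped into a single-quoted shell word and a sed replacement, so a `webuser` (or path) containing `|`, `&`, `\` or `'` changes what is written into the generated scripts. That matters more now that the result ends up in `sudo -u @webuser@` and in the privilege test of parabolaweb-changepassword.real. An empty value is also accepted silently, whereas the run-time `[[ -n "${WEBUSER}" ]]` assertion this commit removes used to catch it. I would validate at parse time next to the new assignment, for example `$(if $(strip $(webuser)),,$(error webuser must not be empty))`, and add a comment that substituted values must not contain sed or shell metacharacters. The expression also has no `g` flag, so only the first placeholder on a line is replaced; the lines visible in this commit carry at most one each.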
@@ -19,16 +19,15 @@ export PATH usage() { printf 'Usage: %s [USERNAME]\n' "${0##*/}" - printf 'A username may only be specified if run as root or WEBUSER.\n' + printf 'A username may only be specified if run as root or @webuser@.\n' } main() { . @pkgconffile@ [[ -e "${WEBDIR}/manage.py" ]] - [[ -n "${WEBUSER}" ]] local REAL_USER=$USER - if ! { [[ $SUID_USER == root ]] || [[ $SUID_USER == "$WEBUSER" ]]; }; then + if ! { [[ $SUID_USER == root ]] || [[ $SUID_USER == @webuser@ ]]; }; then unset SUDO_USER SUDO_UID SUDO_GID SUDO_COMMAND fi @@ -44,7 +43,7 @@ main() { local PERM_OF=${SUID_USER:-$REAL_USER} local username - if [[ $PERM_OF == root ]] || [[ $PERM_OF == "$WEBUSER" ]]; then + if [[ $PERM_OF == root ]] || [[ $PERM_OF == @webuser@ ]]; then if [[ $# -gt 1 ]]; then usage >&2 return 1 @@ -58,7 +57,7 @@ main() { username=$NAME_OF fi - sudo -u "${WEBUSER}" python2 "${WEBDIR}/manage.py" changepassword "${username}" + sudo -u @webuser@ python2 "${WEBDIR}/manage.py" changepassword "${username}" } main "$@" diff --git a/parabolaweb-reporead-inotify.in b/parabolaweb-reporead-inotify.in index 66934ea..c179a67 100644 --- a/parabolaweb-reporead-inotify.in +++ b/parabolaweb-reporead-inotify.in @@ -1,6 +1,6 @@ #!/bin/bash -e -# Copyright (c) 2012-2013 Luke Shumaker +# Copyright (c) 2012-2013, 2017 Luke Shumaker # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -20,5 +20,4 @@ [[ -e "${WEBDIR}/manage.py" ]] [[ $# -eq 0 ]] -sudo -u "${WEBUSER:-$USER}" python2 "${WEBDIR}/manage.py" reporead_inotify \ - "${INOTIFYARGS[@]}" +python2 "${WEBDIR}/manage.py" reporead_inotify "${INOTIFYARGS[@]}" diff --git a/parabolaweb-reporead-inotify.service.in b/parabolaweb-reporead-inotify.service.in index 099db8d..c43ba78 100644 --- a/parabolaweb-reporead-inotify.service.in +++ b/parabolaweb-reporead-inotify.service.in 
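Review bot: The substituted name is unquoted in `[[ $SUID_USER == @webuser@ ]]`, so bash treats the right-hand side as a glob pattern, where the old `"$WEBUSER"` was compared literally. The same applies to the `$PERM_OF` test in the -44,7 hunk, and `sudo -u @webuser@` in the -58,7 hunk is subject to word splitting. These comparisons decide who may change another user's password, so I would keep them literal: `[[ $SUID_USER == '@webuser@' ]]`, `[[ $PERM_OF == '@webuser@' ]]` and `sudo -u '@webuser@' python2 ...`. Once quoted, an empty build-time `webuser` would compare equal to an unset `$SUID_USER`, so the removed `[[ -n "${WEBUSER}" ]]` assertion needs a build-time replacement. The parts of `main` between these hunks are not shown.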
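Review bot: With `sudo -u "${WEBUSER:-$USER}"` removed, the privilege drop depends entirely on `User=@webuser@` in the unit file, so running this script by hand as root now runs `manage.py reporead_inotify` as root. The same holds for the rsync, find and reporead calls in parabolaweb-reporead-rsync.in. The script already states its preconditions as bare `[[ ... ]]` lines under `bash -e`, so I would add one more next to `[[ $# -eq 0 ]]`: `[[ "$(id -un)" == '@webuser@' ]]`. The lines above the first assertion are outside the hunk.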
@@ -5,6 +5,7 @@ Description=ParabolaWeb reporead_inotify daemon [Service] Type=simple +User=@webuser@ ExecStart=@sbindir@/parabolaweb-reporead-inotify [Install] diff --git a/parabolaweb-reporead-rsync.in b/parabolaweb-reporead-rsync.in index f18a412..d71cb2a 100644 --- a/parabolaweb-reporead-rsync.in +++ b/parabolaweb-reporead-rsync.in @@ -20,15 +20,15 @@ [[ -e "${WEBDIR}/manage.py" ]] [[ $# -eq 0 ]] -sudo -u "${WEBUSER:-$USER}" rsync -v --no-motd -mrtlH --no-p \ +rsync -v --no-motd -mrtlH --no-p \ --include='*/' --include='*'.files.tar.gz --exclude='*' \ --delete-after "$RSYNCSRV" "$RSYNCDIR/" r=0 -sudo -u "${WEBUSER:-$USER}" find "$RSYNCDIR" -name '*.files.tar.gz' -not -name '.*' | +find "$RSYNCDIR" -name '*.files.tar.gz' -not -name '.*' | sed -r 's|.*/([^/]+)/[^/]+$|\1 &|' | while read -r arch filename; do echo reporead "$arch" "$filename" - sudo -u "${WEBUSER:-$USER}" python2 "${WEBDIR}/manage.py" reporead "$arch" "$filename" || r=$? + python2 "${WEBDIR}/manage.py" reporead "$arch" "$filename" || r=$? done exit $r diff --git a/parabolaweb-reporead-rsync.service.in b/parabolaweb-reporead-rsync.service.in index dde3287..4b9919a 100644 --- a/parabolaweb-reporead-rsync.service.in +++ b/parabolaweb-reporead-rsync.service.in @@ -5,4 +5,5 @@ Description=ParabolaWeb rsync reporead batch job [Service] Type=oneshot +User=@webuser@ ExecStart=@sbindir@/parabolaweb-reporead-rsync diff --git a/parabolaweb.conf b/parabolaweb.conf index db88bef..2e67f72 100644 --- a/parabolaweb.conf +++ b/parabolaweb.conf @@ -1,6 +1,5 @@ -# If you change `WEBUSER` or `WEBDIR`, you should also change +# If you change `WEBDIR`, you should also change # `/etc/uwsgi/parabolaweb.ini`. -WEBUSER=parabolaweb WEBDIR=/srv/http/www.parabola.nu/web GITURL='git://git.parabola.nu/server/parabolaweb.git#branch=master' diff --git a/parabolaweb.ini b/parabolaweb.ini index d170279..40a80c8 100644 --- a/parabolaweb.ini +++ b/parabolaweb.ini 
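Review bot: Now that the script started by this unit no longer calls sudo, the `[Service]` section could set `NoNewPrivileges=yes` next to `User=@webuser@`, so that nothing the unit starts can regain privileges through setuid binaries. The same applies to parabolaweb-reporead-rsync.service.in. This assumes `manage.py` never needs to elevate, which is not visible in this commit.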
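Review bot: `r` is assigned inside a `while` loop that is the last stage of a pipeline, and bash runs that stage in a subshell unless `lastpipe` is enabled, so the value set by `|| r=$?` never reaches `exit $r` and the script reports success even when `reporead` fails. This predates the commit, but it now determines whether the `Type=oneshot` unit is marked failed, which is the signal an operator would watch. Keeping the loop in the main shell fixes it: end the loop with `done < <(find "$RSYNCDIR" -name '*.files.tar.gz' -not -name '.*' | sed -r "$expr")`, with the existing sed expression held in `expr`, instead of piping into `while`. The start of the script, including its shebang, is outside the hunk.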
@@ -2,7 +2,7 @@ master = true processes = 4 -# If you change `uid` or `wsgi-file`, you should also change +# If you change `wsgi-file`, you should also change # `/etc/conf.d/parabolaweb`. uid = %n -- cgit v1.2.3
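Review bot: The reworded comment no longer mentions `uid`, yet `uid = %n` is still independent of the build-time `webuser`, because parabolaweb.ini is not generated from a `.in` template in this commit. If `%n` expands to the ini file's base name, as I expect, a build with a non-default `webuser` would leave uWSGI and the reporead units running under different accounts. I would keep a pointer in the comment, for example `# uid must match the webuser set in the Makefile at build time.`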