#!/bin/bash # Copyright: 2023 Virtuozzo International GmbH # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # http://www.apache.org/licenses/LICENSE-2.0 # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. [ -n "${EXTPERMLIB_VERSION:-}" ] && return 0; EXTPERMLIB_VERSION="0.1"; EXTEND_LIST_FILE="/etc/jelastic/extendperm.conf"; _SSH_ACCESS_GROUP="ssh-access"; function ExtendPerm(){ $PROGRAM 'setfacl'; dirp="g:$_SSH_ACCESS_GROUP:xwr" filep="g:$_SSH_ACCESS_GROUP:wr" [ $UID -eq 0 -a -f /etc/sudoers.d/jelastic ] && { set +f; sudo chmod 440 /etc/sudoers.d/* >>$JEM_CALLS_LOG 2>&1; } if [ -f "$EXTEND_LIST_FILE" ] ; then FLIST=$($GREP -E "${COMPUTE_TYPE}|common" "$EXTEND_LIST_FILE"| $AWK '{print $2";"}' ) [ -f /etc/jelastic/redeploy.conf ] && $SETFACL -m $filep /etc/jelastic/redeploy.conf >>$JEM_CALLS_LOG 2>&1; [ -f /etc/autofs.conf ] && $SETFACL -m $filep /etc/autofs.conf >>$JEM_CALLS_LOG 2>&1; [ -f /etc/autofs.jelastic ] && $SETFACL -m $filep /etc/autofs.jelastic >>$JEM_CALLS_LOG 2>&1; [ -f /etc/jelastic/timeouts.conf ] && $SETFACL -m $filep /etc/jelastic/timeouts.conf >>$JEM_CALLS_LOG 2>&1; [ -d /var/cache/downloads/ ] && $SETFACL -Rm $dirp,d:${dirp},d:u::xwr "/var/cache/downloads/" >>$JEM_CALLS_LOG 2>&1; [ -d /var/lib/jelastic/hooks/ ] && $SETFACL -Rm $dirp,d:${dirp},d:u::xwr "/var/lib/jelastic/hooks/" >>$JEM_CALLS_LOG 2>&1; [ -d /var/lib/jelastic/overrides/ ] && $SETFACL -Rm $dirp,d:${dirp},d:u::xwr "/var/lib/jelastic/overrides/" >>$JEM_CALLS_LOG 2>&1; [ -d /var/lib/jelastic/customizations/ ] && $SETFACL -Rm $dirp,d:${dirp},d:u::xwr "/var/lib/jelastic/customizations/" >>$JEM_CALLS_LOG 2>&1; [ -d /var/run/screen/ ] && chmod 775 /var/run/screen/ >>$JEM_CALLS_LOG 2>&1; [ -f /etc/rc.d/rc.local ] && $SETFACL -m $filep /etc/rc.d/rc.local >>$JEM_CALLS_LOG 2>&1; [ -d /etc/nftables/ ] && $SETFACL -m $dirp,d:${dirp},d:u::xwr /etc/nftables >>$JEM_CALLS_LOG 2>&1; [ -f /etc/nftables/platform-defined.nft ] && { $SETFACL -b /etc/nftables/platform-defined.nft >>$JEM_CALLS_LOG 2>&1; chmod 600 /etc/nftables/platform-defined.nft >>$JEM_CALLS_LOG 2>&1; } [ -f /etc/nftables/user-defined.nft ] && $SETFACL -m $filep /etc/nftables/user-defined.nft >>$JEM_CALLS_LOG 2>&1; [ -f /etc/nftables/container-defined.nft ] && $SETFACL -m $filep /etc/nftables/container-defined.nft >>$JEM_CALLS_LOG 2>&1; if [ -x "$SETFACL" ] ; then $SETFACL -m $dirp /var/spool/cron >>$JEM_CALLS_LOG 2>&1; for fl in ${FLIST//;/ } do if [ -f "$fl" ] ; then $SETFACL -m $filep "$fl" >>$JEM_CALLS_LOG 2>&1; elif [ -d "$fl" ] ; then $SETFACL -Rm $dirp,d:${dirp},d:u::xwr "$fl/" >>$JEM_CALLS_LOG 2>&1; fi done else log "No necessary tools: setfacl - $SETFACL" ; fi return 0; fi } function fixModeBits(){ [[ "$UID" == '0' ]] || return 0 local mode item permissions items_755=( '/etc' '/etc/jelastic' '/etc/logrotate.d' '/etc/rc.d' '/etc/rc.d/init.d' '/etc/security' '/etc/sudoers.d' '/etc/sysconfig' \ '/etc/systemd' '/etc/systemd/system' '/etc/vsftpd' '/usr' '/usr/lib/systemd' '/usr/local' '/usr/local/bin' '/usr/local/sbin' '/var/' '/var/lib' ) items_555=('/boot/' '/usr/lib') items_644=('/etc/security/limits.conf' '/etc/mail/access.db' '/etc/mail/domaintable.db' '/etc/mail/mailertable.db' '/etc/mail/virtusertable.db') items_600=('/var/spool/anacron/cron.daily' '/var/spool/anacron/cron.monthly' '/var/spool/anacron/cron.weekly' ) permissions=('755' '555' '644' '600') for mode in ${permissions[*]}; do for item in $(eval echo \${items_$mode[@]}); do [ -e "$item" ] && chmod $mode $item done done [ -e /usr/bin/ping ] && setcap 'cap_net_admin,cap_net_raw+p' /usr/bin/ping [ -e /usr/sbin/clockdiff ] && setcap 'cap_net_raw+p' /usr/sbin/clockdiff [ -e /usr/bin/newgidmap ] && setcap 'cap_setgid+ep' /usr/bin/newgidmap [ -e /usr/bin/newuidmap ] && setcap 'cap_setuid+ep' /usr/bin/newuidmap [ -e /usr/sbin/suexec ] && setcap 'cap_setgid,cap_setuid+ep' /usr/sbin/suexec return 0; }