[LON-CAPA-cvs] cvs: doc /install/linux install.pl
raeburn
raeburn at source.lon-capa.org
Sat Jul 27 14:39:10 EDT 2024
raeburn Sat Jul 27 18:39:10 2024 EDT
Modified files:
/doc/install/linux install.pl
Log:
- Add new action: "Configure systemd security settings for Apache web server".
to support Fedora 40.
- Check if ProtectHome property is set to readonly or yes for httpd.service,
and if so default for the action is Y
- If action selected then ProtectHome=no will be included in
/etc/systemd/httpd.service.d//override.conf
-------------- next part --------------
Index: doc/install/linux/install.pl
diff -u doc/install/linux/install.pl:1.90 doc/install/linux/install.pl:1.91
--- doc/install/linux/install.pl:1.90 Thu Jun 20 00:29:49 2024
+++ doc/install/linux/install.pl Sat Jul 27 18:39:10 2024
@@ -78,7 +78,7 @@
&mt('Stopping execution.')."\n";
exit;
} else {
- print LOG '$Id: install.pl,v 1.90 2024/06/20 00:29:49 raeburn Exp $'."\n";
+ print LOG '$Id: install.pl,v 1.91 2024/07/27 18:39:10 raeburn Exp $'."\n";
}
#
@@ -595,6 +595,9 @@
my ($sslhostsfilesref,$has_std,$has_int,$rewritenum,$nochgstd,$nochgint);
($recommended{'firewall'},$apachefw) = &chkfirewall($distro);
($recommended{'runlevels'},$tostop,$uses_systemctl) = &chkconfig($distro,$instdir);
+ if ((ref($uses_systemctl) eq 'HASH') && ($uses_systemctl->{'apache'})) {
+ $recommended{'systemd'} = &check_systemd_security($distro);
+ }
$recommended{'apache'} = &chkapache($distro,$instdir);
($recommended{'apachessl'},$sslhostsfilesref,$has_std,$has_int,$rewritenum,
$nochgstd,$nochgint) = &chkapachessl($distro,$instdir,$hostname,$hostip);
@@ -622,14 +625,20 @@
$process = 'mysqld';
$proc_owner = 'mysql';
}
+ if ($1 >= 16) {
+ $use_systemctl = 1;
+ }
} elsif ($distro =~ /^debian(\w+)/) {
if ($1 >= 10) {
$process = 'mysql';
$proc_owner = 'mysql';
- }
+ }
if ($1 >= 11) {
$mysqldaemon = 'mariadb';
}
+ if ($1 >= 9) {
+ $use_systemctl = 1;
+ }
} elsif ($distro =~ /^fedora(\d+)/) {
if ($1 >= 16) {
$process = 'mysqld';
@@ -901,6 +910,26 @@
return (\%needfix,\%tostop,\%uses_systemctl);
}
+sub check_systemd_security {
+ my ($distro) = @_;
+ my $service = 'httpd.service';
+ if ($distro =~ /^(suse|sles|ubuntu|debian)/) {
+ $service = 'apache2.service';
+ }
+ system("systemctl daemon-reload");
+ if (open(PIPE,"systemctl show $service --property=ProtectHome 2>/dev/null |")) {
+ my $protection = <PIPE>;
+ close(PIPE);
+ chomp($protection);
+ if ($protection =~ /^ProtectHome=(read-only|yes)$/i) {
+ return 1;
+ }
+ } else {
+ print &mt('Could not check systemctl configuration for Apache')."\n";
+ }
+ return 0;
+}
+
sub uses_firewalld {
my ($distro) = @_;
my ($inuse,$checkfirewalld,$zone);
@@ -1040,7 +1069,9 @@
my $diffres = <PIPE>;
close(PIPE);
chomp($diffres);
- unless ($diffres) {
+ if ($diffres) {
+ $fixapache = 1;
+ } else {
$fixapache = 0;
}
}
@@ -1904,12 +1935,13 @@
".&mt('3.')." ".&mt('Set-up the MySQL database.')."
".&mt('4.')." ".&mt('Set-up MySQL permissions.')."
".&mt('5.')." ".&mt('Configure Apache web server.')."
-".&mt('6.')." ".&mt('Configure SSL for Apache web server.')."
-".&mt('7.')." ".&mt('Configure start-up of services.')."
-".&mt('8.')." ".&mt('Check firewall settings.')."
-".&mt('9.')." ".&mt('Stop services not used by LON-CAPA,')."
+".&mt('6.')." ".&mt('Configure systemd security settings for Apache web server.')."
+".&mt('7.')." ".&mt('Configure SSL for Apache web server.')."
+".&mt('8.')." ".&mt('Configure start-up of services.')."
+".&mt('9.')." ".&mt('Check firewall settings.')."
+".&mt('10.')." ".&mt('Stop services not used by LON-CAPA,')."
".&mt('i.e., services for a print server: [_1] daemon.',"'cups'")."
-".&mt('10.')." ".&mt('Download LON-CAPA source code in readiness for installation.')."
+".&mt('11.')." ".&mt('Download LON-CAPA source code in readiness for installation.')."
".&mt('Typically, you will run this script only once, when you first install LON-CAPA.')."
@@ -1938,7 +1970,7 @@
chomp($instdir);
my %callsub;
-my @actions = ('wwwuser','pwauth','mysql','mysqlperms','apache',
+my @actions = ('wwwuser','pwauth','mysql','mysqlperms','apache','systemd',
'apachessl','runlevels','firewall','stopsrvcs','download');
my %prompts = &texthash(
wwwuser => "Create the 'www' user?",
@@ -1946,6 +1978,7 @@
mysql => 'Set-up the MySQL database?',
mysqlperms => 'Set-up MySQL permissions?',
apache => 'Configure Apache web server?',
+ systemd => 'Configure systemd security settings for Apache web server?',
apachessl => 'Configure SSL for Apache web server?',
runlevels => 'Set overrides for start-up order of services?',
firewall => 'Configure firewall settings for Apache',
@@ -1988,6 +2021,7 @@
&mt('The following command can be used to install the package (and dependencies):')."\n\n".
$updatecmd."\n\n";
if ($installnow eq '') {
+ print &mt('Stopping execution.')."\n";
exit;
} else {
print &mt('Run command? ~[Y/n~]');
@@ -2155,6 +2189,12 @@
print_and_log(&mt('Skipping configuration of Apache web server.')."\n");
}
+if ($callsub{'systemd'}) {
+ &check_systemd_update($distro);
+} else {
+ print_and_log('Skipping systemd configuration update for web server');
+}
+
if ($callsub{'apachessl'}) {
my $targetdir = '/etc/httpd/conf.d';
if ($distro =~ /^(suse|sles)/) {
@@ -2278,7 +2318,7 @@
'ssh, http')."\n";
} else {
my $version;
- if ($distro =~ /^(redhat|centos)(\d+)/) {
+ if ($distro =~ /^(redhat|centos|rocky|alma)(\d+)/) {
$version = $1;
}
if ($version > 5) {
@@ -2376,6 +2416,10 @@
if ($1 > 12) {
$lc_uses_systemctl = 1;
}
+ } elsif ($distro =~ /^fedora(\d+)$/) {
+ if ($1 > 25) {
+ $lc_uses_systemctl = 1;
+ }
}
if (!-e '/etc/loncapa-release') {
print &mt('If you are now ready to install LON-CAPA, enter the following commands:')."\n\n";
@@ -2683,7 +2727,7 @@
$is_mariadb = 1;
if ((($mysqlversion == 10) && ($mysqlminorversion >= 4)) || ($mysqlversion >= 11)) {
$usescreate = 1;
- } elsif (($mysqlversion == 10) && ($mysqlminorversion >= 2)) {
+ } elsif (($mysqlversion == 10) && ($mysqlminorversion >= 2)) {
$usesauth = 1;
} elsif (($mysqlversion == 5) && ($mysqlminorversion >= 5)) {
$hasauthcol = 1;
@@ -2820,6 +2864,116 @@
return ($version,$minorversion,$subversion,$name);
}
+sub check_systemd_update {
+ my ($distro) = @_;
+ my ($use_systemctl,$service);
+ $service = 'apache2.service';
+ if ($distro =~ /^ubuntu(\w+)/) {
+ if ($1 >= 16) {
+ $use_systemctl = 1;
+ }
+ } elsif ($distro =~ /^debian(\w+)/) {
+ if ($1 >= 9) {
+ $use_systemctl = 1;
+ }
+ } elsif ($distro =~ /^fedora(\d+)/) {
+ $service = 'httpd.service';
+ if ($1 >= 16) {
+ $use_systemctl = 1;
+ }
+ } elsif ($distro =~ /^(?:centos|rhes|scientific|oracle|rocky|alma)(\d+)/) {
+ $service = 'httpd.service';
+ if ($1 >= 7) {
+ $use_systemctl = 1;
+ }
+ } elsif ($distro =~ /^sles(\d+)/) {
+ if ($1 >= 12) {
+ $use_systemctl = 1;
+ }
+ } elsif ($distro =~ /^suse(\d+)/) {
+ if ($1 >= 13) {
+ $use_systemctl = 1;
+ }
+ }
+ if ($use_systemctl) {
+ my $needsupdate = &check_systemd_security($distro);
+ if ($needsupdate) {
+ if (!-d '/etc/systemd/system/'.$service.'.d') {
+ mkdir '/etc/systemd/system/'.$service.'.d', 0755;
+ }
+ if (-d '/etc/systemd/system/'.$service.'.d') {
+ if (-e '/etc/systemd/system/'.$service.'.d/override.conf') {
+ if (open(my $fh,'<','/etc/systemd/system/'.$service.'.d/override.conf')) {
+ my ($inservice,$addservice,$protectoff,$linenum,$change, at lines);
+ while (my $entry = <$fh>) {
+ $linenum ++;
+ chomp($entry);
+ if ($entry eq '[Service]') {
+ if (!$protectoff) {
+ $inservice = $linenum;
+ push(@lines,$entry);
+ } else {
+ $addservice = 1;
+ next;
+ }
+ }
+ if ($entry =~ /^ProtectHome\s*=\s*([\w-]+)\s*$/) {
+ my $value = $1;
+ if ($protectoff) {
+ next;
+ if (lc($value) eq 'no') {
+ $protectoff = $linenum;
+ push(@lines,$entry);
+ } else {
+ if ($protectoff) {
+ next;
+ } else {
+ push(@lines,'ProtectHome=no');
+ $protectoff = $linenum;
+ $change = $linenum;
+ }
+ }
+ }
+ }
+ }
+ close($fh);
+ if ($addservice || $change || !$protectoff) {
+ if (open(my $fh,'>','/etc/systemd/system/'.$service.'.d/override.conf')) {
+ if ($addservice) {
+ print $fh "[Service]\n";
+ }
+ foreach my $entry (@lines) {
+ print $fh "$entry\n";
+ }
+ close($fh);
+ print_and_log('Updated /etc/systemd/system/'.$service.'.d/override.conf');
+ } else {
+ print_and_log('Could not open /etc/systemd/system/'.$service.'.d/override.conf for writing.');
+ }
+ } else {
+ print_and_log('No change needed in /etc/systemd/system/'.$service.'.d/override.conf');
+ }
+ } else {
+ print_and_log('Could not open /etc/systemd/system/'.$service.'.d/override.conf for reading.');
+ }
+ } else {
+ if (open(my $fh,'>','/etc/systemd/system/'.$service.'.d/override.conf')) {
+ print $fh '[Service]'."\n".'ProtectHome=no'."\n";
+ close($fh);
+ print_and_log('Created /etc/systemd/system/'.$service.'.d/override.conf');
+ }
+ }
+ } else {
+ print_and_log('No /etc/systemd/system/'.$service.'.d directory exists and creating one failed,');
+ }
+ } else {
+ print_and_log('No update needed to systemd security settings for Apache web server.');
+ }
+ } else {
+ print_and_log('No update needed to systemd, as this Linux distro does not use systemctl');
+ }
+}
+
###########################################################
##
## RHEL/CentOS/Fedora/Scientific Linux
More information about the LON-CAPA-cvs
mailing list