[LON-CAPA-cvs] cvs: doc /install/linux install.pl
raeburn
raeburn at source.lon-capa.org
Tue Nov 26 18:54:22 EST 2024
raeburn Tue Nov 26 23:54:22 2024 EDT
Modified files:
/doc/install/linux install.pl
Log:
- "Configure systemd security settings for Apache web server" for Fedora >= 40
- Check if RestrictSUIDSGID property is set to yes for httpd.service:
if so, default for action is Y.
- If action selected then RestrictSUIDSGID=no will be included in
/etc/systemd/httpd.service.d//override.conf
Index: doc/install/linux/install.pl
diff -u doc/install/linux/install.pl:1.96 doc/install/linux/install.pl:1.97
--- doc/install/linux/install.pl:1.96 Tue Nov 26 22:08:36 2024
+++ doc/install/linux/install.pl Tue Nov 26 23:54:22 2024
@@ -78,7 +78,7 @@
&mt('Stopping execution.')."\n";
exit;
} else {
- print LOG '$Id: install.pl,v 1.96 2024/11/26 22:08:36 raeburn Exp $'."\n";
+ print LOG '$Id: install.pl,v 1.97 2024/11/26 23:54:22 raeburn Exp $'."\n";
}
#
@@ -988,11 +988,21 @@
$service = 'apache2.service';
}
system("systemctl daemon-reload");
- if (open(PIPE,"systemctl show $service --property=ProtectHome 2>/dev/null |")) {
- my $protection = <PIPE>;
+ if (open(PIPE,"systemctl show $service --property=ProtectHome --property=RestrictSUIDSGID 2>/dev/null |")) {
+ my ($protecthome,$suidsgid);
+ while (my $line = <PIPE>) {
+ chomp($line);
+ if ($line =~ /^ProtectHome=(read-only|yes)$/i) {
+ $protecthome = 1;
+ } elsif ($line =~ /^RestrictSUIDSGID=yes$/i) {
+ $suidsgid = 1;
+ }
+ }
close(PIPE);
- chomp($protection);
- if ($protection =~ /^ProtectHome=(read-only|yes)$/i) {
+ if ($protecthome) {
+ return 1;
+ }
+ if ($suidsgid) {
return 1;
}
} else {
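Review bot: The new `if ($line =~ /^ProtectHome=(read-only|yes)$/i)` test still misses `tmpfs`, which systemd also accepts for ProtectHome= and which hides /home just as `yes` does, so a unit hardened that way never gets the override offered; widening it to `/^ProtectHome=(read-only|yes|tmpfs)$/i` closes that gap. The two consecutive `if (...) { return 1; }` blocks on $protecthome and $suidsgid collapse to one `return 1 if ($protecthome || $suidsgid);`. Because the sub now answers 1 for either property, a caller can no longer tell which hardening setting triggered it; returning the names found, or at least a header comment saying the return is only a yes/no for "an override is needed", would make that explicit. The enclosing sub starts and ends outside the hunk.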
@@ -2979,8 +2989,8 @@
if (-d '/etc/systemd/system/'.$service.'.d') {
if (-e '/etc/systemd/system/'.$service.'.d/override.conf') {
if (open(my $fh,'<','/etc/systemd/system/'.$service.'.d/override.conf')) {
- my ($category,$addservice,$protectoff,$linenum,$change,
- %lines, at move, at nocat, at ordered);
+ my ($category,$addservice,$protectoff,$changeprot,$suidsgidok,$changesug,
+ $linenum,%lines, at move, at nocat, at ordered);
$linenum = 0;
while (my $entry = <$fh>) {
$linenum ++;
@@ -3000,7 +3010,7 @@
push(@{$lines{'Service'}},$entry);
} else {
push(@move,$entry);
- $change = $linenum;
+ $changeprot = $linenum;
}
} else {
if ($category =~ /^Service$/i) {
@@ -3008,9 +3018,28 @@
} else {
push(@move,'ProtectHome=no');
}
- $change = $linenum;
+ $changeprot = $linenum;
}
$protectoff = $linenum;
+ } elsif ($entry =~ /^RestrictSUIDSGID\s*=\s*([\w-]+)\s*$/) {
+ my $value = $1;
+ next if ($suidsgidok);
+ if (lc($value) eq 'no') {
+ if ($category =~ /^Service$/i) {
+ push(@{$lines{'Service'}},$entry);
+ } else {
+ push(@move,$entry);
+ $changesug = $linenum;
+ }
+ } else {
+ if ($category =~ /^Service$/i) {
+ push(@{$lines{'Service'}},'RestrictSUIDSGID=no');
+ } else {
+ push(@move,'RestrictSUIDSGID=no');
+ }
+ $changesug = $linenum;
+ }
+ $suidsgidok = $linenum;
} else {
next if ($entry =~ /^\s*$/);
if ($category =~ /^Service$/i) {
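Review bot: `if (lc($value) eq 'no')` on the new RestrictSUIDSGID branch treats only the literal `no` as already-disabled, but systemd boolean directives also accept `false`, `off` and `0`, so an existing `RestrictSUIDSGID=false` line is kept and a second `RestrictSUIDSGID=no` is appended after it, and the later output-side dedupe (`grep/^RestrictSUIDSGID\s*=\s*no\s*$/i`) only catches the `no` spelling. Matching the aliases, e.g. `if ($value =~ /^(?:no|false|off|0)$/i)`, avoids the duplicate line; the ProtectHome branch above presumably has the same limitation if it uses the same equality test. `$suidsgidok` is set to the line number whenever the directive is seen, whatever its value, so a name such as `$suidsgidseen` would read more accurately. The enclosing while loop and sub start and end outside the hunk.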
@@ -3030,7 +3059,10 @@
if (!$protectoff) {
push(@{$lines{'Service'}},'ProtectHome=no');
}
- if ($addservice || $change || !$protectoff) {
+ if (!$suidsgidok) {
+ push(@{$lines{'Service'}},'RestrictSUIDSGID=no');
+ }
+ if ($addservice || $changeprot || !$protectoff || $changesug || !$suidsgidok) {
if (open(my $fh,'>','/etc/systemd/system/'.$service.'.d/override.conf')) {
if (@ordered) {
foreach my $category (@ordered) {
@@ -3047,6 +3079,10 @@
unless (grep/^ProtectHome\s*=\s*no\s*$/i,@{$lines{$category}}) {
print $fh "$item\n";
}
+ } elsif ($item =~ /^RestrictSUIDSGID\s*=\s*no\s*$/i) {
+ unless (grep/^RestrictSUIDSGID\s*=\s*no\s*$/i,@{$lines{$category}}) {
+ print $fh "$item\n";
+ }
} else {
print $fh "$item\n";
}
@@ -3075,7 +3111,7 @@
}
} else {
if (open(my $fh,'>','/etc/systemd/system/'.$service.'.d/override.conf')) {
- print $fh '[Service]'."\n".'ProtectHome=no'."\n";
+ print $fh '[Service]'."\n".'ProtectHome=no'."\n".'RestrictSUIDSGID=no'."\n";
close($fh);
print_and_log('Created /etc/systemd/system/'.$service.'.d/override.conf');
system('systemctl daemon-reload');
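Review bot: The new-file branch writes `RestrictSUIDSGID=no` unconditionally next to `ProtectHome=no`, so a host whose unit only had ProtectHome set also loses the SUID/SGID restriction it never needed to lose, and the detection sub earlier in this patch returns 1 for either property without saying which. Passing the detected property names down and emitting each `=no` line only for a property that was actually reported as set keeps the override to the minimum relaxation. A one-line comment above the `print $fh` naming which LON-CAPA component needs setuid/setgid execution under Apache would also record why this hardening is being switched off. The enclosing if/else starts outside the hunk.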