[LON-CAPA-cvs] cvs: doc /loncapafiles systemd_config_check.piml
raeburn
raeburn at source.lon-capa.org
Wed Nov 27 11:30:09 EST 2024
raeburn Wed Nov 27 16:30:09 2024 EDT
Modified files:
/doc/loncapafiles systemd_config_check.piml
Log:
- Support Fedora 40 and 41
- Check if the RestrictSUIDSGID property is set to yes for httpd.service;
if so, include RestrictSUIDSGID=no in override.conf
- If /etc/systemd/httpd.service.d/override.conf already exists, change
what needs to be changed and preserve the rest.
Index: doc/loncapafiles/systemd_config_check.piml
diff -u doc/loncapafiles/systemd_config_check.piml:1.1 doc/loncapafiles/systemd_config_check.piml:1.2
--- doc/loncapafiles/systemd_config_check.piml:1.1 Sun Jul 28 19:40:59 2024
+++ doc/loncapafiles/systemd_config_check.piml Wed Nov 27 16:30:09 2024
@@ -2,7 +2,7 @@
"http://lpml.sourceforge.net/DTD/piml.dtd">
<!-- systemd_config_check.piml -->
-<!-- $Id: systemd_config_check.piml,v 1.1 2024/07/28 19:40:59 raeburn Exp $ -->
+<!-- $Id: systemd_config_check.piml,v 1.2 2024/11/27 16:30:09 raeburn Exp $ -->
<!--
@@ -66,81 +66,155 @@
if ($use_systemctl) {
system('systemctl daemon-reload');
- if (open(PIPE,"systemctl show $service --property=ProtectHome 2>/dev/null |")) {
- my $protection = <PIPE>;
+ if (open(PIPE,"systemctl show $service --property=ProtectHome --property=RestrictSUIDSGID 2>/dev/null |")) {
+ my ($protecthome,$suidsgid);
+ while (my $line =<PIPE>) {
+ chomp($line);
+ if ($line =~ /^ProtectHome=(read-only|yes)$/i) {
+ $protecthome = 1;
+ } elsif ($line =~ /^RestrictSUIDSGID=yes$/i) {
+ $suidsgid = 1;
+ }
+ }
close(PIPE);
- chomp($protection);
- if ($protection =~ /^ProtectHome=(read-only|yes)$/i) {
+ if ($protecthome || $suidsgid) {
if (!-d '/etc/systemd/system/'.$service.'.d') {
mkdir '/etc/systemd/system/'.$service.'.d', 0755;
}
if (-d '/etc/systemd/system/'.$service.'.d') {
if (-e '/etc/systemd/system/'.$service.'.d/override.conf') {
if (open(my $fh,'<','/etc/systemd/system/'.$service.'.d/override.conf')) {
- my ($inservice,$addservice,$protectoff,$linenum,$change, at lines);
+ my ($category,$addservice,$needs_update,$linenum,%is_no,%lines,
+ @move, at nocat, at ordered);
+ $linenum = 0;
while (my $entry = <$fh>) {
$linenum ++;
chomp($entry);
- if ($entry eq '[Service]') {
- if (!$protectoff) {
- $inservice = $linenum;
- push(@lines,$entry);
+ if ($entry =~ /^\s*\[([^\]]+)\]\s*$/) {
+ $category = $1;
+ if ($category =~ /^Service$/i) {
+ unless (grep(/^Service$/, at ordered)) {
+ push(@ordered,'Service');
+ }
} else {
- $addservice = 1;
- next;
+ unless (grep(/^\Q$category\E$/, at ordered)) {
+ push(@ordered,$category);
+ }
}
- }
- if ($entry =~ /^ProtectHome\s*=\s*([\w-]+)\s*$/) {
- my $value = $1;
- if ($protectoff) {
- next;
- if (lc($value) eq 'no') {
- $protectoff = $linenum;
- push(@lines,$entry);
+ } elsif ($entry =~ /^(ProtectHome|RestrictSUIDSGID)\s*=\s*([\w-]+)\s*$/) {
+ my ($key,$value) = ($1,$2);
+ next if ($is_no{$key});
+ if (lc($value) eq 'no') {
+ if ($category =~ /^Service$/i) {
+ push(@{$lines{'Service'}},$entry);
} else {
- if ($protectoff) {
- next;
- } else {
- push(@lines,'ProtectHome=no');
- $protectoff = $linenum;
- $change = $linenum;
- }
+ push(@move,$entry);
+ $needs_update = 1;
}
+ } else {
+ my $offstr = $key.'=no';
+ if ($category =~ /^Service$/i) {
+ push(@{$lines{'Service'}},$offstr);
+ } else {
+ push(@move,$offstr);
+ }
+ $needs_update = 1;
+ }
+ $is_no{$key} = $linenum;
+ } else {
+ next if ($entry =~ /^\s*$/);
+ if ($category =~ /^Service$/i) {
+ push(@{$lines{'Service'}},$entry);
+ } elsif ($category ne '') {
+ push(@{$lines{$category}},$entry);
+ } else {
+ push(@nocat,$entry);
}
}
}
close($fh);
- if ($addservice || $change || !$protectoff) {
+ unless (grep(/^Service$/, at ordered)) {
+ $addservice = 1;
+ unshift(@ordered,'Service');
+ }
+ foreach my $item ('ProtectHome','RestrictSUIDSGID') {
+ unless (exists($is_no{$item})) {
+ push(@{$lines{'Service'}},$item.'=no');
+ $needs_update = 1;
+ }
+ }
+ if ($addservice || $needs_update) {
if (open(my $fh,'>','/etc/systemd/system/'.$service.'.d/override.conf')) {
- if ($addservice) {
- print $fh "[Service]\n";
+ if (@ordered) {
+ foreach my $category (@ordered) {
+ print $fh "[$category]\n";
+ if (ref($lines{$category}) eq 'ARRAY') {
+ foreach my $item (@{$lines{$category}}) {
+ print $fh "$item\n";
+ }
+ }
+ if ($category eq 'Service') {
+ if (@move) {
+ foreach my $item (@move) {
+ if ($item =~ /^(ProtectHome|RestrictSUIDSGID)\s*=\s*no\s*$/i) {
+ my $key = $1;
+ unless (grep/^$key\s*=\s*no\s*$/i,@{$lines{$category}}) {
+ print $fh "$item\n";
+ }
+ } else {
+ print $fh "$item\n";
+ }
+ }
+ }
+ }
+ print $fh "\n";
+ }
}
- foreach my $entry (@lines) {
- print $fh "$entry\n";
+ if (@nocat) {
+ foreach my $item (@nocat) {
+ print $fh "$item\n";
+ }
}
close($fh);
print 'Updated /etc/systemd/system/'.$service.'.d/override.conf'."\n";
system('systemctl daemon-reload');
} else {
- print '**** ERROR: Could not open /etc/systemd/system/'.$service.'.d/override.conf to write ProtectHome=no.'."\n".
- 'LON-CAPA web interface will not be usable.'."\n";
+ if ($protecthome) {
+ print '**** ERROR: Could not open /etc/systemd/system/'.$service.'.d/override.conf to write ProtectHome=no.'."\n".
+ 'LON-CAPA web interface will not be usable.'."\n";
+ }
+ if ($suidsgid) {
+ print '**** ERROR: Could not open /etc/systemd/system/'.$service.'.d/override.conf to write RestrictSUIDSGID=no.'."\n".
+ 'Creation of sub-directories in Authoring Space will not be possible from the web interface.'."\n";
+ }
}
}
}
} else {
if (open(my $fh,'>','/etc/systemd/system/'.$service.'.d/override.conf')) {
- print $fh '[Service]'."\n".'ProtectHome=no'."\n";
+ print $fh '[Service]'."\n".'ProtectHome=no'."\n".'RestrictSUIDSGID=no'."\n";
close($fh);
print 'Created /etc/systemd/system/'.$service.'.d/override.conf'."\n";
system('systemctl daemon-reload');
} else {
- print '**** ERROR: Could not open /etc/systemd/system/'.$service.'.d/override.conf to write ProtectHome=no.'."\n".
- 'LON-CAPA web interface will not be usable.'."\n";
+ if ($protecthome) {
+ print '**** ERROR: Could not open /etc/systemd/system/'.$service.'.d/override.conf to write ProtectHome=no.'."\n".
+ 'LON-CAPA web interface will not be usable.'."\n";
+ }
+ if ($suidsgid) {
+ print '**** ERROR: Could not open /etc/systemd/system/'.$service.'.d/override.conf to write RestrictSUIDSGID=no.'."\n".
+ 'Creation of sub-directories in Authoring Space will not be possible from the web interface.'."\n";
+ }
}
}
} else {
- print '**** ERROR: No /etc/systemd/system/'.$service.'.d directory exists and creating one failed.'."\n".
- 'LON-CAPA web interface will not be usable.'."\n";
+ print '**** ERROR: No /etc/systemd/system/'.$service.'.d directory exists and creating one failed.'."\n";
+ if ($protecthome) {
+ print 'LON-CAPA web interface will not be usable.'."\n";
+ }
+ if ($suidsgid) {
+ print 'Creation of sub-directories in Authoring Space will not be possible from the web interface.'."\n";
+ }
}
}
} else {
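Review bot: The new ProtectHome test `if ($line =~ /^ProtectHome=(read-only|yes)$/i)` misses `tmpfs`, which systemd also accepts for ProtectHome= and which hides /home from the service just as the other two values do, so a unit hardened that way is left unpatched; `if ($line =~ /^ProtectHome=(read-only|yes|tmpfs)$/i) {` covers it. Separately, the `foreach my $item ('ProtectHome','RestrictSUIDSGID')` loop and the fresh-file `print $fh '[Service]'."\n".'ProtectHome=no'."\n".'RestrictSUIDSGID=no'."\n";` write both relaxations whenever either property was detected, so an override created because of ProtectHome alone also switches off RestrictSUIDSGID; iterating over the detected keys only, e.g. `foreach my $item (($protecthome ? 'ProtectHome' : ()), ($suidsgid ? 'RestrictSUIDSGID' : ()))`, keeps the drop-in to the sandboxing that actually blocks LON-CAPA. The `open(PIPE,"systemctl show $service ... 2>/dev/null |")` line still runs the command through a shell with `$service` interpolated and a bareword handle; since this runs as root, a list-form `open(my $pipe, '-|', 'systemctl', 'show', $service, '--property=ProtectHome', '--property=RestrictSUIDSGID')` would avoid the shell if `$service` ever comes from configuration, with stderr silenced in Perl instead. The ` at ` in `grep(/^Service$/, at ordered)` looks like the list archive's address mangling of `@ordered` rather than source text, but is worth confirming against the checked-in file. The `if ($use_systemctl)` / `else` pair enclosing this hunk continues past its last line.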