diff --git a/setup/start/sudoers b/setup/start/sudoers index 99e24fa51..cc1fc8c89 100644 --- a/setup/start/sudoers +++ b/setup/start/sudoers @@ -31,8 +31,5 @@ yellowtent ALL=(root) NOPASSWD: /home/yellowtent/box/src/scripts/authorized_keys Defaults!/home/yellowtent/box/src/scripts/node.sh env_keep="HOME BOX_ENV NODE_ENV" yellowtent ALL=(root) NOPASSWD: /home/yellowtent/box/src/scripts/node.sh -Defaults!/home/yellowtent/box/src/scripts/mvlogrotateconfig.sh env_keep="HOME BOX_ENV" -yellowtent ALL=(root) NOPASSWD: /home/yellowtent/box/src/scripts/mvlogrotateconfig.sh - -Defaults!/home/yellowtent/box/src/scripts/rmlogrotateconfig.sh env_keep="HOME BOX_ENV" -yellowtent ALL=(root) NOPASSWD: /home/yellowtent/box/src/scripts/rmlogrotateconfig.sh +Defaults!/home/yellowtent/box/src/scripts/configurelogrotate.sh env_keep="HOME BOX_ENV" +yellowtent ALL=(root) NOPASSWD: /home/yellowtent/box/src/scripts/configurelogrotate.sh diff --git a/src/apptask.js b/src/apptask.js index 4919dc9ac..180bbf4a3 100644 --- a/src/apptask.js +++ b/src/apptask.js @@ -58,8 +58,7 @@ var addons = require('./addons.js'), var COLLECTD_CONFIG_EJS = fs.readFileSync(__dirname + '/collectd.config.ejs', { encoding: 'utf8' }), CONFIGURE_COLLECTD_CMD = path.join(__dirname, 'scripts/configurecollectd.sh'), LOGROTATE_CONFIG_EJS = fs.readFileSync(__dirname + '/logrotate.ejs', { encoding: 'utf8' }), - MV_LOGROTATE_CONFIG_CMD = path.join(__dirname, 'scripts/mvlogrotateconfig.sh'), - RM_LOGROTATE_CONFIG_CMD = path.join(__dirname, 'scripts/rmlogrotateconfig.sh'), + CONFIGURE_LOGROTATE_CMD = path.join(__dirname, 'scripts/configurelogrotate.sh'), RMAPPDIR_CMD = path.join(__dirname, 'scripts/rmappdir.sh'), CREATEAPPDIR_CMD = path.join(__dirname, 'scripts/createappdir.sh'); @@ -186,11 +185,12 @@ function addLogrotateConfig(app, callback) { var runVolume = result.Mounts.find(function (mount) { return mount.Destination === '/run'; }); if (!runVolume) return callback(new Error('App does not have /run mounted')); + // logrotate configs can have arbitrary commands, so the config files must be owned by root var logrotateConf = ejs.render(LOGROTATE_CONFIG_EJS, { volumePath: runVolume.Source }); var tmpFilePath = path.join(os.tmpdir(), app.id + '.logrotate'); fs.writeFile(tmpFilePath, logrotateConf, function (error) { if (error) return callback(error); - shell.sudo('addLogrotateConfig', [ MV_LOGROTATE_CONFIG_CMD, tmpFilePath, app.id ], callback); + shell.sudo('addLogrotateConfig', [ CONFIGURE_LOGROTATE_CMD, 'add', app.id, tmpFilePath ], callback); }); }); } @@ -199,7 +199,7 @@ function removeLogrotateConfig(app, callback) { assert.strictEqual(typeof app, 'object'); assert.strictEqual(typeof callback, 'function'); - shell.sudo('removeLogrotateConfig', [ RM_LOGROTATE_CONFIG_CMD, app.id ], callback); + shell.sudo('removeLogrotateConfig', [ CONFIGURE_LOGROTATE_CMD, 'remove', app.id ], callback); } function verifyManifest(app, callback) { diff --git a/src/scripts/configurelogrotate.sh b/src/scripts/configurelogrotate.sh new file mode 100755 index 000000000..043a442cc --- /dev/null +++ b/src/scripts/configurelogrotate.sh @@ -0,0 +1,40 @@ +#!/bin/bash + +set -eu -o pipefail + +if [[ ${EUID} -ne 0 ]]; then + echo "This script should be run as root." > /dev/stderr + exit 1 +fi + +if [[ $# -eq 0 ]]; then + echo "No arguments supplied" + exit 1 +fi + +if [[ "$1" == "--check" ]]; then + echo "OK" + exit 0 +fi + +cmd="$1" +appid="$2" + +if [[ "${cmd}" == "add" ]]; then + # TODO prevent this script from moving the file from $1 into a random dir with using a relative ../ path + if [[ "${BOX_ENV}" == "cloudron" ]]; then + readonly destination_file_path="${HOME}/platformdata/logrotate.d/${appid}" + else + readonly destination_file_path="${HOME}/.cloudron_test/platformdata/logrotate.d/${appid}" + fi + + mv "${3}" "${destination_file_path}" + chown root:root "${destination_file_path}" +elif [[ "${cmd}" == "remove" ]]; then + if [[ "${BOX_ENV}" == "cloudron" ]]; then + rm -rf "${HOME}/platformdata/logrotate.d/${appid}" + else + rm -rf "${HOME}/.cloudron_test/platformdata/logrotate.d/${appid}" + fi +fi + diff --git a/src/scripts/mvlogrotateconfig.sh b/src/scripts/mvlogrotateconfig.sh deleted file mode 100755 index 0a789b867..000000000 --- a/src/scripts/mvlogrotateconfig.sh +++ /dev/null @@ -1,28 +0,0 @@ -#!/bin/bash - -set -eu -o pipefail - -if [[ ${EUID} -ne 0 ]]; then - echo "This script should be run as root." > /dev/stderr - exit 1 -fi - -if [[ $# -eq 0 ]]; then - echo "No arguments supplied" - exit 1 -fi - -if [[ "$1" == "--check" ]]; then - echo "OK" - exit 0 -fi - -# TODO prevent this script from moving the file from $1 into a random dir with using a relative ../ path -if [[ "${BOX_ENV}" == "cloudron" ]]; then - readonly destination_file_path="${HOME}/platformdata/logrotate.d/$2" -else - readonly destination_file_path="${HOME}/.cloudron_test/platformdata/logrotate.d/$2" -fi - -mv "${1}" "${destination_file_path}" -chown root:root "${destination_file_path}" diff --git a/src/scripts/rmlogrotateconfig.sh b/src/scripts/rmlogrotateconfig.sh deleted file mode 100755 index 8190f9a58..000000000 --- a/src/scripts/rmlogrotateconfig.sh +++ /dev/null @@ -1,24 +0,0 @@ -#!/bin/bash - -set -eu -o pipefail - -if [[ ${EUID} -ne 0 ]]; then - echo "This script should be run as root." > /dev/stderr - exit 1 -fi - -if [[ $# -eq 0 ]]; then - echo "No arguments supplied" - exit 1 -fi - -if [[ "$1" == "--check" ]]; then - echo "OK" - exit 0 -fi - -if [[ "${BOX_ENV}" == "cloudron" ]]; then - rm -rf "${HOME}/platformdata/logrotate.d/$1" -else - rm -rf "${HOME}/.cloudron_test/platformdata/logrotate.d/$1" -fi diff --git a/src/test/checkInstall b/src/test/checkInstall index 6e9bbf035..71026e11e 100755 --- a/src/test/checkInstall +++ b/src/test/checkInstall @@ -18,8 +18,7 @@ scripts=("${SOURCE_DIR}/src/scripts/rmappdir.sh" \ "${SOURCE_DIR}/src/scripts/configurecollectd.sh" \ "${SOURCE_DIR}/src/scripts/authorized_keys.sh" \ "${SOURCE_DIR}/src/scripts/node.sh" \ - "${SOURCE_DIR}/src/scripts/mvlogrotateconfig.sh" \ - "${SOURCE_DIR}/src/scripts/rmlogrotateconfig.sh") + "${SOURCE_DIR}/src/scripts/configurelogrotate.sh") for script in "${scripts[@]}"; do if [[ $(sudo -n "${script}" --check 2>/dev/null) != "OK" ]]; then