From 811dc1e5e566b76e8448fd1dcf156c8f2d56427a Mon Sep 17 00:00:00 2001
From: Clinton Ebadi
Date: Sat, 4 Oct 2014 19:00:23 -0400
Subject: [PATCH] Run domtool as hcoop.daemon instead of hcoop

Previous releases inadvertently took advantage of a weakness in domtool's afs acls to access the hcoop key when interacting with domtool. Now that it has been fixed, a dummy domtool user `hcoop.daemon' with no permissions exists so that it can authenticate to domtool and perform the simple queries required by the portal.

We still have to set DOMTOOL_USER internally because suexec scrubs the environment and using mod_env to set it does not work.
---
 aptquery.sml | 4 ++--
 domtool.sml | 2 +-
 sec.sml | 6 +++---
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/aptquery.sml b/aptquery.sml
index d7fc8cc..7264c80 100644
--- a/aptquery.sml
+++ b/aptquery.sml
@@ -14,7 +14,7 @@ fun query {node, pkg = name} =
 else raise Fail "Invalid package name"
- val proc = Unix.executeInEnv ("/usr/local/bin/domtool-admin", ["package-exists", Init.nodeName node, name], ["DOMTOOL_USER=hcoop"])
+ val proc = Unix.executeInEnv ("/usr/local/bin/domtool-admin", ["package-exists", Init.nodeName node, name], ["DOMTOOL_USER=hcoop.daemon"])
 val inf = Unix.textInstreamOf proc
 fun loop (section, descr) =
@@ -33,7 +33,7 @@ fun query {node, pkg = name} =
 let
 val _ = Unix.reap proc
- val installed = OS.Process.isSuccess (OS.Process.system ("DOMTOOL_USER=hcoop /usr/local/bin/domtool-admin package " ^ Init.nodeName node ^ " " ^ name ^ " >/dev/null 2>/dev/null"))
+ val installed = OS.Process.isSuccess (OS.Process.system ("DOMTOOL_USER=hcoop.daemon /usr/local/bin/domtool-admin package " ^ Init.nodeName node ^ " " ^ name ^ " >/dev/null 2>/dev/null"))
 in
 SOME {name = name, section = section, descr = descr, installed = installed}
 end
diff --git a/domtool.sml b/domtool.sml
index 6558774..138daee 100644
--- a/domtool.sml
+++ b/domtool.sml
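Review bot: The second `domtool-admin` call in this file still runs through `/bin/sh` with `Init.nodeName node` and `name` spliced into the command string, while the first hunk already shows the argv form `Unix.executeInEnv (...)` that needs no shell at all. The `raise Fail "Invalid package name"` line suggests `name` is validated, but the check itself is outside the hunk, and `Init.nodeName node` presumably comes from a fixed table though that is not visible here, so the shell path is an avoidable injection surface. Because `OS.Process.isSuccess` over a `>/dev/null 2>/dev/null` command also folds a failed exec or a domtool authentication error for the new `hcoop.daemon` identity into `installed = false`, a misconfigured grant for that user would show every package as not installed without any log trace. Suggested replacement for the `installed` binding: `val proc' = Unix.executeInEnv ("/usr/local/bin/domtool-admin", ["package", Init.nodeName node, name], ["DOMTOOL_USER=hcoop.daemon"])` followed by `val installed = OS.Process.isSuccess (Unix.reap proc')`, closing or draining the child's streams first so a verbose child cannot block on the pipe. `query`'s definition starts before the first hunk.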
@@ -2,7 +2,7 @@ structure Domtool :> DOMTOOL = struct
 fun perms class user =
 let
- val proc = Unix.execute ("/bin/sh", ["-c", "DOMTOOL_USER=hcoop /usr/local/bin/domtool-admin perms " ^ user])
+ val proc = Unix.execute ("/bin/sh", ["-c", "DOMTOOL_USER=hcoop.daemon /usr/local/bin/domtool-admin perms " ^ user])
 val inf = Unix.textInstreamOf proc
 fun loop () =
diff --git a/sec.sml b/sec.sml
index 2a161f0..2d53ef3 100644
--- a/sec.sml
+++ b/sec.sml
@@ -45,7 +45,7 @@ fun socketPerms {node, uname} =
 let
 val proc = Unix.execute ("/bin/sh", ["-c",
- "DOMTOOL_USER=hcoop /usr/local/bin/domtool-admin sockperm "
+ "DOMTOOL_USER=hcoop.daemon /usr/local/bin/domtool-admin sockperm "
 ^ Init.nodeName node ^ " " ^ uname])
 val inf = Unix.textInstreamOf proc
@@ -65,7 +65,7 @@ fun socketPerms {node, uname} =
 fun checkIt cmd {node, uname} =
 OS.Process.isSuccess (OS.Process.system
- ("DOMTOOL_USER=hcoop /usr/local/bin/domtool-admin "
+ ("DOMTOOL_USER=hcoop.daemon /usr/local/bin/domtool-admin "
 ^ cmd ^ " " ^ Init.nodeName node ^ " " ^ uname ^ " >/dev/null 2>/dev/null"))
 val isTpe = checkIt "tpe"
@@ -76,7 +76,7 @@ fun findFirewallRules {node, uname} =
 let
 val proc = Unix.execute ("/bin/sh", ["-c",
- "DOMTOOL_USER=hcoop /usr/local/bin/domtool-admin firewall "
+ "DOMTOOL_USER=hcoop.daemon /usr/local/bin/domtool-admin firewall "
 ^ Init.nodeName node ^ " " ^ uname])
 val inf = Unix.textInstreamOf proc
-- 
2.20.1
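Review bot: `perms` still builds a `/bin/sh -c` command by concatenating `user` with no validation visible in the hunk; if `user` arrives from a portal request, a value containing shell metacharacters would run arbitrary commands under the portal's uid, and switching `DOMTOOL_USER` to `hcoop.daemon` does nothing to change that. The argv form that `aptquery.sml` already uses removes the shell from the path entirely: `val proc = Unix.executeInEnv ("/usr/local/bin/domtool-admin", ["perms", user], ["DOMTOOL_USER=hcoop.daemon"])`. Note that `executeInEnv` replaces the child's environment rather than extending it, which matches the existing `aptquery.sml` call, but if `domtool-admin` depends on any inherited variable that would need checking first. The body of `perms` continues past the hunk.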
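Review bot: `checkIt` (and the `sockperm`/`firewall` calls in the other two hunks) report a `domtool-admin` failure exactly like a negative answer: stderr is discarded with `2>/dev/null` and `OS.Process.isSuccess` turns any non-zero exit into `false`. Since this commit moves to a newly created `hcoop.daemon` identity, a missing grant for that user would make `isTpe`-style checks return `false` everywhere with nothing in the server log to explain it; at minimum drop the `2>/dev/null` so the error reaches the log, or inspect the exit status instead of collapsing it to a boolean. All three hunks also splice `uname` into a `/bin/sh -c` string, so the argv form `Unix.executeInEnv ("/usr/local/bin/domtool-admin", [cmd, Init.nodeName node, uname], ["DOMTOOL_USER=hcoop.daemon"])` would take the shell out of the path; `uname` may well be validated by the caller, but that is not visible here. The literal `hcoop.daemon` now appears seven times across three files, so a single shared constant would keep a future identity change from missing one occurrence. `socketPerms` and `findFirewallRules` extend beyond their hunks.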