From: Clinton Ebadi
Date: Sat, 6 Nov 2021 19:29:31 +0000 (-0400)
Subject: mysql: revoke permissions when dropping database
X-Git-Tag: release_20211106-1
X-Git-Url: https://git.hcoop.net/hcoop/domtool2.git/commitdiff_plain/HEAD?hp=470e9d68205632c5fe9a073ae15b08887b17b117

mysql: revoke permissions when dropping database

Grants are not automatically deleted. Also have to explicitly revoke grant option or a "USAGE WITH GRANT OPTION" grant is left behind.
---
diff --git a/Makefile b/Makefile
index efa01a6..1f1d55b 100644
--- a/Makefile
+++ b/Makefile
@@ -31,7 +31,7 @@ config.sml:
 
 mlton: bin/domtool-server bin/domtool-client bin/domtool-slave \
 bin/domtool-admin bin/domtool-doc bin/dbtool bin/vmail \
- bin/smtplog bin/setsa bin/mysql-fixperms bin/webbw bin/domtool-tail \
+ bin/smtplog bin/setsa bin/webbw bin/domtool-tail \
 bin/fwtool bin/domtool-config bin/domtool-portal
 
 smlnj: $(COMMON_DEPS) openssl/smlnj/FFI/libssl.h.cm pcre/smlnj/FFI/libpcre.h.cm \
@@ -113,10 +113,6 @@ src/smtplog.mlb: src/prefix.mlb src/sources src/suffix.mlb
 $(MAKE_MLB_BASE) >src/smtplog.mlb
 echo "main-smtplog.sml" >>src/smtplog.mlb
 
-src/mysql-fixperms.mlb: src/prefix.mlb src/sources src/suffix.mlb
- $(MAKE_MLB_BASE) >src/mysql-fixperms.mlb
- echo "main-mysql-fixperms.sml" >>src/mysql-fixperms.mlb
-
 src/fwtool.mlb: src/prefix.mlb src/sources src/suffix.mlb
 $(MAKE_MLB_BASE) >src/fwtool.mlb
 echo "main-fwtool.sml" >>src/fwtool.mlb
@@ -204,9 +200,6 @@ bin/setsa: $(COMMON_MLTON_DEPS) src/setsa.mlb
 bin/smtplog: $(COMMON_MLTON_DEPS) src/smtplog.mlb
 $(MLTON) -output bin/smtplog src/smtplog.mlb
 
-bin/mysql-fixperms: $(COMMON_MLTON_DEPS) src/mysql-fixperms.mlb
- $(MLTON) -output bin/mysql-fixperms src/mysql-fixperms.mlb
-
 bin/fwtool: $(COMMON_MLTON_DEPS) src/fwtool.mlb
 $(MLTON) -output bin/fwtool src/fwtool.mlb
 
@@ -254,7 +247,6 @@ install: install_sos -cp bin/vmail /usr/local/bin/ -cp bin/setsa /usr/local/bin/ -cp bin/smtplog /usr/local/bin/ - -cp bin/mysql-fixperms /usr/local/bin/ -cp bin/vmailpasswd /usr/local/bin/ -cp bin/webbw /usr/local/sbin/ -cp bin/domtool-tail /usr/local/bin/ diff --git a/bootstrap/common.ssl.conf b/bootstrap/common.ssl.conf index c2c0ddb..40e234c 100644 --- a/bootstrap/common.ssl.conf +++ b/bootstrap/common.ssl.conf @@ -36,7 +36,7 @@ crl_extensions = crl_ext default_days = 365 default_crl_days= 30 -default_md = sha1 +default_md = sha256 preserve = no policy = policy_domtool @@ -55,7 +55,7 @@ emailAddress = supplied [ req ] default_bits = 4096 default_keyfile = ${Domtool_Defaults::ca_dir}/private/ca-key.pem -default_md = sha1 +default_md = sha256 prompt = no distinguished_name = root_ca_distinguished_name diff --git a/lib/apache.dtl b/lib/apache.dtl index 9269ee1..745cc62 100644 --- a/lib/apache.dtl +++ b/lib/apache.dtl @@ -43,8 +43,8 @@ extern val php73 : php_version; {{FastCGI based php 7.3.}} extern val php74 : php_version; {{FastCGI based php 7.4.}} - -val fast_php : php_version = php56; +extern val php80 : php_version; +{{FastCGI based php 8.0.}} extern val vhost : host -> Vhost => [Domain] {WebPlaces : [web_place], diff --git a/lib/hcoop.dtl b/lib/hcoop.dtl index db725ba..d65d892 100644 --- a/lib/hcoop.dtl +++ b/lib/hcoop.dtl @@ -29,8 +29,8 @@ val outpost_ipv6 : (ipv6) = "2a01:7e00::f03c:91ff:fe70:7c62"; (* Digital Ocean *) val busted_ip : (ip) = "64.225.6.23"; -val busted_private_ip : (ip) = "2604:a880:800:c1::1fe:7001"; -val busted_ipv6 : (ipv6) = "10.132.165.25"; +val busted_private_ip : (ip) = "10.132.165.25"; +val busted_ipv6 : (ipv6) = "2604:a880:800:c1::1fe:7001"; val gibran_ip : (ip) = "142.93.177.82"; val gibran_private_ip : (ip) = "10.132.5.78"; diff --git a/src/main-mysql-fixperms.sml b/src/main-mysql-fixperms.sml deleted file mode 100644 index 1e49f0f..0000000 --- a/src/main-mysql-fixperms.sml +++ /dev/null 
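Review bot: Moving `default_md` to sha256 only changes signatures made from now on; certificates and CRLs already issued under the sha1 default keep their SHA-1 signatures until they are reissued, and current TLS stacks reject SHA-1-signed leaf certificates, so this bootstrap change needs a follow-up re-signing step before it has any effect on existing hosts. A comment next to the setting would save the next reader the archaeology: `# sha256: SHA-1 signatures are rejected by modern TLS clients; sha1-signed certs must be reissued`. The section header for the first hunk (presumably `[ ca ]`) lies outside it.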
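Review bot: The public binding `val fast_php : php_version = php56;` is removed without a word in the commit message, so any user configuration that still references `fast_php` will stop type-checking on the next domtool run. If the intent is to retire it, keep the binding for one release with a doc string such as `{{Deprecated: PHP 5.6 is end-of-life; name an explicit php_version instead.}}`, or at least record the removal in the release notes. Note that `php56` itself (declared above the hunk) remains on offer even though 5.6 no longer receives security fixes, which is the larger exposure here.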
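Review bot: The swap is the right fix, but the fact that an IPv6 literal could sit in a value declared `(ip)`, and a dotted quad in an `(ipv6)`, means the `ip`/`ipv6` types are evidently not validated where library values are defined; it is worth confirming where, if anywhere, that check happens and adding one at definition time, since these constants presumably end up in firewall and DNS output where a wrong-family address is not caught. A short comment above the value, `(* private network address, IPv4 only *)`, would also make the intent visible to the next editor.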
@@ -1,24 +0,0 @@
-(* HCoop Domtool (http://hcoop.sourceforge.net/)
- * Copyright (c) 2007, Adam Chlipala
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version 2
- * of the License, or (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
- *)
-
-(* Driver for requesting MySQL DROP permission granting *)
-
-val _ =
- case CommandLine.arguments () of
- [] => Main.requestMysqlFixperms ()
- | _ => print "Invalid command-line arguments\n"
diff --git a/src/main.sig b/src/main.sig
index bea8247..ffee519 100644
--- a/src/main.sig
+++ b/src/main.sig
@@ -77,8 +77,6 @@ signature MAIN = sig
 
 val requestSmtpLog : string -> unit
 
- val requestMysqlFixperms : unit -> unit
-
 val requestApt : {node : string, pkg : string} -> OS.Process.status
 val requestAptExists : {node : string, pkg : string} -> OS.Process.status
 val requestCron : {node : string, uname : string} -> OS.Process.status
diff --git a/src/main.sml b/src/main.sml
index dfe0bd5..c6272f2 100644
--- a/src/main.sml
+++ b/src/main.sml
@@ -754,23 +754,6 @@ fun requestSmtpLog domain =
 OpenSSL.close bio
 end
 
-fun requestMysqlFixperms () =
- let
- val (_, context) = requestContext (fn () => ())
- val bio = OpenSSL.connect true (context,
- Config.Dbms.dbmsNode ^ ":" ^ Int.toString Config.slavePort)
- in
- Msg.send (bio, MsgMysqlFixperms);
- case Msg.recv bio of
- NONE => print "Server closed connection unexpectedly.\n"
- | SOME m =>
- case m of
- MsgOk => print "Permissions granted.\n"
- | MsgError s => print ("Failed: " ^ s ^ "\n")
- | _ => print "Unexpected server reply.\n";
- OpenSSL.close bio
- end
-
 fun requestApt {node, pkg} =
 let
 val (user, context) = requestContext (fn () => ())
@@ -1847,16 +1830,6 @@ fun slave () =
 ("Invalid database name " ^ user ^ "_" ^ dbname,
 SOME ("Invalid database name " ^ dbname)))
 (fn () => ())
- | MsgMysqlFixperms =>
- (print "Starting mysql-fixperms\n";
- doIt (fn () => if OS.Process.isSuccess
- (OS.Process.system "/usr/bin/sudo -H /afs/hcoop.net/common/etc/scripts/mysql-grant-table-drop") then
- ("Requested mysql-fixperms",
- NONE)
- else
- ("Requested mysql-fixperms, but execution failed!",
- SOME "Script execution failed."))
- (fn () => ()))
 | MsgFirewallRegen =>
 doIt (fn () => (Acl.read Config.aclFile;
 if Acl.query {user = user, class = "priv", value = "all"} then
diff --git a/src/msg.sml b/src/msg.sml
index eb04648..23ec652 100644
--- a/src/msg.sml
+++ b/src/msg.sml
@@ -238,7 +238,7 @@ fun send (bio, m) =
 | MsgGrantDb {dbtype, dbname} => (OpenSSL.writeInt (bio, 37);
 OpenSSL.writeString (bio, dbtype);
 OpenSSL.writeString (bio, dbname))
- | MsgMysqlFixperms => OpenSSL.writeInt (bio, 38)
+ (* | MsgMysqlFixperms => OpenSSL.writeInt (bio, 38) *)
 | MsgDescribe dom => (OpenSSL.writeInt (bio, 39);
 OpenSSL.writeString (bio, dom))
 | MsgDescription s => (OpenSSL.writeInt (bio, 40);
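Review bot: Commenting out the `MsgMysqlFixperms` arm leaves dead code in the wire-format table instead of a statement of intent, so a later reader cannot tell whether tag 38 is free to recycle. Replace the commented-out line with an explicit reservation, `(* 38: retired MsgMysqlFixperms; do not reuse, outdated clients may still send it *)`, so the gap in the numbering is documented and the tag is never reassigned to a message with different semantics. The enclosing `send` function starts and ends outside the hunk.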
@@ -365,7 +365,7 @@ fun recv bio =
 (SOME dbtype, SOME dbname) =>
 SOME (MsgGrantDb {dbtype = dbtype, dbname = dbname})
 | _ => NONE)
- | 38 => SOME MsgMysqlFixperms
+ (* | 38 => SOME MsgMysqlFixperms *)
 | 39 => Option.map MsgDescribe (OpenSSL.readString bio)
 | 40 => Option.map MsgDescription (OpenSSL.readString bio)
 | 41 => SOME MsgReUsers
diff --git a/src/msgTypes.sml b/src/msgTypes.sml
index c815960..aece410 100644
--- a/src/msgTypes.sml
+++ b/src/msgTypes.sml
@@ -125,7 +125,7 @@ datatype msg =
 (* MsgRegenerate without actual publishing of configuration *)
 | MsgGrantDb of {dbtype : string, dbname : string}
 (* Grant all allowed privileges on a DBMS database to the user *)
- | MsgMysqlFixperms
+ (* | MsgMysqlFixperms *)
 (* Run the script to grant DROP privileges on MySQL tables to owning users *)
 | MsgDescribe of string
 (* Ask for a listing of all of a domain's real configuration *)
diff --git a/src/plugins/apache.sml b/src/plugins/apache.sml
index 9d751e8..59e96b3 100644
--- a/src/plugins/apache.sml
+++ b/src/plugins/apache.sml
@@ -475,6 +475,7 @@ val php_version = fn (EVar "php56", _) => SOME 56
 | (EVar "php72", _) => SOME 72
 | (EVar "php73", _) => SOME 73
 | (EVar "php74", _) => SOME 74
+ | (EVar "php80", _) => SOME 80
 | _ => NONE
 
 fun vhostBody (env, makeFullHost) =
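Review bot: With the `38 =>` arm gone, a tag 38 frame from an old `mysql-fixperms` binary now falls through to whatever default `recv` has below this hunk, presumably `NONE`; that is the right fail-closed behaviour, but such clients will exist, because the Makefile change only stops installing `bin/mysql-fixperms` and does not remove an already installed copy from `/usr/local/bin`. It would be worth logging the unknown tag where the slave handles a `NONE` from `recv`, so the stragglers get noticed, and replacing the commented-out arm with `(* 38: retired MsgMysqlFixperms, intentionally unhandled *)`. `recv` begins above the hunk.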
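Review bot: The doc comment `(* Run the script to grant DROP privileges on MySQL tables to owning users *)` now describes a constructor that no longer exists, so the datatype documentation is stale. Fold the commented-out constructor and its comment into a single retirement note, `(* 38 was MsgMysqlFixperms (ran the DROP-privilege grant script); retired, tag number reserved *)`, so that what remains is true. The `datatype msg` declaration begins above the hunk.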
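Review bot: Adding `php80` here is one of at least three places that must change together for a new PHP version (the `extern val php80` in lib/apache.dtl and `Config.Apache.phpFastCgiWrapper`, which must know the wrapper for 80), and nothing ties them together; a comment above the function, `(* keep in sync with lib/apache.dtl and Config.Apache.phpFastCgiWrapper *)`, would at least point the next person at the other two. Separately, the table still maps `php56` and `php72`, PHP releases that no longer receive security fixes; the hunk does not introduce that, but pruning them belongs on the same list. The function's header is above the hunk.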
@@ -1207,13 +1208,16 @@ val () = Env.action_one "diskCache"
 val () = Env.action_one "phpVersion"
 ("version", php_version)
 (fn version => (write "\tAddHandler fcgid-script .php .phtml\n";
- (* FIXME: only set kerberos wrapper of waklog is on *)
- (* won't be trivial, since we don't have access to node here *)
- write "\n\tFcgidWrapper \"";
- write (Config.Apache.fastCgiWrapperOf (Domain.getUser ()));
- write " ";
- write (Config.Apache.phpFastCgiWrapper version);
- write "\" .php .phtml\n"))
+ (* FIXME: only set kerberos wrapper of waklog is on *)
+ (* won't be trivial, since we don't have access to node here *)
+ app (fn ext => (write "\n\tFcgidWrapper \"";
+ write (Config.Apache.fastCgiWrapperOf (Domain.getUser ()));
+ write " ";
+ write (Config.Apache.phpFastCgiWrapper version);
+ write "\" ";
+ write ext;
+ write "\n"))
+ [".php", ".phtml"]))
 
 val () = Env.action_two "addType"
 ("mime type", Env.string, "extension", Env.string)
diff --git a/src/plugins/domtool-mysql b/src/plugins/domtool-mysql
index b3690ff..4e549e6 100755
--- a/src/plugins/domtool-mysql
+++ b/src/plugins/domtool-mysql
@@ -32,7 +32,7 @@ case $1 in
 chmod 770 $DIR/$DBNAME
 ln -sf $DIR/$DBNAME /var/lib/mysql/$DBNAME
 chmod g+rw -R $DIR/$DBNAME/
- sudo -H mysql -e "GRANT CREATE,CREATE TEMPORARY TABLES,SELECT,INSERT,UPDATE,DELETE,INDEX,ALTER,CREATE VIEW,SHOW VIEW,LOCK TABLES,GRANT OPTION ON TABLE * TO '$USERNAME'@$WHERE;" $DBNAME
+ sudo -H mysql -e "GRANT ALL ON TABLE * TO '$USERNAME'@$WHERE WITH GRANT OPTION;" $DBNAME
 sudo -H mysql -e "FLUSH PRIVILEGES;"
 ;;
 
@@ -42,7 +42,10 @@ case $1 in
 DBNAME_BASE=$3
 DBNAME="${USERNAME}_${DBNAME_BASE}"
 
+ sudo -H mysql -e "REVOKE ALL ON TABLE * FROM '$USERNAME'@$WHERE;" $DBNAME
+ sudo -H mysql -e "REVOKE GRANT OPTION ON TABLE * FROM '$USERNAME'@$WHERE;" $DBNAME
 sudo -H mysql -e "DROP DATABASE $DBNAME;"
+
 ;;
 
 grant)
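Review bot: The loop recomputes `Config.Apache.fastCgiWrapperOf (Domain.getUser ())` and `Config.Apache.phpFastCgiWrapper version` for every extension although neither can change between iterations; bind the directive body once, `val wrapper = Config.Apache.fastCgiWrapperOf (Domain.getUser ()) ^ " " ^ Config.Apache.phpFastCgiWrapper version`, and have the loop `write wrapper` in place of the two `write (Config.…)` calls. The reason for emitting one `FcgidWrapper` per extension is stated nowhere; if it is that mod_fcgid accepts a single extension per directive (worth confirming against its documentation), say so above the `app`, e.g. `(* mod_fcgid takes one extension per FcgidWrapper directive *)`. The wrapper path is interpolated inside double quotes unescaped, which is fine only as long as `fastCgiWrapperOf` builds it from trusted configuration rather than anything user-supplied.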
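Review bot: `GRANT ALL ... WITH GRANT OPTION` is much wider than the explicit list it replaces: at database level ALL brings DROP (the goal of the retired mysql-fixperms script) but also EXECUTE, CREATE ROUTINE, ALTER ROUTINE, TRIGGER, EVENT and REFERENCES; if DROP was the only missing piece, adding `DROP` to the old list preserves least privilege, and if ALL is deliberate the reason belongs in a comment beside the statement. `$DBNAME` and `$USERNAME` are still spliced into the SQL text as bare identifiers; the slave in main.sml appears to validate database names before calling this script, but quoting the identifier in the statement (`` ON `$DBNAME`.* `` instead of selecting the database on the command line) would make the script safe on its own. The `FLUSH PRIVILEGES` that follows is redundant after a GRANT, which updates the privilege cache itself, though harmless.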
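Review bot: The two REVOKEs clean up only `'$USERNAME'@$WHERE`, yet that account has held `WITH GRANT OPTION` on the database, so any privileges it handed to other accounts remain in `mysql.db`/`mysql.tables_priv` after the DROP and re-attach if the same `${USERNAME}_${DBNAME_BASE}` name is created again; those third-party grants outlive the data. Consider removing every grant on the database, e.g. `DELETE FROM mysql.db WHERE Db = '$DBNAME'` (likewise for `mysql.tables_priv`/`mysql.columns_priv`) followed by `FLUSH PRIVILEGES`, or at least note in a comment that only the owner's own grant is revoked. Each `sudo -H mysql -e` is also independent: MySQL reports an error for a REVOKE with no matching grant, and the script then still proceeds to DROP; that is probably the intended best-effort behaviour, but a comment would stop it being read as an oversight.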
@@ -50,7 +53,7 @@ case $1 in
 DBNAME_BASE=$3
 DBNAME="${USERNAME}_${DBNAME_BASE}"
 
- sudo -H mysql -e "GRANT CREATE,SELECT,INSERT,UPDATE,DELETE,INDEX,ALTER,CREATE VIEW,SHOW VIEW,LOCK TABLES,GRANT OPTION ON TABLE * TO '$USERNAME'@$WHERE;" $DBNAME
+ sudo -H mysql -e "GRANT ALL ON TABLE * TO '$USERNAME'@$WHERE WITH GRANT OPTION;" $DBNAME
 ;;
 
 *)
diff --git a/src/plugins/firewall.sml b/src/plugins/firewall.sml
index 642379d..4c10f24 100644
--- a/src/plugins/firewall.sml
+++ b/src/plugins/firewall.sml
@@ -212,7 +212,7 @@ fun generateFirewallConfig rules =
 let
 val _ = SysWord.toInt (Posix.ProcEnv.uidToWord (Posix.SysDB.Passwd.uid (Posix.SysDB.getpwnam uname)))
 in
- TextIO.output (tcp_inf, "proto tcp mod comment comment \"user:" ^ uname ^ "\" {\n");
+ TextIO.output (tcp_inf, "proto (tcp udp) mod comment comment \"user:" ^ uname ^ "\" {\n");
 TextIO.output (tcp_inf, concat lines);
 TextIO.output (tcp_inf, "\n}\n\n")
 end handle OS.SysErr _ => print ("Invalid user " ^ uname ^ " in firewall config, skipping.\n") (* no sense in opening ports for bad users *)
@@ -221,7 +221,7 @@ fun generateFirewallConfig rules =
 let
 val uid = SysWord.toInt (Posix.ProcEnv.uidToWord (Posix.SysDB.Passwd.uid (Posix.SysDB.getpwnam uname)))
 in
- TextIO.output (tcp_outf, "mod owner uid-owner " ^ (Int.toString uid) ^ " mod comment comment \"user:" ^ uname ^ "\" proto tcp {\n");
+ TextIO.output (tcp_outf, "mod owner uid-owner " ^ (Int.toString uid) ^ " mod comment comment \"user:" ^ uname ^ "\" proto (tcp udp) {\n");
 TextIO.output (tcp_outf, concat lines);
 TextIO.output (tcp_outf, "\nDROP;\n}\n\n")
 end handle OS.SysErr _ => print ("Invalid user " ^ uname ^ " in firewall config, skipping.\n")
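Review bot: This GRANT is now byte-for-byte the one in the create arm, and the two had previously drifted apart by one privilege (`CREATE TEMPORARY TABLES`), which is exactly what a shared function prevents; define `grant_all() { sudo -H mysql -e "GRANT ALL ON TABLE * TO '$1'@$2 WITH GRANT OPTION;" "$3"; }` once at the top of the script and call it from both arms. As in the create arm, ALL is broader than the old explicit list (DROP, but also EXECUTE, CREATE ROUTINE, TRIGGER, EVENT, REFERENCES), so a one-line comment justifying the blanket grant would help. The `case` statement begins above the hunk.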
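Review bot: Changing every user block to `proto (tcp udp)` opens the UDP port for each rule that until now was TCP-only, inbound and outbound alike, and nothing in the hunk lets a rule opt out; if only some services need UDP the protocol should come from the rule, or at minimum the commit message and a comment should say that user port rules are now dual-protocol, since this widens the exposed surface of every existing rule. The handles `tcp_inf`/`tcp_outf` (bound above the hunk) are now misnamed and worth renaming, e.g. `in_f`/`out_f`. `generateFirewallConfig` starts and ends outside the hunk.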