diff --git a/config/default.yml b/config/default.yml index 319695a5b..68d2a73a6 100644 --- a/config/default.yml +++ b/config/default.yml @@ -372,3 +372,4 @@ ban: ember_server: port: 14050 live_reload_port: 14051 +umask: "0027" diff --git a/src/api-umbrella/cli/read_config.lua b/src/api-umbrella/cli/read_config.lua index 9b96a3667..20658f997 100644 --- a/src/api-umbrella/cli/read_config.lua +++ b/src/api-umbrella/cli/read_config.lua @@ -10,10 +10,14 @@ local nillify_yaml_nulls = require "api-umbrella.utils.nillify_yaml_nulls" local path = require "pl.path" local plutils = require "pl.utils" local random_token = require "api-umbrella.utils.random_token" +local stat = require "posix.sys.stat" local stringx = require "pl.stringx" local types = require "pl.types" +local unistd = require "posix.unistd" local url = require "socket.url" +local chmod = stat.chmod +local chown = unistd.chown local is_empty = types.is_empty local split = plutils.split local strip = stringx.strip @@ -153,20 +157,24 @@ local function set_computed_config() config["etc_dir"] = path.join(config["root_dir"], "etc") end + if not config["var_dir"] then + config["var_dir"] = path.join(config["root_dir"], "var") + end + if not config["log_dir"] then - config["log_dir"] = path.join(config["root_dir"], "var/log") + config["log_dir"] = path.join(config["var_dir"], "log") end if not config["run_dir"] then - config["run_dir"] = path.join(config["root_dir"], "var/run") + config["run_dir"] = path.join(config["var_dir"], "run") end if not config["tmp_dir"] then - config["tmp_dir"] = path.join(config["root_dir"], "var/tmp") + config["tmp_dir"] = path.join(config["var_dir"], "tmp") end if not config["db_dir"] then - config["db_dir"] = path.join(config["root_dir"], "var/db") + config["db_dir"] = path.join(config["var_dir"], "db") end local trusted_proxies = config["router"]["trusted_proxies"] or {} @@ -359,6 +367,11 @@ local function set_computed_config() end end +local function set_process_permissions() + unistd.setpid("g", "api-umbrella") + stat.umask(tonumber(config["umask"], 8)) +end + -- Handle setup of random secret tokens that should be be unique for API -- Umbrella installations, but should be persisted across restarts. -- @@ -401,6 +414,11 @@ local function set_cached_random_tokens() -- Persist the cached tokens. dir.makepath(config["run_dir"]) file.write(cached_path, lyaml.dump({ cached })) + chmod(cached_path, tonumber("0640", 8)) + if config["group"] then + chown(cached_path, nil, config["group"]) + end + deep_defaults(config, cached) end end @@ -415,6 +433,10 @@ local function write_runtime_config() local runtime_config_path = path.join(config["run_dir"], "runtime_config.yml") dir.makepath(config["run_dir"]) file.write(runtime_config_path, lyaml.dump({config})) + chmod(runtime_config_path, tonumber("0640", 8)) + if config["group"] then + chown(runtime_config_path, nil, config["group"]) + end end return function(options) @@ -431,6 +453,8 @@ return function(options) read_default_config() read_system_config() set_computed_config() + set_process_permissions() + set_cached_random_tokens() if options and options["write"] then @@ -438,5 +462,7 @@ return function(options) end end + set_process_permissions() + return config end diff --git a/src/api-umbrella/cli/setup.lua b/src/api-umbrella/cli/setup.lua index 36a2aa8f8..f7ab5b4bb 100644 --- a/src/api-umbrella/cli/setup.lua +++ b/src/api-umbrella/cli/setup.lua @@ -13,6 +13,9 @@ local stat = require "posix.sys.stat" local tablex = require "pl.tablex" local unistd = require "posix.unistd" +local chmod = stat.chmod +local chown = unistd.chown + local config local template_config @@ -95,19 +98,8 @@ local function prepare() config["log_dir"], config["run_dir"], config["tmp_dir"], - path.join(config["db_dir"], "elasticsearch"), - path.join(config["etc_dir"], "elasticsearch_scripts"), - path.join(config["db_dir"], "mongodb"), - path.join(config["db_dir"], "rsyslog"), - path.join(config["etc_dir"], "trafficserver/snapshots"), - path.join(config["log_dir"], "trafficserver"), - path.join(config["root_dir"], "var/trafficserver"), } - if config["app_env"] == "test" then - table.insert(dirs, path.join(config["run_dir"], "test-env-mongo-orchestration")) - end - for _, directory in ipairs(dirs) do dir.makepath(directory) end @@ -149,6 +141,10 @@ local function ensure_geoip_db() local default_city_db_path = path.join(config["_embedded_root_dir"], "var/db/geoip/city-v6.dat") dir.makepath(path.dirname(city_db_path)) file.copy(default_city_db_path, city_db_path) + chmod(city_db_path, tonumber("0640", 8)) + if config["group"] then + chown(city_db_path, nil, config["group"]) + end end end @@ -188,7 +184,16 @@ local function write_templates() dir.makepath(path.dirname(install_path)) file.write(install_path, content) - stat.chmod(install_path, stat.stat(template_path).st_mode) + if config["group"] then + chown(install_path, nil, config["group"]) + end + + local install_filename = path.basename(install_path) + if install_filename == "rc.log" or install_filename == "rc.main" or install_filename == "rc.perp" then + chmod(install_path, tonumber("0750", 8)) + else + chmod(install_path, tonumber("0640", 8)) + end end end end @@ -214,18 +219,37 @@ local function write_static_site_key() end local function set_permissions() - local _, err - _, _, err = run_command("chmod 1777 " .. config["tmp_dir"]) - if err then - print("chmod failed: ", err) - os.exit(1) - end + chmod(config["tmp_dir"], tonumber("1777", 8)) if config["user"] and config["group"] then - _, _, err = run_command("chown -R " .. config["user"] .. ":" .. config["group"] .. " " .. path.join(config["etc_dir"], "trafficserver") .. " " .. path.join(config["root_dir"], "var")) - if err then - print(err) - os.exit(1) + local user = config["user"] + local group = config["group"] + chown(config["db_dir"], nil, group) + chown(config["log_dir"], nil, group) + chown(config["run_dir"], user, group) + chown(config["tmp_dir"], user, group) + chown(config["var_dir"], nil, group) + chown(config["etc_dir"], nil, group) + chown(path.join(config["db_dir"], "geoip"), nil, group) + chown(path.join(config["etc_dir"], "elasticsearch"), nil, group) + chown(path.join(config["etc_dir"], "nginx"), nil, group) + chown(path.join(config["etc_dir"], "perp"), nil, group) + chown(path.join(config["etc_dir"], "trafficserver"), nil, group) + + if config["app_env"] == "test" then + chown(path.join(config["etc_dir"], "test-env"), nil, group) + chown(path.join(config["etc_dir"], "test-env/mongo-orchestration"), nil, group) + chown(path.join(config["etc_dir"], "test-env/nginx"), nil, group) + chown(path.join(config["etc_dir"], "test-env/openldap"), nil, group) + chown(path.join(config["etc_dir"], "test-env/unbound"), nil, group) + end + end + + local service_dirs = dir.getdirectories(path.join(config["etc_dir"], "perp")) + for _, service_dir in ipairs(service_dirs) do + chmod(service_dir, tonumber("0750", 8)) + if config["group"] then + chown(service_dir, nil, config["group"]) end end end @@ -311,17 +335,16 @@ local function activate_services() -- Set the sticky bit for any active services. if is_active then - local _, _, err = run_command("chmod +t " .. service_dir) - if err then - print(err) - os.exit(1) + chmod(service_dir, tonumber("1750", 8)) + + local log_dir = path.join(config["log_dir"], service_name) + dir.makepath(log_dir) + chmod(log_dir, tonumber("0750", 8)) + if config["user"] and config["group"] then + chown(log_dir, config["user"], config["group"]) end else - local _, _, err = run_command("chmod -t " .. service_dir) - if err then - print(err) - os.exit(1) - end + chmod(service_dir, tonumber("0750", 8)) end end end diff --git a/templates/etc/perp/dev-env-ember-server/rc.log b/templates/etc/perp/dev-env-ember-server/rc.log index 089baa65a..0bfdd70ef 100755 --- a/templates/etc/perp/dev-env-ember-server/rc.log +++ b/templates/etc/perp/dev-env-ember-server/rc.log @@ -1,2 +1,3 @@ #!/usr/bin/env bash +set -e -u exec ../rc.log "$@" diff --git a/templates/etc/perp/dev-env-ember-server/rc.main.mustache b/templates/etc/perp/dev-env-ember-server/rc.main.mustache index 868595c26..3188b0970 100755 --- a/templates/etc/perp/dev-env-ember-server/rc.main.mustache +++ b/templates/etc/perp/dev-env-ember-server/rc.main.mustache @@ -1,8 +1,11 @@ #!/usr/bin/env bash +set -e -u # Redirect stderr to stdout exec 2>&1 +umask "{{umask}}" + if [ "${1}" = "start" ]; then echo "starting ${2}..." api_umbrella_user="{{user}}" diff --git a/templates/etc/perp/elasticsearch/rc.log b/templates/etc/perp/elasticsearch/rc.log index 089baa65a..0bfdd70ef 100755 --- a/templates/etc/perp/elasticsearch/rc.log +++ b/templates/etc/perp/elasticsearch/rc.log @@ -1,2 +1,3 @@ #!/usr/bin/env bash +set -e -u exec ../rc.log "$@" diff --git a/templates/etc/perp/elasticsearch/rc.main.mustache b/templates/etc/perp/elasticsearch/rc.main.mustache index 787f5a96e..e93ef9c32 100755 --- a/templates/etc/perp/elasticsearch/rc.main.mustache +++ b/templates/etc/perp/elasticsearch/rc.main.mustache @@ -1,17 +1,28 @@ #!/usr/bin/env bash +set -e -u # Redirect stderr to stdout exec 2>&1 +umask "{{umask}}" + if [ "${1}" = "start" ]; then echo "starting ${2}..." api_umbrella_user="{{user}}" + api_umbrella_group="{{group}}" run_args=("-e" "rc.env") if [ -n "$api_umbrella_user" ]; then run_args+=("-u" "$api_umbrella_user") fi + dirs=("{{db_dir}}/elasticsearch" "{{etc_dir}}/elasticsearch_scripts") + mkdir -p "${dirs[@]}" + chmod 750 "${dirs[@]}" + if [ -n "$api_umbrella_user" ]; then + chown $api_umbrella_user:$api_umbrella_group "${dirs[@]}" + fi + exec runtool "${run_args[@]}" elasticsearch fi diff --git a/templates/etc/perp/geoip-auto-updater/rc.log b/templates/etc/perp/geoip-auto-updater/rc.log index 089baa65a..0bfdd70ef 100755 --- a/templates/etc/perp/geoip-auto-updater/rc.log +++ b/templates/etc/perp/geoip-auto-updater/rc.log @@ -1,2 +1,3 @@ #!/usr/bin/env bash +set -e -u exec ../rc.log "$@" diff --git a/templates/etc/perp/geoip-auto-updater/rc.main.mustache b/templates/etc/perp/geoip-auto-updater/rc.main.mustache index 88db76030..becf2c045 100755 --- a/templates/etc/perp/geoip-auto-updater/rc.main.mustache +++ b/templates/etc/perp/geoip-auto-updater/rc.main.mustache @@ -1,8 +1,11 @@ #!/usr/bin/env bash +set -e -u # Redirect stderr to stdout exec 2>&1 +umask "{{umask}}" + if [ "${1}" = "start" ]; then echo "starting ${2}..." diff --git a/templates/etc/perp/mongod/rc.log b/templates/etc/perp/mongod/rc.log index 089baa65a..0bfdd70ef 100755 --- a/templates/etc/perp/mongod/rc.log +++ b/templates/etc/perp/mongod/rc.log @@ -1,2 +1,3 @@ #!/usr/bin/env bash +set -e -u exec ../rc.log "$@" diff --git a/templates/etc/perp/mongod/rc.main.mustache b/templates/etc/perp/mongod/rc.main.mustache index f7ec49c96..c46067bde 100755 --- a/templates/etc/perp/mongod/rc.main.mustache +++ b/templates/etc/perp/mongod/rc.main.mustache @@ -1,17 +1,28 @@ #!/usr/bin/env bash +set -e -u # Redirect stderr to stdout exec 2>&1 +umask "{{umask}}" + if [ "${1}" = "start" ]; then echo "starting ${2}..." api_umbrella_user="{{user}}" + api_umbrella_group="{{group}}" run_args=() if [ -n "$api_umbrella_user" ]; then run_args+=("-u" "$api_umbrella_user") fi + dirs=("{{db_dir}}/mongodb") + mkdir -p "${dirs[@]}" + chmod 750 "${dirs[@]}" + if [ -n "$api_umbrella_user" ]; then + chown $api_umbrella_user:$api_umbrella_group "${dirs[@]}" + fi + exec runtool "${run_args[@]}" mongod --config "{{etc_dir}}/mongod.conf" fi diff --git a/templates/etc/perp/mora/rc.log b/templates/etc/perp/mora/rc.log index 089baa65a..0bfdd70ef 100755 --- a/templates/etc/perp/mora/rc.log +++ b/templates/etc/perp/mora/rc.log @@ -1,2 +1,3 @@ #!/usr/bin/env bash +set -e -u exec ../rc.log "$@" diff --git a/templates/etc/perp/mora/rc.main.mustache b/templates/etc/perp/mora/rc.main.mustache index 3d3aebbdb..65fa2064e 100755 --- a/templates/etc/perp/mora/rc.main.mustache +++ b/templates/etc/perp/mora/rc.main.mustache @@ -1,8 +1,11 @@ #!/usr/bin/env bash +set -e -u # Redirect stderr to stdout exec 2>&1 +umask "{{umask}}" + if [ "${1}" = "start" ]; then echo "starting ${2}..." api_umbrella_user="{{user}}" diff --git a/templates/etc/perp/nginx-reloader/rc.log b/templates/etc/perp/nginx-reloader/rc.log index 089baa65a..0bfdd70ef 100755 --- a/templates/etc/perp/nginx-reloader/rc.log +++ b/templates/etc/perp/nginx-reloader/rc.log @@ -1,2 +1,3 @@ #!/usr/bin/env bash +set -e -u exec ../rc.log "$@" diff --git a/templates/etc/perp/nginx-reloader/rc.main.mustache b/templates/etc/perp/nginx-reloader/rc.main.mustache index 1cce3061a..54409afd8 100755 --- a/templates/etc/perp/nginx-reloader/rc.main.mustache +++ b/templates/etc/perp/nginx-reloader/rc.main.mustache @@ -1,8 +1,11 @@ #!/usr/bin/env bash +set -e -u # Redirect stderr to stdout exec 2>&1 +umask "{{umask}}" + if [ "${1}" = "start" ]; then echo "starting ${2}..." diff --git a/templates/etc/perp/nginx/rc.log b/templates/etc/perp/nginx/rc.log index 089baa65a..0bfdd70ef 100755 --- a/templates/etc/perp/nginx/rc.log +++ b/templates/etc/perp/nginx/rc.log @@ -1,2 +1,3 @@ #!/usr/bin/env bash +set -e -u exec ../rc.log "$@" diff --git a/templates/etc/perp/nginx/rc.main.mustache b/templates/etc/perp/nginx/rc.main.mustache index 516dfef56..47aacceac 100755 --- a/templates/etc/perp/nginx/rc.main.mustache +++ b/templates/etc/perp/nginx/rc.main.mustache @@ -1,8 +1,11 @@ #!/usr/bin/env bash +set -e -u # Redirect stderr to stdout exec 2>&1 +umask "{{umask}}" + if [ "${1}" = "start" ]; then echo "starting ${2}..." diff --git a/templates/etc/perp/rc.log.mustache b/templates/etc/perp/rc.log.mustache index 725194e22..c659ec4ca 100755 --- a/templates/etc/perp/rc.log.mustache +++ b/templates/etc/perp/rc.log.mustache @@ -1,4 +1,10 @@ #!/usr/bin/env bash +set -e -u + +# Redirect stderr to stdout +exec 2>&1 + +umask "{{umask}}" if [ "${1}" = "start" ]; then api_umbrella_log_dir="{{log_dir}}" @@ -16,16 +22,18 @@ if [ "${1}" = "start" ]; then log_args=("-ttt" "$log_dir") # Create the log directory. - mkdir -p "$log_dir" + dirs=("$log_dir") + runtool mkdir -p "${dirs[@]}" + chmod 750 "${dirs[@]}" + if [ -n "$api_umbrella_user" ]; then + chown $api_umbrella_user:$api_umbrella_group "${dirs[@]}" + fi # Define a configuration file for svlogd to disable internal log rotation # (since we'll rely on the system and logrotated for that). - printf 's0\nn0\n' > "$log_dir/config" - - # Set permissions. - chmod 0755 "$log_dir" + printf 's0\nn0\n' | runtool tee "$log_dir/config" if [ -n "$api_umbrella_user" ]; then - chown -R $api_umbrella_user:$api_umbrella_group "$log_dir" + chown $api_umbrella_user:$api_umbrella_group "$log_dir/config" fi exec runtool "${run_args[@]}" svlogd "${log_args[@]}" diff --git a/templates/etc/perp/rsyslog/rc.log b/templates/etc/perp/rsyslog/rc.log index 089baa65a..0bfdd70ef 100755 --- a/templates/etc/perp/rsyslog/rc.log +++ b/templates/etc/perp/rsyslog/rc.log @@ -1,2 +1,3 @@ #!/usr/bin/env bash +set -e -u exec ../rc.log "$@" diff --git a/templates/etc/perp/rsyslog/rc.main.mustache b/templates/etc/perp/rsyslog/rc.main.mustache index 41389648e..ba11ab09f 100755 --- a/templates/etc/perp/rsyslog/rc.main.mustache +++ b/templates/etc/perp/rsyslog/rc.main.mustache @@ -1,17 +1,28 @@ #!/usr/bin/env bash +set -e -u # Redirect stderr to stdout exec 2>&1 +umask "{{umask}}" + if [ "${1}" = "start" ]; then echo "starting ${2}..." api_umbrella_user="{{user}}" + api_umbrella_group="{{group}}" run_args=("-e" "rc.env") if [ -n "$api_umbrella_user" ]; then run_args+=("-u" "$api_umbrella_user") fi + dirs=("{{db_dir}}/rsyslog") + mkdir -p "${dirs[@]}" + chmod 750 "${dirs[@]}" + if [ -n "$api_umbrella_user" ]; then + chown $api_umbrella_user:$api_umbrella_group "${dirs[@]}" + fi + exec \ runtool "${run_args[@]}" \ rsyslogd \ diff --git a/templates/etc/perp/test-env-mailhog/rc.log b/templates/etc/perp/test-env-mailhog/rc.log index 089baa65a..0bfdd70ef 100755 --- a/templates/etc/perp/test-env-mailhog/rc.log +++ b/templates/etc/perp/test-env-mailhog/rc.log @@ -1,2 +1,3 @@ #!/usr/bin/env bash +set -e -u exec ../rc.log "$@" diff --git a/templates/etc/perp/test-env-mailhog/rc.main.mustache b/templates/etc/perp/test-env-mailhog/rc.main.mustache index a1f9310a5..64fd1f3f9 100755 --- a/templates/etc/perp/test-env-mailhog/rc.main.mustache +++ b/templates/etc/perp/test-env-mailhog/rc.main.mustache @@ -1,8 +1,11 @@ #!/usr/bin/env bash +set -e -u # Redirect stderr to stdout exec 2>&1 +umask "{{umask}}" + if [ "${1}" = "start" ]; then echo "starting ${2}..." api_umbrella_user="{{user}}" diff --git a/templates/etc/perp/test-env-mongo-orchestration/rc.log b/templates/etc/perp/test-env-mongo-orchestration/rc.log index 089baa65a..0bfdd70ef 100755 --- a/templates/etc/perp/test-env-mongo-orchestration/rc.log +++ b/templates/etc/perp/test-env-mongo-orchestration/rc.log @@ -1,2 +1,3 @@ #!/usr/bin/env bash +set -e -u exec ../rc.log "$@" diff --git a/templates/etc/perp/test-env-mongo-orchestration/rc.main.mustache b/templates/etc/perp/test-env-mongo-orchestration/rc.main.mustache index 2f831b6e9..204004d2a 100755 --- a/templates/etc/perp/test-env-mongo-orchestration/rc.main.mustache +++ b/templates/etc/perp/test-env-mongo-orchestration/rc.main.mustache @@ -1,11 +1,15 @@ #!/usr/bin/env bash +set -e -u # Redirect stderr to stdout exec 2>&1 +umask "{{umask}}" + if [ "${1}" = "start" ]; then echo "starting ${2}..." api_umbrella_user="{{user}}" + api_umbrella_group="{{group}}" PATH="{{_test_env_install_dir}}/sbin:{{_test_env_install_dir}}/bin:$PATH" run_args=("-e" "rc.env") @@ -13,6 +17,13 @@ if [ "${1}" = "start" ]; then run_args+=("-u" "$api_umbrella_user") fi + dirs=("{{run_dir}}/test-env-mongo-orchestration") + mkdir -p "${dirs[@]}" + chmod 750 "${dirs[@]}" + if [ -n "$api_umbrella_user" ]; then + chown $api_umbrella_user:$api_umbrella_group "${dirs[@]}" + fi + exec \ runtrap test-env-mongo-orchestration "${0}" \ runtool "${run_args[@]}" \ diff --git a/templates/etc/perp/test-env-nginx/rc.log b/templates/etc/perp/test-env-nginx/rc.log index 089baa65a..0bfdd70ef 100755 --- a/templates/etc/perp/test-env-nginx/rc.log +++ b/templates/etc/perp/test-env-nginx/rc.log @@ -1,2 +1,3 @@ #!/usr/bin/env bash +set -e -u exec ../rc.log "$@" diff --git a/templates/etc/perp/test-env-nginx/rc.main.mustache b/templates/etc/perp/test-env-nginx/rc.main.mustache index 8342e38a1..ee9dd95d0 100755 --- a/templates/etc/perp/test-env-nginx/rc.main.mustache +++ b/templates/etc/perp/test-env-nginx/rc.main.mustache @@ -1,8 +1,11 @@ #!/usr/bin/env bash +set -e -u # Redirect stderr to stdout exec 2>&1 +umask "{{umask}}" + if [ "${1}" = "start" ]; then echo "starting ${2}..." diff --git a/templates/etc/perp/test-env-openldap/rc.log b/templates/etc/perp/test-env-openldap/rc.log index 089baa65a..0bfdd70ef 100755 --- a/templates/etc/perp/test-env-openldap/rc.log +++ b/templates/etc/perp/test-env-openldap/rc.log @@ -1,2 +1,3 @@ #!/usr/bin/env bash +set -e -u exec ../rc.log "$@" diff --git a/templates/etc/perp/test-env-openldap/rc.main.mustache b/templates/etc/perp/test-env-openldap/rc.main.mustache index eb0a511f4..83b83b7c9 100755 --- a/templates/etc/perp/test-env-openldap/rc.main.mustache +++ b/templates/etc/perp/test-env-openldap/rc.main.mustache @@ -1,13 +1,15 @@ #!/usr/bin/env bash - -set -e +set -e -u # Redirect stderr to stdout exec 2>&1 +umask "{{umask}}" + if [ "${1}" = "start" ]; then echo "starting ${2}..." api_umbrella_user="{{user}}" + api_umbrella_group="{{group}}" db_dir="{{db_dir}}/test-env-openldap" slapd_ldif_path="{{etc_dir}}/test-env/openldap/slapd.ldif" seed_ldif_path="{{etc_dir}}/test-env/openldap/seed.ldif" @@ -22,8 +24,13 @@ if [ "${1}" = "start" ]; then # Before each test run, wipe and populate the LDAP database from the seed # data. set -x - rm -rf "$db_dir" - mkdir -p "$db_dir" + dirs=("$db_dir") + rm -rf "${dirs[@]}" + runtool mkdir -p "${dirs[@]}" + chmod 750 "${dirs[@]}" + if [ -n "$api_umbrella_user" ]; then + chown $api_umbrella_user:$api_umbrella_group "${dirs[@]}" + fi runtool "${run_args[@]}" slapadd -F "$db_dir" -n 0 -l "$slapd_ldif_path" runtool "${run_args[@]}" slapadd -F "$db_dir" -l "$seed_ldif_path" diff --git a/templates/etc/perp/test-env-unbound/rc.log b/templates/etc/perp/test-env-unbound/rc.log index 089baa65a..0bfdd70ef 100755 --- a/templates/etc/perp/test-env-unbound/rc.log +++ b/templates/etc/perp/test-env-unbound/rc.log @@ -1,2 +1,3 @@ #!/usr/bin/env bash +set -e -u exec ../rc.log "$@" diff --git a/templates/etc/perp/test-env-unbound/rc.main.mustache b/templates/etc/perp/test-env-unbound/rc.main.mustache index befdcd9b8..9906b91aa 100755 --- a/templates/etc/perp/test-env-unbound/rc.main.mustache +++ b/templates/etc/perp/test-env-unbound/rc.main.mustache @@ -1,8 +1,11 @@ #!/usr/bin/env bash +set -e -u # Redirect stderr to stdout exec 2>&1 +umask "{{umask}}" + if [ "${1}" = "start" ]; then echo "starting ${2}..." api_umbrella_user="{{user}}" diff --git a/templates/etc/perp/trafficserver/rc.log b/templates/etc/perp/trafficserver/rc.log index 089baa65a..0bfdd70ef 100755 --- a/templates/etc/perp/trafficserver/rc.log +++ b/templates/etc/perp/trafficserver/rc.log @@ -1,2 +1,3 @@ #!/usr/bin/env bash +set -e -u exec ../rc.log "$@" diff --git a/templates/etc/perp/trafficserver/rc.main.mustache b/templates/etc/perp/trafficserver/rc.main.mustache index 60d9c332e..bebe7b62c 100755 --- a/templates/etc/perp/trafficserver/rc.main.mustache +++ b/templates/etc/perp/trafficserver/rc.main.mustache @@ -1,17 +1,28 @@ #!/usr/bin/env bash +set -e -u # Redirect stderr to stdout exec 2>&1 +umask "{{umask}}" + if [ "${1}" = "start" ]; then echo "starting ${2}..." api_umbrella_user="{{user}}" + api_umbrella_group="{{group}}" run_args=("-e" "rc.env") if [ -n "$api_umbrella_user" ]; then run_args+=("-u" "$api_umbrella_user") fi + dirs=("{{etc_dir}}/trafficserver" "{{etc_dir}}/trafficserver/snapshots" "{{var_dir}}/trafficserver") + mkdir -p "${dirs[@]}" + chmod 750 "${dirs[@]}" + if [ -n "$api_umbrella_user" ]; then + chown $api_umbrella_user:$api_umbrella_group "${dirs[@]}" + fi + exec runtool "${run_args[@]}" traffic_cop --stdout fi diff --git a/templates/etc/perp/web-delayed-job/rc.log b/templates/etc/perp/web-delayed-job/rc.log index 089baa65a..0bfdd70ef 100755 --- a/templates/etc/perp/web-delayed-job/rc.log +++ b/templates/etc/perp/web-delayed-job/rc.log @@ -1,2 +1,3 @@ #!/usr/bin/env bash +set -e -u exec ../rc.log "$@" diff --git a/templates/etc/perp/web-delayed-job/rc.main.mustache b/templates/etc/perp/web-delayed-job/rc.main.mustache index 60b9aaa72..e7498cf3c 100755 --- a/templates/etc/perp/web-delayed-job/rc.main.mustache +++ b/templates/etc/perp/web-delayed-job/rc.main.mustache @@ -1,8 +1,11 @@ #!/usr/bin/env bash +set -e -u # Redirect stderr to stdout exec 2>&1 +umask "{{umask}}" + if [ "${1}" = "start" ]; then echo "starting ${2}..." api_umbrella_user="{{user}}" diff --git a/templates/etc/perp/web-puma/rc.log b/templates/etc/perp/web-puma/rc.log index 089baa65a..0bfdd70ef 100755 --- a/templates/etc/perp/web-puma/rc.log +++ b/templates/etc/perp/web-puma/rc.log @@ -1,2 +1,3 @@ #!/usr/bin/env bash +set -e -u exec ../rc.log "$@" diff --git a/templates/etc/perp/web-puma/rc.main.mustache b/templates/etc/perp/web-puma/rc.main.mustache index b21b4fd66..26e8f6ea9 100755 --- a/templates/etc/perp/web-puma/rc.main.mustache +++ b/templates/etc/perp/web-puma/rc.main.mustache @@ -1,8 +1,11 @@ #!/usr/bin/env bash +set -e -u # Redirect stderr to stdout exec 2>&1 +umask "{{umask}}" + if [ "${1}" = "start" ]; then echo "starting ${2}..." api_umbrella_user="{{user}}" diff --git a/test/processes/test_file_permissions.rb b/test/processes/test_file_permissions.rb new file mode 100644 index 000000000..05cfc6f9e --- /dev/null +++ b/test/processes/test_file_permissions.rb @@ -0,0 +1,179 @@ +require_relative "../test_helper" + +class Test::Processes::TestFilePermissions < Minitest::Test + include ApiUmbrellaTestHelpers::Setup + + def setup + super + setup_server + once_per_class_setup do + @@user_uid = nil + @@group_gid = nil + @@process_uid = ::Process.euid + @@process_gid = ::Process.egid + + if($config["user"]) + @@user_uid = Etc.getpwnam($config["user"]).uid + end + + if($config["group"]) + @@group_gid = Etc.getgrnam($config["group"]).gid + end + end + end + + def test_db_dir + stat = File.stat($config["db_dir"]) + assert_equal("40750", stat.mode.to_s(8)) + assert_process_owner(stat) + assert_group(stat) + end + + def test_db_elasticsearch_dir + stat = File.stat(File.join($config["db_dir"], "elasticsearch")) + assert_equal("40750", stat.mode.to_s(8)) + assert_owner(stat) + assert_group(stat) + end + + def test_db_mongodb_dir + stat = File.stat(File.join($config["db_dir"], "mongodb")) + assert_equal("40750", stat.mode.to_s(8)) + assert_owner(stat) + assert_group(stat) + end + + def test_etc_dir + stat = File.stat($config["etc_dir"]) + assert_equal("40750", stat.mode.to_s(8)) + assert_process_owner(stat) + assert_group(stat) + end + + def test_etc_perp_dir + stat = File.stat(File.join($config["etc_dir"], "perp")) + assert_equal("40750", stat.mode.to_s(8)) + assert_process_owner(stat) + assert_group(stat) + end + + def test_etc_perp_disabled_service_dir + stat = File.stat(File.join($config["etc_dir"], "perp", "dev-env-ember-server")) + assert_equal("40750", stat.mode.to_s(8)) + assert_process_owner(stat) + assert_group(stat) + end + + def test_etc_perp_nginx_dir + stat = File.stat(File.join($config["etc_dir"], "perp", "nginx")) + assert_equal("41750", stat.mode.to_s(8)) + assert_process_owner(stat) + assert_group(stat) + end + + def test_etc_perp_nginx_rc_env_file + stat = File.stat(File.join($config["etc_dir"], "perp", "nginx", "rc.env")) + assert_equal("100640", stat.mode.to_s(8)) + assert_process_owner(stat) + assert_group(stat) + end + + def test_etc_perp_nginx_rc_log_file + stat = File.stat(File.join($config["etc_dir"], "perp", "nginx", "rc.log")) + assert_equal("100750", stat.mode.to_s(8)) + assert_process_owner(stat) + assert_group(stat) + end + + def test_etc_perp_nginx_rc_main_file + stat = File.stat(File.join($config["etc_dir"], "perp", "nginx", "rc.main")) + assert_equal("100750", stat.mode.to_s(8)) + assert_process_owner(stat) + assert_group(stat) + end + + def test_etc_trafficserver_dir + stat = File.stat(File.join($config["etc_dir"], "trafficserver")) + assert_equal("40750", stat.mode.to_s(8)) + assert_owner(stat) + assert_group(stat) + end + + def test_log_dir + stat = File.stat($config["log_dir"]) + assert_equal("40750", stat.mode.to_s(8)) + assert_process_owner(stat) + assert_group(stat) + end + + def test_log_nginx_dir + stat = File.stat(File.join($config["log_dir"], "nginx")) + assert_equal("40750", stat.mode.to_s(8)) + assert_owner(stat) + assert_group(stat) + end + + def test_run_dir + stat = File.stat($config["run_dir"]) + assert_equal("40750", stat.mode.to_s(8)) + assert_owner(stat) + assert_group(stat) + end + + def test_run_runtime_config_file + stat = File.stat(File.join($config["run_dir"], "runtime_config.yml")) + assert_equal("100640", stat.mode.to_s(8)) + assert_process_owner(stat) + assert_group(stat) + end + + def test_run_cached_random_config_file + stat = File.stat(File.join($config["run_dir"], "cached_random_config_values.yml")) + assert_equal("100640", stat.mode.to_s(8)) + assert_process_owner(stat) + assert_group(stat) + end + + def test_tmp_dir + stat = File.stat($config["tmp_dir"]) + assert_equal("41777", stat.mode.to_s(8)) + assert_owner(stat) + assert_group(stat) + end + + def test_var_dir + stat = File.stat($config["var_dir"]) + assert_equal("40750", stat.mode.to_s(8)) + assert_process_owner(stat) + assert_group(stat) + end + + def test_var_trafficserver_dir + stat = File.stat(File.join($config["var_dir"], "trafficserver")) + assert_equal("40750", stat.mode.to_s(8)) + assert_owner(stat) + assert_group(stat) + end + + private + + def assert_process_owner(stat) + assert_equal(@@process_uid, stat.uid) + end + + def assert_owner(stat) + if(@@user_uid) + assert_equal(@@user_uid, stat.uid) + else + assert_equal(@@process_uid, stat.uid) + end + end + + def assert_group(stat) + if(@@group_gid) + assert_equal(@@group_gid, stat.gid) + else + assert_equal(@@process_gid, stat.gid) + end + end +end diff --git a/test/proxy/test_config.rb b/test/proxy/test_config.rb index 28340657e..60274fed3 100644 --- a/test/proxy/test_config.rb +++ b/test/proxy/test_config.rb @@ -25,7 +25,7 @@ def test_overrides_default_null_value_with_hash test_config = YAML.load_file(File.join(API_UMBRELLA_SRC_ROOT, "config/test.yml")) assert_equal(expected_test_value, test_config["web"]["mailer"]["smtp_settings"]) - runtime_config = YAML.load_file(File.join($config["root_dir"], "var/run/runtime_config.yml")) + runtime_config = YAML.load_file(File.join($config["run_dir"], "runtime_config.yml")) assert_equal(expected_test_value, runtime_config["web"]["mailer"]["smtp_settings"]) end @@ -39,7 +39,7 @@ def test_overrides_default_null_value_with_string test_config = YAML.load_file(File.join(API_UMBRELLA_SRC_ROOT, "config/test.yml")) assert_equal(expected_test_value, test_config["web"]["admin"]["auth_strategies"]["google"]["client_secret"]) - runtime_config = YAML.load_file(File.join($config["root_dir"], "var/run/runtime_config.yml")) + runtime_config = YAML.load_file(File.join($config["run_dir"], "runtime_config.yml")) assert_equal(expected_test_value, runtime_config["web"]["admin"]["auth_strategies"]["google"]["client_secret"]) end @@ -58,7 +58,7 @@ def test_overrides_default_empty_hash_value test_config = YAML.load_file(File.join(API_UMBRELLA_SRC_ROOT, "config/test.yml")) assert_equal(expected_test_value, test_config["web"]["admin"]["auth_strategies"]["ldap"]["options"]) - runtime_config = YAML.load_file(File.join($config["root_dir"], "var/run/runtime_config.yml")) + runtime_config = YAML.load_file(File.join($config["run_dir"], "runtime_config.yml")) assert_equal(expected_test_value, runtime_config["web"]["admin"]["auth_strategies"]["ldap"]["options"]) end end diff --git a/test/support/api_umbrella_test_helpers/process.rb b/test/support/api_umbrella_test_helpers/process.rb index 288560f8b..f8954a04e 100644 --- a/test/support/api_umbrella_test_helpers/process.rb +++ b/test/support/api_umbrella_test_helpers/process.rb @@ -18,7 +18,7 @@ def self.start start_time = Time.now.utc FileUtils.rm_rf(Dir.glob(File.join(TEST_RUN_ROOT, "*"), File::FNM_DOTMATCH) - [File.join(TEST_RUN_ROOT, "."), File.join(TEST_RUN_ROOT, "..")]) - FileUtils.mkdir_p(File.join(TEST_RUN_API_UMBRELLA_ROOT, "var/log")) + FileUtils.mkdir_p(TEST_RUN_API_UMBRELLA_ROOT) original_env = ENV.to_hash begin @@ -129,6 +129,10 @@ def self.start # class to ensure we have a chance to properly stop the child process on # things like SIGINTs. rescue Exception => e # rubocop:disable Lint/RescueException + puts "Error occurred while starting api-umbrella, stopping..." + puts e.message + puts e.backtrace.join("\n") + self.stop raise e end