--- doc/install/linux/install.pl 2024/11/26 22:08:36 1.96
+++ doc/install/linux/install.pl 2024/11/26 23:54:22 1.97
@@ -78,7 +78,7 @@ if (!open(LOG,">>loncapa_install.log"))
 &mt('Stopping execution.')."\n";
 exit;
 } else {
- print LOG '$Id: install.pl,v 1.96 2024/11/26 22:08:36 raeburn Exp $'."\n";
+ print LOG '$Id: install.pl,v 1.97 2024/11/26 23:54:22 raeburn Exp $'."\n";
 }
 #
@@ -988,11 +988,21 @@ sub check_systemd_security {
 $service = 'apache2.service';
 }
 system("systemctl daemon-reload");
- if (open(PIPE,"systemctl show $service --property=ProtectHome 2>/dev/null |")) {
- my $protection = ;
+ if (open(PIPE,"systemctl show $service --property=ProtectHome --property=RestrictSUIDSGID 2>/dev/null |")) {
+ my ($protecthome,$suidsgid);
+ while (my $line = ) {
+ chomp($line);
+ if ($line =~ /^ProtectHome=(read-only|yes)$/i) {
+ $protecthome = 1;
+ } elsif ($line =~ /^RestrictSUIDSGID=yes$/i) {
+ $suidsgid = 1;
+ }
+ }
 close(PIPE);
- chomp($protection);
- if ($protection =~ /^ProtectHome=(read-only|yes)$/i) {
+ if ($protecthome) {
+ return 1;
+ }
+ if ($suidsgid) {
 return 1;
 }
 } else {
@@ -2979,8 +2989,8 @@ sub check_systemd_update {
 if (-d '/etc/systemd/system/'.$service.'.d') {
 if (-e '/etc/systemd/system/'.$service.'.d/override.conf') {
 if (open(my $fh,'<','/etc/systemd/system/'.$service.'.d/override.conf')) {
- my ($category,$addservice,$protectoff,$linenum,$change,
- %lines,@move,@nocat,@ordered);
+ my ($category,$addservice,$protectoff,$changeprot,$suidsgidok,$changesug,
+ $linenum,%lines,@move,@nocat,@ordered);
 $linenum = 0;
 while (my $entry = <$fh>) {
 $linenum ++;
@@ -3000,7 +3010,7 @@ sub check_systemd_update {
 push(@{$lines{'Service'}},$entry);
 } else {
 push(@move,$entry);
- $change = $linenum;
+ $changeprot = $linenum;
 }
 } else {
 if ($category =~ /^Service$/i) {
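Review bot: The ProtectHome test at `if ($line =~ /^ProtectHome=(read-only|yes)$/i)` does not match `tmpfs`, which systemd also accepts for ProtectHome= and which, like `yes`, hides the real home directories from the service; `/^ProtectHome=(read-only|yes|tmpfs)$/i` would cover it, assuming the intent is to detect any setting that keeps the service out of home. The two consecutive `return 1` blocks after `close(PIPE)` test independent flags and can be a single `if ($protecthome || $suidsgid) { return 1; }`. The rewritten pipe still uses the two-argument `open` on a bareword handle with `$service` interpolated into a shell command line; the list form `open(my $pipe, '-|', 'systemctl', 'show', $service, '--property=ProtectHome', '--property=RestrictSUIDSGID')` runs systemctl without a shell (the `2>/dev/null` would then need to be done another way, e.g. a local STDERR redirect). The one assignment visible in the hunk, `$service = 'apache2.service';`, is a literal, so this reads as a hygiene point rather than an injection risk today, assuming the other branches are similar. The `} else {` at the end of the hunk shows check_systemd_security continues outside it.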
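Review bot: The scalars in `my ($category,$addservice,$protectoff,$changeprot,$suidsgidok,$changesug, $linenum,%lines,@move,@nocat,@ordered);` carry distinct roles that nothing in the code states: from the later hunks, `$protectoff` and `$suidsgidok` hold the line number of the first `ProtectHome=`/`RestrictSUIDSGID=` line encountered, while `$changeprot` and `$changesug` record that the line had to be rewritten or moved into `[Service]`. The name `$suidsgidok` also overstates its meaning, since it is set even when the existing value was not `no` and is being overridden. A comment above the declaration such as `# $protectoff/$suidsgidok: line number of the first ProtectHome=/RestrictSUIDSGID= seen (undef = absent)` and `# $changeprot/$changesug: set when that line must be rewritten or moved into [Service]` would make the rewrite condition at the end of the sub readable. This declaration sits inside check_systemd_update, whose body starts before and ends after the hunk.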
@@ -3008,9 +3018,28 @@ sub check_systemd_update {
 } else {
 push(@move,'ProtectHome=no');
 }
- $change = $linenum;
+ $changeprot = $linenum;
 }
 $protectoff = $linenum;
+ } elsif ($entry =~ /^RestrictSUIDSGID\s*=\s*([\w-]+)\s*$/) {
+ my $value = $1;
+ next if ($suidsgidok);
+ if (lc($value) eq 'no') {
+ if ($category =~ /^Service$/i) {
+ push(@{$lines{'Service'}},$entry);
+ } else {
+ push(@move,$entry);
+ $changesug = $linenum;
+ }
+ } else {
+ if ($category =~ /^Service$/i) {
+ push(@{$lines{'Service'}},'RestrictSUIDSGID=no');
+ } else {
+ push(@move,'RestrictSUIDSGID=no');
+ }
+ $changesug = $linenum;
+ }
+ $suidsgidok = $linenum;
 } else {
 next if ($entry =~ /^\s*$/);
 if ($category =~ /^Service$/i) {
@@ -3030,7 +3059,10 @@ sub check_systemd_update {
 if (!$protectoff) {
 push(@{$lines{'Service'}},'ProtectHome=no');
 }
- if ($addservice || $change || !$protectoff) {
+ if (!$suidsgidok) {
+ push(@{$lines{'Service'}},'RestrictSUIDSGID=no');
+ }
+ if ($addservice || $changeprot || !$protectoff || $changesug || !$suidsgidok) {
 if (open(my $fh,'>','/etc/systemd/system/'.$service.'.d/override.conf')) {
 if (@ordered) {
 foreach my $category (@ordered) {
@@ -3047,6 +3079,10 @@ sub check_systemd_update {
 unless (grep/^ProtectHome\s*=\s*no\s*$/i,@{$lines{$category}}) {
 print $fh "$item\n";
 }
+ } elsif ($item =~ /^RestrictSUIDSGID\s*=\s*no\s*$/i) {
+ unless (grep/^RestrictSUIDSGID\s*=\s*no\s*$/i,@{$lines{$category}}) {
+ print $fh "$item\n";
+ }
 } else {
 print $fh "$item\n";
 }
@@ -3075,7 +3111,7 @@ sub check_systemd_update {
 }
 } else {
 if (open(my $fh,'>','/etc/systemd/system/'.$service.'.d/override.conf')) {
- print $fh '[Service]'."\n".'ProtectHome=no'."\n";
+ print $fh '[Service]'."\n".'ProtectHome=no'."\n".'RestrictSUIDSGID=no'."\n";
 close($fh);
 print_and_log('Created /etc/systemd/system/'.$service.'.d/override.conf');
 system('systemctl daemon-reload');
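Review bot: `next if ($suidsgidok);` drops any second `RestrictSUIDSGID=` line without marking the file as changed, so when the first occurrence was already `no` inside `[Service]` and a later line says `RestrictSUIDSGID=yes`, neither `$changesug` nor `!$suidsgidok` triggers a rewrite and the later line — which systemd, taking the last assignment of the setting, would honour — stays in effect. Recording the skip as a change, `if ($suidsgidok) { $changesug = $linenum; next; }`, makes the override get rewritten with only the first (forced-to-`no`) line. If the `ProtectHome=` branch above this hunk, outside the commit, guards duplicates the same way, it has the same gap. The capture in `/^RestrictSUIDSGID\s*=\s*([\w-]+)\s*$/` is only compared with `lc($value) eq 'no'`, so the other systemd spellings of false (`0`, `false`, `off`) are rewritten to `no` as if they were `yes`; that matches the intent of forcing the setting off, but a comment saying so would stop a reader from treating it as an oversight. check_systemd_update starts before and ends after this hunk.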
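Review bot: The override written by `print $fh '[Service]'."\n".'ProtectHome=no'."\n".'RestrictSUIDSGID=no'."\n";` turns off two of the distribution's unit hardening settings without any record of why, so an administrator reviewing `systemctl cat` output later sees only the weakened values. A leading comment line in the generated file, for example `print $fh "# Generated by LON-CAPA install.pl: ProtectHome and RestrictSUIDSGID relaxed for LON-CAPA\n";`, would attribute the change at the point where it is audited; the rewrite path in the `@@ -3030` hunk, which appends `RestrictSUIDSGID=no` to an existing override, would benefit from the same line. The return value of `print` and the following `close($fh)` are unchecked, so a failed write to /etc/systemd is still reported as a successful creation by `print_and_log`; `close($fh) or print_and_log(...)` would surface it. The enclosing `if (open(...))` block and check_systemd_update both continue past the end of the hunk.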