--- doc/install/linux/install.pl 2024/08/01 12:56:58 1.94 +++ doc/install/linux/install.pl 2024/11/27 16:24:20 1.98 @@ -78,7 +78,7 @@ if (!open(LOG,">>loncapa_install.log")) &mt('Stopping execution.')."\n"; exit; } else { - print LOG '$Id: install.pl,v 1.94 2024/08/01 12:56:58 raeburn Exp $'."\n"; + print LOG '$Id: install.pl,v 1.98 2024/11/27 16:24:20 raeburn Exp $'."\n"; } # @@ -732,7 +732,7 @@ sub check_mysql_running { $proc_owner = 'mysql'; $process = 'mysqld'; } - if ($1 >= 15) { + if ($1 >= 12) { $mysqldaemon ='mariadb'; } } elsif ($distro =~ /^suse(\d+)/) { @@ -818,9 +818,15 @@ sub chkconfig { $uses_systemctl{'ntp'} = 1; $uses_systemctl{'cups'} = 1; $uses_systemctl{'memcached'} = 1; - if (($name eq 'sles') && ($num >= 15)) { - $daemon{'ntp'} = 'chronyd'; - $daemon{'mysql'} = 'mariadb'; + if ($name eq 'sles') { + if ($num >= 12) { + $daemon{'mysql'} = 'mariadb'; + } + if ($num >= 15) { + $daemon{'ntp'} = 'chronyd'; + } else { + $daemon{'ntp'} = 'ntpd'; + } } else { $daemon{'ntp'} = 'ntpd'; } @@ -850,7 +856,7 @@ sub chkconfig { (($distro =~ /^debian/) && ($version >= 10))) { $daemon{'ntp'} = 'chrony'; } - if (($distro =~ /^debian/) && ($version >= 11)) { + if (($distro =~ /^debian/) && ($version >= 10)) { $daemon{'mysql'} = 'mariadb'; } } elsif ($distro =~ /^fedora(\d+)/) { 
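Review bot: In check_mysql_running the changed test `if ($1 >= 12)` still reads the capture variable several statements after the pattern match that set it, and that match lies outside this hunk. Any successful match added in between would silently change which SLES versions get `mariadb`. chkconfig in this same patch compares a named `$num` instead; copying the capture right after the match, e.g. `my $num = $1;`, and testing `if ($num >= 12)` would make the two subs agree. The body of check_mysql_running starts and ends outside the hunk, so the match itself could not be checked.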
@@ -982,11 +988,21 @@ sub check_systemd_security { $service = 'apache2.service'; } system("systemctl daemon-reload"); - if (open(PIPE,"systemctl show $service --property=ProtectHome 2>/dev/null |")) { - my $protection = ; + if (open(PIPE,"systemctl show $service --property=ProtectHome --property=RestrictSUIDSGID 2>/dev/null |")) { + my ($protecthome,$suidsgid); + while (my $line = ) { + chomp($line); + if ($line =~ /^ProtectHome=(read-only|yes)$/i) { + $protecthome = 1; + } elsif ($line =~ /^RestrictSUIDSGID=yes$/i) { + $suidsgid = 1; + } + } close(PIPE); - chomp($protection); - if ($protection =~ /^ProtectHome=(read-only|yes)$/i) { + if ($protecthome) { + return 1; + } + if ($suidsgid) { return 1; } } else { 
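Review bot: The new loop in check_systemd_security accepts only `read-only` and `yes` for ProtectHome, but systemd also allows `ProtectHome=tmpfs`, which likewise hides /home from the service, so the function would not return 1 for a unit set that way. Widening the pattern to `/^ProtectHome=(read-only|tmpfs|yes)$/i` covers it. The two consecutive `return 1` tests can be one statement, `return 1 if ($protecthome || $suidsgid);`. Separately, `$service` is interpolated into a shell command string; the one assignment visible here is a fixed literal, but the list form of pipe open would keep the shell out of it if that ever changes. The function continues outside the hunk.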
@@ -2973,46 +2989,96 @@ sub check_systemd_update { if (-d '/etc/systemd/system/'.$service.'.d') { if (-e '/etc/systemd/system/'.$service.'.d/override.conf') { if (open(my $fh,'<','/etc/systemd/system/'.$service.'.d/override.conf')) { - my ($inservice,$addservice,$protectoff,$linenum,$change,@lines); + my ($category,$addservice,$needs_update,$linenum,%is_no,%lines, + @move,@nocat,@ordered); + $linenum = 0; while (my $entry = <$fh>) { $linenum ++; chomp($entry); - if ($entry eq '[Service]') { - if (!$protectoff) { - $inservice = $linenum; - push(@lines,$entry); + if ($entry =~ /^\s*\[([^\]]+)\]\s*$/) { + $category = $1; + if ($category =~ /^Service$/i) { + unless (grep(/^Service$/,@ordered)) { + push(@ordered,'Service'); + } } else { - $addservice = 1; - next; + unless (grep(/^\Q$category\E$/,@ordered)) { + push(@ordered,$category); + } } - } - if ($entry =~ /^ProtectHome\s*=\s*([\w-]+)\s*$/) { - my $value = $1; - if ($protectoff) { - next; - if (lc($value) eq 'no') { - $protectoff = $linenum; - push(@lines,$entry); + } elsif ($entry =~ /^(ProtectHome|RestrictSUIDSGID)\s*=\s*([\w-]+)\s*$/) { + my ($key,$value) = ($1,$2); + next if ($is_no{$key}); + if (lc($value) eq 'no') { + if ($category =~ /^Service$/i) { + push(@{$lines{'Service'}},$entry); } else { - if ($protectoff) { - next; - } else { - push(@lines,'ProtectHome=no'); - $protectoff = $linenum; - $change = $linenum; - } + push(@move,$entry); + $needs_update = 1; + } + } else { + my $offstr = $key.'=no'; + if ($category =~ /^Service$/i) { + push(@{$lines{'Service'}},$offstr); + } else { + push(@move,$offstr); } + $needs_update = 1; + } + $is_no{$key} = $linenum; + } else { + next if ($entry =~ /^\s*$/); + if ($category =~ /^Service$/i) { + push(@{$lines{'Service'}},$entry); + } elsif ($category ne '') { + push(@{$lines{$category}},$entry); + } else { + push(@nocat,$entry); } } } close($fh); - if ($addservice || $change || !$protectoff) { + unless (grep(/^Service$/,@ordered)) { + $addservice = 1; + 
unshift(@ordered,'Service'); + } + foreach my $item ('ProtectHome','RestrictSUIDSGID') { + unless (exists($is_no{$item})) { + push(@{$lines{'Service'}},$item.'=no'); + $needs_update = 1; + } + } + if ($addservice || $needs_update) { if (open(my $fh,'>','/etc/systemd/system/'.$service.'.d/override.conf')) { - if ($addservice) { - print $fh "[Service]\n"; + if (@ordered) { + foreach my $category (@ordered) { + print $fh "[$category]\n"; + if (ref($lines{$category}) eq 'ARRAY') { + foreach my $item (@{$lines{$category}}) { + print $fh "$item\n"; + } + } + if ($category eq 'Service') { + if (@move) { + foreach my $item (@move) { + if ($item =~ /^(ProtectHome|RestrictSUIDSGID)\s*=\s*no\s*$/i) { + my $key = $1; + unless (grep/^$key\s*=\s*no\s*$/i,@{$lines{$category}}) { + print $fh "$item\n"; + } + } else { + print $fh "$item\n"; + } + } + } + } + print $fh "\n"; + } } - foreach my $entry (@lines) { - print $fh "$entry\n"; + if (@nocat) { + foreach my $item (@nocat) { + print $fh "$item\n"; + } } close($fh); print_and_log('Updated /etc/systemd/system/'.$service.'.d/override.conf'); @@ -3028,10 +3094,12 @@ sub check_systemd_update { } } else { if (open(my $fh,'>','/etc/systemd/system/'.$service.'.d/override.conf')) { - print $fh '[Service]'."\n".'ProtectHome=no'."\n"; + print $fh '[Service]'."\n".'ProtectHome=no'."\n".'RestrictSUIDSGID=no'."\n"; close($fh); print_and_log('Created /etc/systemd/system/'.$service.'.d/override.conf'); system('systemctl daemon-reload'); + } else { + print_and_log('Could not open /etc/systemd/system/'.$service.'.d/override.conf for writing.'); } } } else {
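Review bot: Lines read before the first section header are collected in `@nocat` and then printed after the last section, so a comment block at the top of override.conf moves to the bottom and a stray directive ends up under whichever section was written last. Printing the `if (@nocat) { ... }` block before `foreach my $category (@ordered)` keeps those lines where they were. `$category` is also undefined until the first header is seen, so the `$category =~ /^Service$/i` tests run on undef; initialising it with `$category = '';` beside `$linenum = 0;` makes the `$category ne ''` test mean what it says. The rewrite also forces an explicit administrator value of `ProtectHome` or `RestrictSUIDSGID` to `no` while the log line only says the file was updated; naming the changed keys in the `print_and_log` call would leave a trace of which sandboxing settings were relaxed.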
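Review bot: The drop-in created in this last hunk of check_systemd_update turns off two systemd sandboxing settings for the service, yet the file carries no comment saying what wrote it or why. systemd unit files accept `#` comment lines, so a line such as `# Set by LON-CAPA install.pl` inside the `[Service]` section would let an administrator auditing unit overrides trace the change. The results of `print $fh` and `close($fh)` are not checked before 'Created ...' is logged, so a failed write is still reported as success; testing the return of `close($fh)` before calling `print_and_log` would catch that. The enclosing function starts outside the hunk.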