File:  [LON-CAPA] / doc / loncapafiles / systemd_config_check.piml
Wed Nov 27 16:30:09 2024 UTC (7 days, 9 hours ago) by raeburn
Branches: MAIN
CVS tags: version_2_12_X, version_2_11_X, HEAD
- Support Fedora 40 and 41
 - Check if RestrictSUIDSGID property is set to yes for httpd.service,
   If so, include RestrictSUIDSGID=no in override.conf
 - If /etc/systemd/httpd.service.d/override.conf already exists, change
   what needs to be changed and preserve the rest.

<!DOCTYPE piml PUBLIC "-//TUX/DTD piml 1.0 Final//EN"
        "http://lpml.sourceforge.net/DTD/piml.dtd">
<!-- systemd_config_check.piml -->

<!-- $Id: systemd_config_check.piml,v 1.2 2024/11/27 16:30:09 raeburn Exp $ -->

<!--

This file is part of the LearningOnline Network with CAPA (LON-CAPA).

LON-CAPA is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.

LON-CAPA is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with LON-CAPA; if not, write to the Free Software
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA

/home/httpd/html/adm/gpl.txt

http://www.lon-capa.org/

-->

<piml>
<targetroot>/</targetroot>
<files>
<file>
<target dist="default">/home/httpd/perl</target>
<perlscript mode="fg">

use strict;

# Decide which systemd unit runs Apache on this distribution and whether the
# release is recent enough for systemctl to be used. The DIST placeholder in
# the string below is presumably filled in with a name+version identifier
# (letters followed by digits and dots) when this PIML file is processed;
# if it does not have that shape, $dist and $version stay undefined and
# nothing below applies.
my ($dist,$version) = ('<DIST />' =~ /^([A-Za-z]+)([\d\.]+)$/);

# Lowest release number of each distribution for which systemctl is used.
my %systemctl_since = (
    'sles',       12,
    'suse',       12,
    'fedora',     16,
    'centos',     7,
    'rhes',       7,
    'scientific', 7,
    'oracle',     7,
    'rocky',      7,
    'alma',       7,
    'ubuntu',     16,
    'debian',     9,
);

# Distributions whose Apache unit is httpd.service; all others keep the
# default of apache2.service.
my %uses_httpd;
@uses_httpd{qw(fedora centos rhes scientific oracle rocky alma)} = ();

my $service = exists($uses_httpd{$dist}) ? 'httpd.service' : 'apache2.service';

my $use_systemctl;
if (exists($systemctl_since{$dist}) &amp;&amp; ($version &gt;= $systemctl_since{$dist})) {
    $use_systemctl = 1;
}

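# Apache's systemd unit may enable the ProtectHome and RestrictSUIDSGID
# sandboxing properties. When systemctl reports either one as enabled, a
# drop-in file (override.conf) is created or updated so that both are "no".
#
# Security note: this removes two hardening measures from the web server.
# With ProtectHome=no the service can reach /home, /root and /run/user; with
# RestrictSUIDSGID=no it may set the set-user-ID and set-group-ID bits on
# files and directories. The messages printed below give the reasons: with
# the restrictions in place the LON-CAPA web interface is not usable and
# sub-directories cannot be created in Authoring Space.
# NOTE(review): both properties are switched off even when only one of them
# was reported as enabled. A narrower exception (for example
# ProtectHome=tmpfs together with BindPaths= for the directories LON-CAPA
# needs) might be enough; whether LON-CAPA works with that is not
# established here.
if ($use_systemctl) {
    my $dropin_dir = '/etc/systemd/system/'.$service.'.d';
    my $override_conf = $dropin_dir.'/override.conf';

    # Presumably run so that "systemctl show" reflects the unit files
    # currently on disk.
    system('systemctl daemon-reload');

    # $service is one of the two fixed unit names assigned earlier in this
    # script, so no external data reaches the shell command line here.
    if (open(PIPE,"systemctl show $service --property=ProtectHome --property=RestrictSUIDSGID 2&gt;/dev/null |")) {
        my ($protecthome,$suidsgid);
        while (my $line =&lt;PIPE&gt;) {
            chomp($line);
            # NOTE(review): ProtectHome=tmpfs also hides /home but is not
            # matched here. Left as is, because an administrator who chose
            # tmpfs may have paired it with BindPaths= on purpose.
            if ($line =~ /^ProtectHome=(read-only|yes)$/i) {
                $protecthome = 1;
            } elsif ($line =~ /^RestrictSUIDSGID=yes$/i) {
                $suidsgid = 1;
            }
        }
        close(PIPE);
        if ($protecthome || $suidsgid) {
            if (!-d $dropin_dir) {
                # Return value is not checked; the -d test below catches failure.
                mkdir $dropin_dir, 0755;
            }
            if (-d $dropin_dir) {
                if (-e $override_conf) {
                    if (open(my $fh,'&lt;',$override_conf)) {
                        # $category    section currently being read
                        # @ordered     section names in order of first appearance
                        # %lines       section name to the lines kept for it
                        # @move        ProtectHome/RestrictSUIDSGID settings found
                        #              outside [Service]; written under [Service]
                        # @nocat       lines seen before the first section header
                        # %is_no       key to line number of its first occurrence;
                        #              later duplicates of the key are dropped
                        # $needs_update, $addservice   set when a rewrite is needed
                        my ($category,$addservice,$needs_update,$linenum,%is_no,%lines,
                            @move,@nocat,@ordered);
                        $linenum = 0;
                        while (my $entry = &lt;$fh&gt;) {
                            $linenum ++;
                            chomp($entry);
                            if ($entry =~ /^\s*\[([^\]]+)\]\s*$/) {
                                # Section header. Any capitalisation of
                                # "Service" is recorded as 'Service'.
                                $category = $1;
                                if ($category =~ /^Service$/i) {
                                    unless (grep(/^Service$/,@ordered)) {
                                        push(@ordered,'Service');
                                    }
                                } else {
                                    unless (grep(/^\Q$category\E$/,@ordered)) {
                                        push(@ordered,$category);
                                    }
                                }
                            } elsif ($entry =~ /^(ProtectHome|RestrictSUIDSGID)\s*=\s*([\w-]+)\s*$/) {
                                my ($key,$value) = ($1,$2);
                                # Only the first occurrence of each key is used.
                                next if ($is_no{$key});
                                if (lc($value) eq 'no') {
                                    if ($category =~ /^Service$/i) {
                                        push(@{$lines{'Service'}},$entry);
                                    } else {
                                        # Already "no", but in the wrong section.
                                        push(@move,$entry);
                                        $needs_update = 1;
                                    }
                                } else {
                                    # Any other value is replaced with "no".
                                    my $offstr = $key.'=no';
                                    if ($category =~ /^Service$/i) {
                                        push(@{$lines{'Service'}},$offstr);
                                    } else {
                                        push(@move,$offstr);
                                    }
                                    $needs_update = 1;
                                }
                                $is_no{$key} = $linenum;
                            } else {
                                # Every other non-blank line (comments included)
                                # is kept with the section it was found in.
                                next if ($entry =~ /^\s*$/);
                                if ($category =~ /^Service$/i) {
                                    push(@{$lines{'Service'}},$entry);
                                } elsif ($category ne '') {
                                    push(@{$lines{$category}},$entry);
                                } else {
                                    push(@nocat,$entry);
                                }
                            }
                        }
                        close($fh);
                        unless (grep(/^Service$/,@ordered)) {
                            $addservice = 1;
                            unshift(@ordered,'Service');
                        }
                        foreach my $item ('ProtectHome','RestrictSUIDSGID') {
                            unless (exists($is_no{$item})) {
                                push(@{$lines{'Service'}},$item.'=no');
                                $needs_update = 1;
                            }
                        }
                        if ($addservice || $needs_update) {
                            # NOTE(review): the file is truncated and rewritten
                            # in place and the results of print and close are
                            # not checked, so a failed write can leave a partial
                            # override.conf. Writing a temporary file in the
                            # same directory and renaming it would avoid that.
                            if (open(my $fh,'&gt;',$override_conf)) {
                                # Lines that came before the first section header
                                # are written back at the top. Appending them at
                                # the end would place them inside the last
                                # section, where an assignment that systemd
                                # ignored before could start to take effect.
                                if (@nocat) {
                                    foreach my $item (@nocat) {
                                        print $fh "$item\n";
                                    }
                                    print $fh "\n";
                                }
                                foreach my $category (@ordered) {
                                    print $fh "[$category]\n";
                                    if (ref($lines{$category}) eq 'ARRAY') {
                                        foreach my $item (@{$lines{$category}}) {
                                            print $fh "$item\n";
                                        }
                                    }
                                    if ($category eq 'Service') {
                                        # Copy, so that the duplicate check below
                                        # never dereferences an undefined value.
                                        my @service_lines;
                                        if (ref($lines{'Service'}) eq 'ARRAY') {
                                            @service_lines = @{$lines{'Service'}};
                                        }
                                        foreach my $item (@move) {
                                            if ($item =~ /^(ProtectHome|RestrictSUIDSGID)\s*=\s*no\s*$/i) {
                                                my $key = $1;
                                                unless (grep(/^$key\s*=\s*no\s*$/i,@service_lines)) {
                                                    print $fh "$item\n";
                                                }
                                            } else {
                                                print $fh "$item\n";
                                            }
                                        }
                                    }
                                    print $fh "\n";
                                }
                                close($fh);
                                print 'Updated /etc/systemd/system/'.$service.'.d/override.conf'."\n";
                                # NOTE(review): the effective values are not
                                # queried again after this reload, so a drop-in
                                # that is read after override.conf and sets the
                                # properties again would go unnoticed.
                                system('systemctl daemon-reload');
                            } else {
                                if ($protecthome) {
                                    print '**** ERROR: Could not open /etc/systemd/system/'.$service.'.d/override.conf to write ProtectHome=no.'."\n".
                                          'LON-CAPA web interface will not be usable.'."\n";
                                }
                                if ($suidsgid) {
                                    print '**** ERROR: Could not open /etc/systemd/system/'.$service.'.d/override.conf to write RestrictSUIDSGID=no.'."\n".
                                          'Creation of sub-directories in Authoring Space will not be possible from the web interface.'."\n";
                                }
                            }
                        }
                    } else {
                        # The file exists but cannot be read: report it rather
                        # than leaving the restrictions in place silently.
                        print '**** ERROR: Could not open /etc/systemd/system/'.$service.'.d/override.conf to read the existing settings.'."\n";
                        if ($protecthome) {
                            print 'LON-CAPA web interface will not be usable.'."\n";
                        }
                        if ($suidsgid) {
                            print 'Creation of sub-directories in Authoring Space will not be possible from the web interface.'."\n";
                        }
                    }
                } else {
                    # No override.conf yet: create one holding only the two settings.
                    if (open(my $fh,'&gt;',$override_conf)) {
                        print $fh '[Service]'."\n".'ProtectHome=no'."\n".'RestrictSUIDSGID=no'."\n";
                        close($fh);
                        print 'Created /etc/systemd/system/'.$service.'.d/override.conf'."\n";
                        system('systemctl daemon-reload');
                    } else {
                        if ($protecthome) {
                            print '**** ERROR: Could not open /etc/systemd/system/'.$service.'.d/override.conf to write ProtectHome=no.'."\n".
                                  'LON-CAPA web interface will not be usable.'."\n";
                        }
                        if ($suidsgid) {
                            print '**** ERROR: Could not open /etc/systemd/system/'.$service.'.d/override.conf to write RestrictSUIDSGID=no.'."\n".
                                  'Creation of sub-directories in Authoring Space will not be possible from the web interface.'."\n";
                        }
                    }
                }
            } else {
                print '**** ERROR: No /etc/systemd/system/'.$service.'.d directory exists and creating one failed.'."\n";
                if ($protecthome) {
                    print 'LON-CAPA web interface will not be usable.'."\n";
                }
                if ($suidsgid) {
                    print 'Creation of sub-directories in Authoring Space will not be possible from the web interface.'."\n";
                }
            }
        }
    } else {
        print '**** WARNING *** Could not determine status of ProtectHome property for systemd '.$service.".\n".
              'It was not possible to determine whether LON-CAPA web interface will be usable.'."\n";
    }
}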

</perlscript>
</file>
</files>
</piml>
