From: Micah Anderson Date: Fri, 9 Jun 2006 17:27:21 +0000 (+0000) Subject: Added a slightly modified version of the anti-fascist patch (allows for X-Git-Tag: backupninja-0.9.4~39 X-Git-Url: https://git.stderr.nl/gitweb?a=commitdiff_plain;h=489e294c50b6cba7545a110d26edd43e6b6e55ea;p=matthijs%2Fupstream%2Fbackupninja.git Added a slightly modified version of the anti-fascist patch (allows for a configurable admingroup to be set, instead of forcing it to be root), closes debian bug#370396 --- diff --git a/AUTHORS b/AUTHORS index 4181b73..8b615d1 100644 --- a/AUTHORS +++ b/AUTHORS @@ -15,3 +15,4 @@ cmccallum@thecsl.org Daniel.Bonniot@inria.fr Brad Fritz -- trac patch garcondumonde@riseup.net +Martin Krafft madduck@debian.org -- admingroup patch \ No newline at end of file diff --git a/ChangeLog b/ChangeLog index 07430ce..b1e9fd7 100644 --- a/ChangeLog +++ b/ChangeLog @@ -3,6 +3,11 @@ version 0.9.4 -- unreleased . Fixed bug in toint(), and thus isnow(), which caused it to not work when run from cron. . Recursively ignore subdirs in /etc/backup.d (Closes: #361102) + . Add admingroup option to configuration to allow a group that can + read/write configurations (instead of only allowing root). Checks + and complains about group-readable files only when the group differs + from the one in the configuration file (default is root as before). + Thanks to Martin Krafft for the patch (Closes: #370396). handler changes Added tar handler mysql: diff --git a/etc/backupninja.conf.in b/etc/backupninja.conf.in index 362eb59..10ac2bb 100644 --- a/etc/backupninja.conf.in +++ b/etc/backupninja.conf.in 
@@ -25,6 +25,10 @@ reportsuccess = yes # even if there was no error. (default = yes) reportwarning = yes +# set to the administration group that is allowed to +# read/write configuration files in /etc/backup.d +admingroup = root + ####################################################### # for most installations, the defaults below are good # ####################################################### diff --git a/src/backupninja.in b/src/backupninja.in index 2835a3c..57936da 100755 --- a/src/backupninja.in +++ b/src/backupninja.in 
@@ -130,17 +130,37 @@ function msg { # function check_perms() { - local file=$1 - local perms=`ls -ld $file` - perms=${perms:4:6} - if [ "$perms" != "------" ]; then - echo "Configuration files must not be group or world writable/readable! Dying on file $file" - fatal "Configuration files must not be group or world writable/readable! Dying on file $file" - fi - if [ `ls -ld $file | awk '{print $3}'` != "root" ]; then - echo "Configuration files must be owned by root! Dying on file $file" - fatal "Configuration files must be owned by root! Dying on file $file" - fi + local file=$1 + local perms + perms=($(stat -L --printf='%a %g %G %u %U' $file)) + local gperm=${perms[0]:1:1} + local wperm=${perms[0]:2:1} + local gid=${perms[1]} + local group=${perms[2]} + local owner=${perms[3]} + + if [ "$owner" != 0 ]; then + echo "Configuration files must be owned by root! Dying on file $file" + fatal "Configuration files must be owned by root! Dying on file $file" + fi + + if [ $wperm -gt 0 ]; then + echo "Configuration files must not be world writable/readable! Dying on file $file" + fatal "Configuration files must not be world writable/readable! Dying on file $file" + fi + + if [ $gperm -gt 0 ]; then + case "$admingroup" in + $gid|$group) :;; + + *) + if [ "$gid" != 0 ]; then + echo "Configuration files must writable/readable by group ${perms[2]}! Dying on file $file" + fatal "Configuration files must writable/readable by group ${perms[2]}! Dying on file $file" + fi + ;; + esac + fi } # simple lowercase function @@ -423,6 +443,7 @@ getconf PGSQLDUMP /usr/bin/pg_dump getconf PGSQLDUMPALL /usr/bin/pg_dumpall getconf GZIP /bin/gzip getconf RSYNC /usr/bin/rsync +getconf admingroup root # initialize vservers support # (get config variables and check real vservers availability) @@ -461,6 +482,7 @@ fi for file in $files; do [ -f "$file" ] || continue + check_perms ${file%/*} # check containing dir check_perms $file suffix="${file##*.}" base=`basename $file`
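Review bot: In the check_perms hunk of src/backupninja.in, `gperm=${perms[0]:1:1}` and `wperm=${perms[0]:2:1}` assume `stat --printf='%a'` always yields three digits, but a file or directory carrying setgid/setuid/sticky bits yields four (e.g. `2640`), so the group and world digits are read from the wrong positions and a setgid directory under /etc/backup.d (now checked via the containing-dir call) would have its owner digit treated as the group digit. Index from the end instead (`${perms[0]: -2:1}` and `${perms[0]: -1:1}`) or mask numerically with `$(( 8#${perms[0]} & 070 ))` / `$(( 8#${perms[0]} & 007 ))`. Two smaller points in the same hunk: the final error message reads "Configuration files must writable/readable by group ${perms[2]}" and has lost "not be" (and can use the already-defined `$group`), and `$file` is unquoted in the `stat` call, so a path containing whitespace splits the array; if `stat` fails, `perms` is empty and `[ $wperm -gt 0 ]` raises a test error rather than a fatal, so check its exit status. Note also that the `"$gid" != 0` test accepts any group-readable file owned by group root regardless of `admingroup`, whereas the removed `"------"` comparison rejected every group bit.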
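Review bot: In the `getconf admingroup root` hunk, check_perms now depends on `$admingroup` being set, but the default is only assigned here, after the other `getconf` lines; if check_perms is ever invoked on a file before this point (for example on the main configuration file before it is parsed), `$admingroup` is empty, the `case` falls through to `*)` and only group root is accepted. Either initialise `admingroup=root` near the top of the script alongside the other defaults, or make sure every check_perms call sits after this line. The default here also duplicates the one in etc/backupninja.conf.in; keep the two in sync.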
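Review bot: In the `for file in $files` hunk, `check_perms ${file%/*}` runs `stat` on the same containing directory once per configuration file; hoisting it out of the loop (or remembering the last directory checked) avoids the repeated work and repeated fatal message. The expansion is unquoted, so a directory name with whitespace breaks, and if `$file` ever lacks a slash `${file%/*}` expands to the file itself and it is simply checked twice. For a directory the group digit includes the search (x) bit, so the "Configuration files must ..." wording is misleading when the failing object is /etc/backup.d itself; consider a message that names directories.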
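Review bot: In the etc/backupninja.conf.in hunk, the comment for `admingroup` should state the consequence of setting it: members of that group may write files in /etc/backup.d that backupninja executes as root (the files must still be root-owned per check_perms), so membership is effectively root-equivalent and the group should be chosen accordingly.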
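Review bot: In the ChangeLog hunk, the entry says group-readable files are rejected "only when the group differs from the one in the configuration file", but the code in check_perms additionally accepts any file whose group is root (gid 0) whatever `admingroup` is set to; the entry should mention that, since it is a relaxation relative to the previous "------" check, which rejected all group bits.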
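Review bot: In the AUTHORS hunk, the added line is missing a trailing newline ("\ No newline at end of file"); add one so the next contributor's diff does not have to touch this line.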