[CalendarServer-changes] [1190] CalendarServer/trunk
source_changes at macosforge.org
source_changes at macosforge.org
Wed Feb 14 10:17:56 PST 2007
Revision: 1190
http://trac.macosforge.org/projects/calendarserver/changeset/1190
Author: cdaboo at apple.com
Date: 2007-02-14 10:17:56 -0800 (Wed, 14 Feb 2007)
Log Message:
-----------
Merge of branches/users/cdaboo/security-1150.
Modified Paths:
--------------
CalendarServer/trunk/support/Makefile.Apple
CalendarServer/trunk/twistedcaldav/config.py
CalendarServer/trunk/twistedcaldav/tap.py
Modified: CalendarServer/trunk/support/Makefile.Apple
===================================================================
--- CalendarServer/trunk/support/Makefile.Apple 2007-02-14 18:17:01 UTC (rev 1189)
+++ CalendarServer/trunk/support/Makefile.Apple 2007-02-14 18:17:56 UTC (rev 1190)
@@ -32,8 +32,8 @@
PYTHON = /usr/bin/python
PY_INSTALL_FLAGS = --root="$(DSTROOT)" --home="$(SHAREDIR)/caldavd"
-USER = 93 # FIXME: calendar
-GROUP = 93 # FIXME: calendar
+USER = calendar
+GROUP = calendar
#
# Build
@@ -90,8 +90,8 @@
$(_v) $(INSTALL_FILE) $(Sources)/doc/caladmin.8 $(DSTROOT)$(MANDIR)/man8
$(_v) gzip -9 -f $(DSTROOT)$(MANDIR)/man8/*.8
$(_v) $(INSTALL_DIRECTORY) $(DSTROOT)$(NSLIBRARYDIR)/$(Project)
- $(_v) $(INSTALL_DIRECTORY) -o $(USER) -g $(GROUP) $(DSTROOT)$(NSLOCALDIR)/$(NSLIBRARYSUBDIR)/$(Project)/Documents
- $(_v) $(INSTALL_DIRECTORY) -o $(USER) -g $(GROUP) $(DSTROOT)$(VARDIR)/log/caldavd
+ $(_v) $(INSTALL_DIRECTORY) -o $(USER) -g $(GROUP) -m 0750 $(DSTROOT)$(NSLOCALDIR)/$(NSLIBRARYSUBDIR)/$(Project)/Documents
+ $(_v) $(INSTALL_DIRECTORY) -m 0750 $(DSTROOT)$(VARDIR)/log/caldavd
$(_v) $(INSTALL_DIRECTORY) $(DSTROOT)$(NSLIBRARYDIR)/LaunchDaemons
$(_v) $(INSTALL_FILE) $(Sources)/conf/launchd.plist $(DSTROOT)$(NSLIBRARYDIR)/LaunchDaemons/org.calendarserver.calendarserver.plist
$(_v) $(MKDIR) $(DSTROOT)$(ETCDIR)/sbs_backup/
Modified: CalendarServer/trunk/twistedcaldav/config.py
===================================================================
--- CalendarServer/trunk/twistedcaldav/config.py 2007-02-14 18:17:01 UTC (rev 1189)
+++ CalendarServer/trunk/twistedcaldav/config.py 2007-02-14 18:17:56 UTC (rev 1190)
@@ -94,6 +94,10 @@
for key, value in items:
setattr(self, key, value)
+class ConfigurationError (RuntimeError):
+ """
+ Invalid server configuration.
+ """
config = Config(defaultConfig)
Modified: CalendarServer/trunk/twistedcaldav/tap.py
===================================================================
--- CalendarServer/trunk/twistedcaldav/tap.py 2007-02-14 18:17:01 UTC (rev 1189)
+++ CalendarServer/trunk/twistedcaldav/tap.py 2007-02-14 18:17:56 UTC (rev 1190)
@@ -17,7 +17,7 @@
##
import os
-import sys
+import stat
from zope.interface import implements
@@ -44,7 +44,7 @@
from twisted.web2.server import Site
from twistedcaldav.cluster import makeService_multiprocess, makeService_pydir
-from twistedcaldav.config import config, parseConfig, defaultConfig
+from twistedcaldav.config import config, parseConfig, defaultConfig, ConfigurationError
from twistedcaldav.logging import RotatingFileAccessLoggingObserver
from twistedcaldav.root import RootResource
from twistedcaldav.resource import CalDAVResource
@@ -153,12 +153,26 @@
self.parent['pidfile'] = config.PIDFile
# Verify that document root actually exists
- self.checkDirectory(config.DocumentRoot, "Document root")
+ self.checkDirectory(
+ config.DocumentRoot,
+ "Document root",
+ access=os.R_OK or os.W_OK,
+ permissions=0750,
+ uname=config.Username,
+ gname=config.Groupname)
# Verify that ssl certs exist if needed
if config.SSLEnable:
- self.checkFile(config.SSLPrivateKey, "SSL Private key")
- self.checkFile(config.SSLCertificate, "SSL Public key")
+ self.checkFile(
+ config.SSLPrivateKey,
+ "SSL Private key",
+ access=os.R_OK,
+ permissions=0640)
+ self.checkFile(
+ config.SSLCertificate,
+ "SSL Public key",
+ access=os.R_OK,
+ permissions=0644)
#
# Nuke the file log observer's time format.
@@ -166,19 +180,66 @@
if not config.ErrorLogFile and config.ServerType == 'slave':
log.FileLogObserver.timeFormat = ''
-
- def checkDirectory(self, dirpath, description):
+
+
+ # Check current umask and warn if changed
+ oldmask = os.umask(0027)
+ if oldmask != 0027:
+ print "WARNING: changing umask from: 0%03o to 0%03o" % (oldmask, 0027,)
+
+ def checkDirectory(self, dirpath, description, access=None, fail=False, permissions=None, uname=None, gname=None):
if not os.path.exists(dirpath):
- raise ValueError("%s does not exist: %s" % (description, dirpath,))
+ raise ConfigurationError("%s does not exist: %s" % (description, dirpath,))
elif not os.path.isdir(dirpath):
- raise ValueError("%s is not a directory: %s" % (description, dirpath,))
+ raise ConfigurationError("%s is not a directory: %s" % (description, dirpath,))
+ elif access and not os.access(dirpath, access):
+ raise ConfigurationError("Insufficient permissions for server on %s directory: %s" % (description, dirpath,))
+ self.securityCheck(dirpath, description, fail=fail, permissions=permissions, uname=uname, gname=gname)
- def checkFile(self, filepath, description):
+ def checkFile(self, filepath, description, access=None, fail=False, permissions=None, uname=None, gname=None):
if not os.path.exists(filepath):
- raise ValueError("%s does not exist: %s" % (description, filepath,))
+ raise ConfigurationError("%s does not exist: %s" % (description, filepath,))
elif not os.path.isfile(filepath):
- raise ValueError("%s is not a file: %s" % (description, filepath,))
+ raise ConfigurationError("%s is not a file: %s" % (description, filepath,))
+ elif access and not os.access(filepath, access):
+ raise ConfigurationError("Insufficient permissions for server on %s directory: %s" % (description, filepath,))
+ self.securityCheck(filepath, description, fail=fail, permissions=permissions, uname=uname, gname=gname)
+ def securityCheck(self, path, description, fail=False, permissions=None, uname=None, gname=None):
+ def raiseOrPrint(txt):
+ if fail:
+ raise ConfigurationError(txt)
+ else:
+ print "WARNING: %s" % (txt,)
+
+ pathstat = os.stat(path)
+ if permissions:
+ if stat.S_IMODE(pathstat[stat.ST_MODE]) != permissions:
+ raiseOrPrint("The permisions on %s directory %s are 0%03o and do not match expected permissions: 0%03o" % \
+ (description, path, stat.S_IMODE(pathstat[stat.ST_MODE]), permissions))
+ if uname:
+ import pwd
+ try:
+ pathuname = pwd.getpwuid(pathstat[stat.ST_UID])[0]
+ if pathuname != uname:
+ raiseOrPrint("The owner of %s directory %s is %s and does not match the expected owner: %s" % \
+ (description, path, pathuname, uname))
+ except KeyError:
+ raiseOrPrint("The owner of %s directory %s is unknown (%s) and does not match the expected owner: %s" % \
+ (description, path, pathstat[stat.ST_UID], uname))
+
+ if gname:
+ import grp
+ try:
+ pathgname = grp.getgrgid(pathstat[stat.ST_GID])[0]
+ if pathgname != gname:
+ raiseOrPrint("The group of %s directory %s is %s and does not match the expected group: %s" % \
+ (description, path, pathgname, gname))
+ except KeyError:
+ raiseOrPrint("The group of %s directory %s is unknown (%s) and does not match the expected group: %s" % \
+ (description, path, pathstat[stat.ST_GID], gname))
+
+
class CalDAVServiceMaker(object):
implements(IPlugin, service.IServiceMaker)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.macosforge.org/pipermail/calendarserver-changes/attachments/20070214/e159e69e/attachment.html
More information about the calendarserver-changes
mailing list