Added a slightly modified version of the anti-fascist patch (allows for

a configurable admingroup to be set, instead of forcing it to be root), closes debian bug#370396

Added a slightly modified version of the anti-fascist patch (allows for
489e294c · micah · 8589faa7 · 489e294c · 489e294c · 489e294c
Commit 489e294c authored 18 years ago by micah
--- a/AUTHORS
+++ b/AUTHORS
@@ -15,3 +15,4 @@ cmccallum@thecsl.org
 Daniel.Bonniot@inria.fr
 Brad Fritz <brad@fritzfam.com> -- trac patch
 garcondumonde@riseup.net
+Martin Krafft madduck@debian.org -- admingroup patch
\ No newline at end of file
--- a/ChangeLog
+++ b/ChangeLog
@@ -3,6 +3,11 @@ version 0.9.4 -- unreleased
 	 . Fixed bug in toint(), and thus isnow(), which caused it
 	   to not work when run from cron.
 	 . Recursively ignore subdirs in /etc/backup.d (Closes: #361102)
+	 . Add admingroup option to configuration to allow a group that can
+	   read/write configurations (instead of only allowing root). Checks
+	   and complains about group-readable files only when the group differs
+	   from the one in the configuration file (default is root as before). 
+	   Thanks to Martin Krafft for the patch (Closes: #370396).
    handler changes
 	Added tar handler
 	mysql:

--- a/etc/backupninja.conf.in
+++ b/etc/backupninja.conf.in
@@ -25,6 +25,10 @@ reportsuccess = yes
 # even if there was no error. (default = yes)
 reportwarning = yes
+# set to the administration group that is allowed to 
+# read/write configuration files in /etc/backup.d
+admingroup = root
 #######################################################
 # for most installations, the defaults below are good #
 #######################################################

--- a/src/backupninja.in
+++ b/src/backupninja.in
@@ -130,17 +130,37 @@ function msg {
 #
 function check_perms() {
-	local file=$1
+   local file=$1
-	local perms=`ls -ld $file`
+   local perms
-	perms=${perms:4:6}
+   perms=($(stat -L --printf='%a %g %G %u %U' $file))
-	if [ "$perms" != "------" ]; then
+   local gperm=${perms[0]:1:1}
-		echo "Configuration files must not be group or world writable/readable! Dying on file $file"
+   local wperm=${perms[0]:2:1}
-		fatal "Configuration files must not be group or world writable/readable! Dying on file $file"
+   local gid=${perms[1]}
-	fi
+   local group=${perms[2]}
-	if [ `ls -ld $file | awk '{print $3}'` != "root" ]; then
+   local owner=${perms[3]}
-		echo "Configuration files must be owned by root! Dying on file $file"
-		fatal "Configuration files must be owned by root! Dying on file $file"
+   if [ "$owner" != 0 ]; then
-	fi
+      echo "Configuration files must be owned by root! Dying on file $file"
+      fatal "Configuration files must be owned by root! Dying on file $file"
+   fi
+   if [ $wperm -gt 0 ]; then
+      echo "Configuration files must not be world writable/readable! Dying on file $file"
+      fatal "Configuration files must not be world writable/readable! Dying on file $file"
+   fi
+   if [ $gperm -gt 0 ]; then
+      case "$admingroup" in
+         $gid|$group) :;;
+         *)
+           if [ "$gid" != 0 ]; then
+              echo "Configuration files must writable/readable by group ${perms[2]}! Dying on file $file"
+              fatal "Configuration files must writable/readable by group ${perms[2]}! Dying on file $file"
+           fi
+         ;;
+         esac
+   fi
 }
 # simple lowercase function
@@ -423,6 +443,7 @@ getconf PGSQLDUMP /usr/bin/pg_dump
 getconf PGSQLDUMPALL /usr/bin/pg_dumpall
 getconf GZIP /bin/gzip
 getconf RSYNC /usr/bin/rsync
+getconf admingroup root
 # initialize vservers support
 # (get config variables and check real vservers availability)
@@ -461,6 +482,7 @@ fi
 for file in $files; do
 	[ -f "$file" ] || continue
+        check_perms ${file%/*} # check containing dir
 	check_perms $file
 	suffix="${file##*.}"
 	base=`basename $file`