Commit e480e17b authored by paz's avatar paz

Show a notice to check permissions if cli-command was invoked as root.

parent b11a03cc
Pipeline #14702 passed with stages
in 12 minutes and 59 seconds
...@@ -25,6 +25,7 @@ This project adheres to [Semantic Versioning](http://semver.org/). ...@@ -25,6 +25,7 @@ This project adheres to [Semantic Versioning](http://semver.org/).
* Use schleuder.org as website and team@schleuder.org as contact email. * Use schleuder.org as website and team@schleuder.org as contact email.
* Check environment variable if code coverage check should be executed. (#342) * Check environment variable if code coverage check should be executed. (#342)
* Transform GPG fingerprints to upper case before saving to database. (#327) * Transform GPG fingerprints to upper case before saving to database. (#327)
* CLI-commands that (potentially) change data now remind the system admin to check file system permission if the command was run with root privileges. (#326)
## [3.2.2] / 2018-02-06 ## [3.2.2] / 2018-02-06
......
...@@ -62,11 +62,13 @@ module Schleuder ...@@ -62,11 +62,13 @@ module Schleuder
list.logger.notify_admin(msg, nil, I18n.t('check_keys')) list.logger.notify_admin(msg, nil, I18n.t('check_keys'))
end end
end end
permission_notice
end end
desc 'refresh_keys [list1@example.com]', "Refresh all keys of all list from the keyservers sequentially (one by one or on the passed list). (This is supposed to be run from cron weekly.)" desc 'refresh_keys [list1@example.com]', "Refresh all keys of all list from the keyservers sequentially (one by one or on the passed list). (This is supposed to be run from cron weekly.)"
def refresh_keys(list=nil) def refresh_keys(list=nil)
work_on_lists(:refresh_keys,list) work_on_lists(:refresh_keys,list)
permission_notice
end end
desc 'pin_keys [list1@example.com]', "Find keys for subscriptions without a pinned key and try to pin a certain key (one by one or based on the passed list)." desc 'pin_keys [list1@example.com]', "Find keys for subscriptions without a pinned key and try to pin a certain key (one by one or based on the passed list)."
...@@ -122,6 +124,7 @@ module Schleuder ...@@ -122,6 +124,7 @@ module Schleuder
end end
say "Schleuder has been set up. You can now create a new list using `schleuder-cli`.\nWe hope you enjoy!" say "Schleuder has been set up. You can now create a new list using `schleuder-cli`.\nWe hope you enjoy!"
permission_notice
rescue => exc rescue => exc
fatal exc.message fatal exc.message
end end
...@@ -257,6 +260,7 @@ Please notify the users and admins of this list of these changes. ...@@ -257,6 +260,7 @@ Please notify the users and admins of this list of these changes.
if messages.present? if messages.present?
say messages.gsub(' // ', "\n") say messages.gsub(' // ', "\n")
end end
permission_notice
rescue => exc rescue => exc
fatal "#{exc}\n#{exc.backtrace.first}" fatal "#{exc}\n#{exc.backtrace.first}"
end end
...@@ -335,5 +339,20 @@ Please notify the users and admins of this list of these changes. ...@@ -335,5 +339,20 @@ Please notify the users and admins of this list of these changes.
true true
end end
def permission_notice
if Process.euid == 0
dirs = [Conf.lists_dir, Conf.listlogs_dir]
if Conf.database['adapter'] == 'sqlite3'
dirs << Conf.database['database']
end
dirs_sentence = dirs.uniq.map { |dir| enquote(dir) }.to_sentence
say "Warning: this process was run as root -- please make sure the all files in #{dirs_sentence} have correct file system permissions for the user that is running both, schleuder from the MTA and `schleuder-api-daemon`."
end
end
def enquote(string)
"\`#{string}\`"
end
end end
end end
...@@ -132,6 +132,19 @@ describe 'cli' do ...@@ -132,6 +132,19 @@ describe 'cli' do
expect(admin_emails.sort).to eq( ['schleuder2@example.org', expect(admin_emails.sort).to eq( ['schleuder2@example.org',
'schleuder2-nokey@example.org' ].sort) 'schleuder2-nokey@example.org' ].sort)
end end
it "warns about file system permissions if it was run as root" do
expect(Process).to receive(:euid).and_return(0)
v2list_path = 'spec/fixtures/v2list'
orig_stdout = $stdout
$stdout = StringIO.new
Cli.new.migrate_v2_list(v2list_path)
output = $stdout.string
$stdout = orig_stdout
expect(output).to include("Warning: this process was run as root")
end
end end
context '#refresh_keys' do context '#refresh_keys' do
...@@ -199,7 +212,21 @@ describe 'cli' do ...@@ -199,7 +212,21 @@ describe 'cli' do
teardown_list_and_mailer(list) teardown_list_and_mailer(list)
end end
it "warns about file system permissions if it was run as root" do
expect(Process).to receive(:euid).and_return(0)
list = create(:list)
orig_stdout = $stdout
$stdout = StringIO.new
Cli.new.refresh_keys(list.email)
output = $stdout.string
$stdout = orig_stdout
expect(output).to include("Warning: this process was run as root")
end
end end
context '#pin_keys' do context '#pin_keys' do
it 'pins fingerprints on not yet set keys' do it 'pins fingerprints on not yet set keys' do
list = create(:list) list = create(:list)
...@@ -275,6 +302,18 @@ describe 'cli' do ...@@ -275,6 +302,18 @@ describe 'cli' do
expect(exc.status).to eql(1) expect(exc.status).to eql(1)
File.rename(tmp_filename, dbfile) File.rename(tmp_filename, dbfile)
end end
it "warns about file system permissions if it was run as root" do
expect(Process).to receive(:euid).and_return(0)
orig_stdout = $stdout
$stdout = StringIO.new
Cli.new.install
output = $stdout.string
$stdout = orig_stdout
expect(output).to include("Warning: this process was run as root")
end
end end
context '#commands' do context '#commands' do
...@@ -284,4 +323,18 @@ describe 'cli' do ...@@ -284,4 +323,18 @@ describe 'cli' do
expect($?.exitstatus).to eq(1) expect($?.exitstatus).to eq(1)
end end
end end
context '#check_keys' do
it "warns about file system permissions if it was run as root" do
expect(Process).to receive(:euid).and_return(0)
orig_stdout = $stdout
$stdout = StringIO.new
Cli.new.check_keys
output = $stdout.string
$stdout = orig_stdout
expect(output).to include("Warning: this process was run as root")
end
end
end end
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment