mirror of
https://github.com/ovh/the-bastion.git
synced 2025-02-26 00:24:12 +08:00
enh: osh-orphaned-homedir.sh: add more security checks to ensure we don't archive still-used home dirs
This commit is contained in:
Stéphane Lesimple
Stéphane Lesimple
parent
7dabfc7135
commit
7b7c395c55
2 changed files with 53 additions and 2 deletions
|
|
@ -11,25 +11,66 @@ LOG_FACILITY=local6
|
|||
|
||||
trap "_err 'Unexpected termination!'" EXIT
|
||||
|
||||
_log "Checking orphaned home directories..."
|
||||
# first, verify that we're not a master instance, if this is the case, do nothing
|
||||
set +e
|
||||
perl -e '
|
||||
use strict;
|
||||
use warnings;
|
||||
|
||||
use File::Basename;
|
||||
use lib "'"$basedir"'/lib/perl";
|
||||
use OVH::Bastion;
|
||||
|
||||
my $c = OVH::Bastion::load_configuration() or exit(101);
|
||||
exit(102) if not exists $c->value->{readOnlySlaveMode};
|
||||
exit($c->value->{readOnlySlaveMode} ? 0 : 100);
|
||||
'; ret=$?
|
||||
set -e
|
||||
|
||||
case $ret in
|
||||
0) _log "Checking orphaned home directories...";;
|
||||
100) _log "We're a master instance, don't do anything"; trap - EXIT; exit 0;;
|
||||
101) _err "Couldn't load the main bastion configurationg, aborting"; trap - EXIT; exit 1;;
|
||||
102) _err "Invalid main bastion configuration, aborting"; trap - EXIT; exit 1;;
|
||||
*) _err "Unknown return code ($ret), aborting"; trap - EXIT; exit 1;;
|
||||
esac
|
||||
|
||||
while IFS= read -r -d '' dir
|
||||
do
|
||||
test -d "/home/oldkeeper/orphaned" || mkdir -p "/home/oldkeeper/orphaned"
|
||||
mkdir -p "/home/oldkeeper/orphaned"
|
||||
|
||||
# just in case, check ourselves again that the folder's UID/GID don't resolve
|
||||
set +e
|
||||
uid=$(get_file_uid_compat "$dir")
|
||||
gid=$(get_file_gid_compat "$dir")
|
||||
user=$(getent passwd "$uid")
|
||||
group=$(getent group "$gid")
|
||||
set -e
|
||||
if [ -n "$user" ] || [ -n "$group" ]; then
|
||||
|
||||
# wow, `find' lied to us?!
|
||||
_err "Would have archived $dir, but it seems the user ($uid=$user) or the group ($gid=$group) actually still exists (!), aborting the script"
|
||||
trap - EXIT
|
||||
exit 1
|
||||
fi
|
||||
|
||||
archive="/home/oldkeeper/orphaned/$(basename "$dir").at-$(date +%s).by-orphaned-homedir-script.tar.gz"
|
||||
_log "Found orphaned $dir [$(ls -ld "$dir")], archiving..."
|
||||
chmod 0700 /home/oldkeeper/orphaned
|
||||
if [ "$OS_FAMILY" = "Linux" ]; then
|
||||
find "$dir" -mindepth 1 -maxdepth 1 -type f -name "*.log" -print0 | xargs -r0 chattr -a
|
||||
fi
|
||||
|
||||
# remove empty directories if we have some
|
||||
find "$dir" -type d -delete 2>/dev/null || true
|
||||
acls_param=''
|
||||
[ "$OS_FAMILY" = "Linux" ] && acls_param='--acls'
|
||||
[ "$OS_FAMILY" = "FreeBSD" ] && acls_param='--acls'
|
||||
|
||||
set +e
|
||||
tar czf "$archive" $acls_param --one-file-system -p --remove-files --exclude=ttyrec "$dir" 2>/dev/null; ret=$?
|
||||
set -e
|
||||
|
||||
if [ $ret -ne 0 ]; then
|
||||
# $? can be 2 if we can't delete because ttyrec dir remains so it might not be a problem
|
||||
if [ $ret -eq 2 ] && [ -s "$archive" ] && [ -d "$dir" ] && [ "$(find "$dir" -name ttyrec -prune -o -print | wc -l)" = 1 ]; then
|
||||
|
|
|
|||
|
|
@ -314,6 +314,16 @@ del_user_from_group_compat()
|
|||
fi
|
||||
}
|
||||
|
||||
get_file_uid_compat()
|
||||
{
|
||||
stat -c "%u" "$1"
|
||||
}
|
||||
|
||||
get_file_gid_compat()
|
||||
{
|
||||
stat -c "%g" "$1"
|
||||
}
|
||||
|
||||
_logtag="$(basename "$0")[$$]"
|
||||
__log()
|
||||
{
|
||||
|
|
|
|||
Loading…
Reference in a new issue