mirror of
https://github.com/AdguardTeam/AdGuardHome.git
synced 2024-12-19 21:41:56 +03:00
3895cfb4f0
Updates #7400. Squashed commit of the following: commit f50d7c200de545dc6c8ef70b39208f522033fb90 Merge:47040a14c37b16bcf7Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Tue Dec 3 18:09:23 2024 +0300 Merge branch 'master' into 7400-chown-permcheck commit47040a14cdAuthor: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Tue Dec 3 14:26:43 2024 +0300 permcheck: fix nil entries commite1d21c576dAuthor: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Mon Dec 2 15:37:58 2024 +0300 permcheck: fix nil owner commitb1fc67c4d1Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Fri Nov 29 18:07:15 2024 +0300 permcheck: imp doc commit0b6a71326eAuthor: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Fri Nov 29 17:16:24 2024 +0300 permcheck: imp code commit7dfbeda179Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Fri Nov 29 14:28:17 2024 +0300 permcheck: imp code commit3a5b6aced9Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Thu Nov 28 19:21:03 2024 +0300 all: imp code, docs commitc076c93669Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Thu Nov 28 15:14:06 2024 +0300 permcheck: imp code, docs commit09e4ae1ba1Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Wed Nov 27 19:19:11 2024 +0300 all: implement windows permcheck commitb75ed7d4d3Author: Eugene Burkov <E.Burkov@AdGuard.COM> Date: Mon Nov 25 18:01:47 2024 +0300 all: revert permissions
123 lines
3 KiB
Go
123 lines
3 KiB
Go
//go:build unix
|
|
|
|
package permcheck
|
|
|
|
import (
|
|
"context"
|
|
"fmt"
|
|
"io/fs"
|
|
"log/slog"
|
|
"os"
|
|
"path/filepath"
|
|
|
|
"github.com/AdguardTeam/golibs/container"
|
|
"github.com/AdguardTeam/golibs/errors"
|
|
"github.com/AdguardTeam/golibs/logutil/slogutil"
|
|
)
|
|
|
|
// entity is a filesystem entity with a path and a flag indicating whether it is
|
|
// a directory.
|
|
type entity = container.KeyValue[string, bool]
|
|
|
|
// entities returns a list of filesystem entities that need to be ranged over.
|
|
//
|
|
// TODO(a.garipov): Put all paths in one place and remove this duplication.
|
|
func entities(workDir, dataDir, statsDir, querylogDir, confFilePath string) (ents []entity) {
|
|
ents = []entity{{
|
|
Key: workDir,
|
|
Value: true,
|
|
}, {
|
|
Key: confFilePath,
|
|
Value: false,
|
|
}, {
|
|
Key: dataDir,
|
|
Value: true,
|
|
}, {
|
|
Key: filepath.Join(dataDir, "filters"),
|
|
Value: true,
|
|
}, {
|
|
Key: filepath.Join(dataDir, "sessions.db"),
|
|
Value: false,
|
|
}, {
|
|
Key: filepath.Join(dataDir, "leases.json"),
|
|
Value: false,
|
|
}}
|
|
|
|
if dataDir != querylogDir {
|
|
ents = append(ents, entity{
|
|
Key: querylogDir,
|
|
Value: true,
|
|
})
|
|
}
|
|
ents = append(ents, entity{
|
|
Key: filepath.Join(querylogDir, "querylog.json"),
|
|
Value: false,
|
|
}, entity{
|
|
Key: filepath.Join(querylogDir, "querylog.json.1"),
|
|
Value: false,
|
|
})
|
|
|
|
if dataDir != statsDir {
|
|
ents = append(ents, entity{
|
|
Key: statsDir,
|
|
Value: true,
|
|
})
|
|
}
|
|
ents = append(ents, entity{
|
|
Key: filepath.Join(statsDir, "stats.db"),
|
|
})
|
|
|
|
return ents
|
|
}
|
|
|
|
// checkPath checks the permissions of a single filesystem entity. The results
|
|
// are logged at the appropriate level.
|
|
func checkPath(ctx context.Context, l *slog.Logger, entPath string, want fs.FileMode) {
|
|
l = l.With("path", entPath)
|
|
|
|
s, err := os.Stat(entPath)
|
|
if err != nil {
|
|
lvl := slog.LevelError
|
|
if errors.Is(err, os.ErrNotExist) {
|
|
lvl = slog.LevelDebug
|
|
}
|
|
|
|
l.Log(ctx, lvl, "checking permissions", slogutil.KeyError, err)
|
|
|
|
return
|
|
}
|
|
|
|
// TODO(a.garipov): Add a more fine-grained check and result reporting.
|
|
perm := s.Mode().Perm()
|
|
if perm == want {
|
|
return
|
|
}
|
|
|
|
permOct, wantOct := fmt.Sprintf("%#o", perm), fmt.Sprintf("%#o", want)
|
|
l.WarnContext(ctx, "found unexpected permissions", "perm", permOct, "want", wantOct)
|
|
}
|
|
|
|
// chmodPath changes the permissions of a single filesystem entity. The results
|
|
// are logged at the appropriate level.
|
|
func chmodPath(ctx context.Context, l *slog.Logger, entPath string, fm fs.FileMode) {
|
|
var lvl slog.Level
|
|
var msg string
|
|
args := []any{"path", entPath}
|
|
|
|
switch err := os.Chmod(entPath, fm); {
|
|
case err == nil:
|
|
lvl = slog.LevelInfo
|
|
msg = "changed permissions"
|
|
case errors.Is(err, os.ErrNotExist):
|
|
lvl = slog.LevelDebug
|
|
msg = "checking permissions"
|
|
args = append(args, slogutil.KeyError, err)
|
|
default:
|
|
lvl = slog.LevelError
|
|
msg = "cannot change permissions; this can leave your system vulnerable, see " +
|
|
"https://adguard-dns.io/kb/adguard-home/running-securely/#os-service-concerns"
|
|
args = append(args, "target_perm", fmt.Sprintf("%#o", fm), slogutil.KeyError, err)
|
|
}
|
|
|
|
l.Log(ctx, lvl, msg, args...)
|
|
}
|