Add CLI command to create the configuration directory

It is now not necessary anymore to generate the token as the web server's user. A user now creates the configuration directory using the CLI as well, while the SGID is set (in the default mode) causing the token only to be accessible by the super user who owns the directory/file and the web server's group. refs #7163 refs #7408 refs #7410
2014-10-21 16:23:54 +02:00 · 2014-10-21 16:23:54 +02:00 · 049e42ba9a
parent 3a3d29ea4f
commit 049e42ba9a
1 changed files with 67 additions and 2 deletions
--- a/application/clicommands/SetupCommand.php
+++ b/application/clicommands/SetupCommand.php
@ -40,8 +40,6 @@ class SetupCommand extends Command
     * Create a new setup token
     *
     * Re-generates the setup token used to authenticate when installing Icinga Web 2 using the web-based wizard.
-     * Note that it is required to run this command while logged in as your webserver's user or to make him the
-     * owner of the created file afterwards manually.
     *
     * USAGE:
     *
@ -49,6 +47,11 @@ class SetupCommand extends Command
     */
    public function generateTokenAction()
    {
+        if (false === $this->isSuperUser()) {
+            $this->fail($this->translate('This action needs to be run as super user in order to work properly!'));
+            return false;
+        }
+
        $token = bin2hex(openssl_random_pseudo_bytes(8));
        $filepath = $this->app->getConfigDir() . '/setup.token';

@ -62,4 +65,66 @@ class SetupCommand extends Command

        printf($this->translate("The newly generated setup token is: %s\n"), $token);
    }
+
+    /**
+     * Create the configuration directory
+     *
+     * This command creates the configuration directory for Icinga Web 2. The `group' argument
+     * is mandatory and should be the groupname of the user your web server is running as.
+     *
+     * USAGE:
+     *
+     *   icingacli setup createConfigDirectory <group> [options]
+     *
+     * OPTIONS:
+     *
+     *   --mode  The access mode to use. Default is: 2775
+     *   --path  The path to the configuration directory. If omitted the default is used.
+     *
+     * EXAMPLES:
+     *
+     *   icingacli setup createConfigDirectory apache
+     *   icingacli setup createConfigDirectory apache --mode 2770
+     *   icingacli setup createConfigDirectory apache --path /some/path
+     */
+    public function createConfigDirectoryAction()
+    {
+        if (false === $this->isSuperUser()) {
+            $this->fail($this->translate('This action needs to be run as super user in order to work properly!'));
+            return false;
+        }
+
+        $group = $this->params->getStandalone();
+        if ($group === null) {
+            $this->fail($this->translate('The `group\' argument is mandatory.'));
+            return false;
+        }
+
+        $path = $this->params->get('path', $this->app->getConfigDir());
+        if (file_exists($path)) {
+            $this->fail(sprintf($this->translate('Path "%s" already exists.'), $path));
+            return false;
+        }
+
+        $mode = octdec($this->params->get('mode', '2775'));
+        if (false === mkdir($path)) {
+            $this->fail(sprintf($this->translate('Unable to create path: %s'), $path));
+            return false;
+        }
+
+        $old = umask(0); // Prevent $mode from being mangled by the system's umask ($old)
+        chmod($path, $mode);
+        umask($old);
+        chgrp($path, $group);
+    }
+
+    /**
+     * Return whether the current user is a super user
+     *
+     * @return  bool
+     */
+    protected function isSuperUser()
+    {
+        return intval(shell_exec('echo $EUID')) === 0;
+    }
 }