From 049e42ba9a8cdc0748af6e8b9853225eb9cfd912 Mon Sep 17 00:00:00 2001
From: Johannes Meyer
Date: Tue, 21 Oct 2014 16:23:54 +0200
Subject: [PATCH] Add CLI command to create the configuration directory
It is now not necessary anymore to generate the token as the web server's user. A user now creates the configuration directory using the CLI as well, while the SGID is set (in the default mode) causing the token only to be accessible by the super user who owns the directory/file and the web server's group. refs #7163 refs #7408 refs #7410
---
 application/clicommands/SetupCommand.php | 69 +++++++++++++++++++++++-
 1 file changed, 67 insertions(+), 2 deletions(-)
diff --git a/application/clicommands/SetupCommand.php b/application/clicommands/SetupCommand.php
index 16fb53ab4..21dbac396 100644
--- a/application/clicommands/SetupCommand.php
+++ b/application/clicommands/SetupCommand.php
@@ -40,8 +40,6 @@ class SetupCommand extends Command
 * Create a new setup token
 *
 * Re-generates the setup token used to authenticate when installing Icinga Web 2 using the web-based wizard.
- * Note that it is required to run this command while logged in as your webserver's user or to make him the
- * owner of the created file afterwards manually.
 *
 * USAGE:
 *
@@ -49,6 +47,11 @@ class SetupCommand extends Command
 */
 public function generateTokenAction()
 {
+ if (false === $this->isSuperUser()) {
+ $this->fail($this->translate('This action needs to be run as super user in order to work properly!'));
+ return false;
+ }
+
 $token = bin2hex(openssl_random_pseudo_bytes(8));
 $filepath = $this->app->getConfigDir() . '/setup.token';
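Review bot: The docblock of `generateTokenAction()` no longer says who has to run the command: the note about the web server's user is removed in the previous hunk, and the guard added at the top of the method makes the super user mandatory without documenting it. Add a line such as ` * Note that this command has to be run as super user (root).` above `USAGE:`, so an operator learns the requirement from the help text rather than from the failure message. The method body continues outside the hunk, so the ownership and mode given to `setup.token` are not visible here; the commit message implies they rely on the setgid bit of the configuration directory, which would be worth stating in the same docblock if that is the case.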
@@ -62,4 +65,66 @@ class SetupCommand extends Command
 printf($this->translate("The newly generated setup token is: %s\n"), $token);
 }
+
+ /**
+ * Create the configuration directory
+ *
+ * This command creates the configuration directory for Icinga Web 2. The `group' argument
+ * is mandatory and should be the groupname of the user your web server is running as.
+ *
+ * USAGE:
+ *
+ * icingacli setup createConfigDirectory [options]
+ *
+ * OPTIONS:
+ *
+ * --mode The access mode to use. Default is: 2775
+ * --path The path to the configuration directory. If omitted the default is used.
+ *
+ * EXAMPLES:
+ *
+ * icingacli setup createConfigDirectory apache
+ * icingacli setup createConfigDirectory apache --mode 2770
+ * icingacli setup createConfigDirectory apache --path /some/path
+ */
+ public function createConfigDirectoryAction()
+ {
+ if (false === $this->isSuperUser()) {
+ $this->fail($this->translate('This action needs to be run as super user in order to work properly!'));
+ return false;
+ }
+
+ $group = $this->params->getStandalone();
+ if ($group === null) {
+ $this->fail($this->translate('The `group\' argument is mandatory.'));
+ return false;
+ }
+
+ $path = $this->params->get('path', $this->app->getConfigDir());
+ if (file_exists($path)) {
+ $this->fail(sprintf($this->translate('Path "%s" already exists.'), $path));
+ return false;
+ }
+
+ $mode = octdec($this->params->get('mode', '2775'));
+ if (false === mkdir($path)) {
+ $this->fail(sprintf($this->translate('Unable to create path: %s'), $path));
+ return false;
+ }
+
+ $old = umask(0); // Prevent $mode from being mangled by the system's umask ($old)
+ chmod($path, $mode);
+ umask($old);
+ chgrp($path, $group);
+ }
+
+ /**
+ * Return whether the current user is a super user
+ *
+ * @return bool
+ */
+ protected function isSuperUser()
+ {
+ return intval(shell_exec('echo $EUID')) === 0;
+ }
 }
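Review bot: `isSuperUser()` at the end of this hunk fails open: `shell_exec()` hands the command to `/bin/sh`, and `$EUID` is a bash variable that other shells (dash, for example) leave unset, so the output is empty and `intval()` turns it into 0, which reports every caller as super user; the same result follows whenever `shell_exec()` returns null. The guards in `createConfigDirectoryAction()` and `generateTokenAction()` both depend on it and become no-ops in that case. Asking the process directly avoids the shell and fails closed when the posix extension is missing: `return function_exists('posix_geteuid') && posix_geteuid() === 0;`. Separately, the return values of `chmod()` and `chgrp()` in `createConfigDirectoryAction()` are ignored, so an unknown group name leaves a directory that the web server's group does not own while the command reports no error; check both and call `$this->fail()` as the `mkdir()` branch does. The `umask(0)` pair around `chmod()` has no effect, since `chmod()` applies the mode as given, and its comment would be better removed together with the calls.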