From 41f8803559f4d2b9d2df005464c9ad199431f9a6 Mon Sep 17 00:00:00 2001 From: "Chris St. Pierre" Date: Wed, 14 Nov 2012 11:47:14 -0500 Subject: set default umask for server, added option to change it --- doc/man/bcfg2.conf.txt | 3 +++ man/bcfg2-admin.8 | 2 +- man/bcfg2-build-reports.8 | 2 +- man/bcfg2-crypt.8 | 2 +- man/bcfg2-info.8 | 2 +- man/bcfg2-lint.8 | 2 +- man/bcfg2-lint.conf.5 | 2 +- man/bcfg2-reports.8 | 2 +- man/bcfg2-server.8 | 2 +- man/bcfg2.1 | 2 +- man/bcfg2.conf.5 | 5 ++++- src/lib/Bcfg2/Options.py | 6 ++++++ src/lib/Bcfg2/Server/BuiltinCore.py | 18 ++++++++---------- src/lib/Bcfg2/Server/CherryPyCore.py | 6 ++++-- src/lib/Bcfg2/Server/Core.py | 2 ++ 15 files changed, 36 insertions(+), 22 deletions(-) diff --git a/doc/man/bcfg2.conf.txt b/doc/man/bcfg2.conf.txt index 942ead40d..b8e252cc4 100644 --- a/doc/man/bcfg2.conf.txt +++ b/doc/man/bcfg2.conf.txt @@ -143,6 +143,9 @@ vcs_root E.g., if the VCS repository does not hold the bcfg2 data at the top level, you may need to set this option. +umask + The umask to set for the server. Default is *0077*. + Server Plugins -------------- diff --git a/man/bcfg2-admin.8 b/man/bcfg2-admin.8 index 2cfff35af..008f56fa2 100644 --- a/man/bcfg2-admin.8 +++ b/man/bcfg2-admin.8 @@ -1,4 +1,4 @@ -.TH "BCFG2-ADMIN" "8" "November 07, 2012" "1.3" "Bcfg2" +.TH "BCFG2-ADMIN" "8" "November 14, 2012" "1.3" "Bcfg2" .SH NAME bcfg2-admin \- Perform repository administration tasks . diff --git a/man/bcfg2-build-reports.8 b/man/bcfg2-build-reports.8 index 6030e8b6b..1639adc74 100644 --- a/man/bcfg2-build-reports.8 +++ b/man/bcfg2-build-reports.8 @@ -1,4 +1,4 @@ -.TH "BCFG2-BUILD-REPORTS" "8" "November 07, 2012" "1.3" "Bcfg2" +.TH "BCFG2-BUILD-REPORTS" "8" "November 14, 2012" "1.3" "Bcfg2" .SH NAME bcfg2-build-reports \- Generate state reports for Bcfg2 clients . diff --git a/man/bcfg2-crypt.8 b/man/bcfg2-crypt.8 index 1e161c099..ab428c266 100644 --- a/man/bcfg2-crypt.8 +++ b/man/bcfg2-crypt.8 
@@ -1,4 +1,4 @@ -.TH "BCFG2-CRYPT" "8" "November 07, 2012" "1.3" "Bcfg2" +.TH "BCFG2-CRYPT" "8" "November 14, 2012" "1.3" "Bcfg2" .SH NAME bcfg2-crypt \- Bcfg2 encryption and decryption utility . diff --git a/man/bcfg2-info.8 b/man/bcfg2-info.8 index 1ea428865..57c9e012c 100644 --- a/man/bcfg2-info.8 +++ b/man/bcfg2-info.8 @@ -1,4 +1,4 @@ -.TH "BCFG2-INFO" "8" "November 07, 2012" "1.3" "Bcfg2" +.TH "BCFG2-INFO" "8" "November 14, 2012" "1.3" "Bcfg2" .SH NAME bcfg2-info \- Creates a local version of the Bcfg2 server core for state observation . diff --git a/man/bcfg2-lint.8 b/man/bcfg2-lint.8 index a908f5877..01ba87a51 100644 --- a/man/bcfg2-lint.8 +++ b/man/bcfg2-lint.8 @@ -1,4 +1,4 @@ -.TH "BCFG2-LINT" "8" "November 07, 2012" "1.3" "Bcfg2" +.TH "BCFG2-LINT" "8" "November 14, 2012" "1.3" "Bcfg2" .SH NAME bcfg2-lint \- Check Bcfg2 specification for validity, common mistakes, and style . diff --git a/man/bcfg2-lint.conf.5 b/man/bcfg2-lint.conf.5 index e99ac1bb6..d02b4e380 100644 --- a/man/bcfg2-lint.conf.5 +++ b/man/bcfg2-lint.conf.5 @@ -1,4 +1,4 @@ -.TH "BCFG2-LINT.CONF" "5" "November 07, 2012" "1.3" "Bcfg2" +.TH "BCFG2-LINT.CONF" "5" "November 14, 2012" "1.3" "Bcfg2" .SH NAME bcfg2-lint.conf \- Configuration parameters for bcfg2-lint . diff --git a/man/bcfg2-reports.8 b/man/bcfg2-reports.8 index 4841d9e7a..3b9e549e7 100644 --- a/man/bcfg2-reports.8 +++ b/man/bcfg2-reports.8 @@ -1,4 +1,4 @@ -.TH "BCFG2-REPORTS" "8" "November 07, 2012" "1.3" "Bcfg2" +.TH "BCFG2-REPORTS" "8" "November 14, 2012" "1.3" "Bcfg2" .SH NAME bcfg2-reports \- Query reporting system for client status . diff --git a/man/bcfg2-server.8 b/man/bcfg2-server.8 index b717ba797..1fbbb0ec7 100644 --- a/man/bcfg2-server.8 +++ b/man/bcfg2-server.8 @@ -1,4 +1,4 @@ -.TH "BCFG2-SERVER" "8" "November 07, 2012" "1.3" "Bcfg2" +.TH "BCFG2-SERVER" "8" "November 14, 2012" "1.3" "Bcfg2" .SH NAME bcfg2-server \- Server for client configuration specifications . 
diff --git a/man/bcfg2.1 b/man/bcfg2.1 index adf7d1d42..6ee34831f 100644 --- a/man/bcfg2.1 +++ b/man/bcfg2.1 @@ -1,4 +1,4 @@ -.TH "BCFG2" "1" "November 07, 2012" "1.3" "Bcfg2" +.TH "BCFG2" "1" "November 14, 2012" "1.3" "Bcfg2" .SH NAME bcfg2 \- Bcfg2 client tool . diff --git a/man/bcfg2.conf.5 b/man/bcfg2.conf.5 index 6f5771af7..49aa5369f 100644 --- a/man/bcfg2.conf.5 +++ b/man/bcfg2.conf.5 @@ -1,4 +1,4 @@ -.TH "BCFG2.CONF" "5" "November 07, 2012" "1.3" "Bcfg2" +.TH "BCFG2.CONF" "5" "November 14, 2012" "1.3" "Bcfg2" .SH NAME bcfg2.conf \- Configuration parameters for Bcfg2 . @@ -180,6 +180,9 @@ Specifies the path to the root of the VCS working copy that holds your Bcfg2 specification, if it is different from \fIrepository\fP. E.g., if the VCS repository does not hold the bcfg2 data at the top level, you may need to set this option. +.TP +.B umask +The umask to set for the server. Default is \fI0077\fP. .UNINDENT .SH SERVER PLUGINS .sp diff --git a/src/lib/Bcfg2/Options.py b/src/lib/Bcfg2/Options.py index f3765a5ec..b418d57b0 100644 --- a/src/lib/Bcfg2/Options.py +++ b/src/lib/Bcfg2/Options.py @@ -577,6 +577,11 @@ SERVER_VCS_ROOT = \ default=None, odesc='', cf=('server', 'vcs_root')) +SERVER_UMASK = \ + Option('Server umask', + default='0077', + odesc='', + cf=('server', 'umask')) # database options DB_ENGINE = \ @@ -1068,6 +1073,7 @@ CLI_COMMON_OPTIONS = dict(configfile=CFILE, syslog=LOGGING_SYSLOG) DAEMON_COMMON_OPTIONS = dict(daemon=DAEMON, + umask=SERVER_UMASK, listen_all=SERVER_LISTEN_ALL, daemon_uid=SERVER_DAEMON_USER, daemon_gid=SERVER_DAEMON_GROUP) diff --git a/src/lib/Bcfg2/Server/BuiltinCore.py b/src/lib/Bcfg2/Server/BuiltinCore.py index 69fb8d0cb..63149c15e 100644 --- a/src/lib/Bcfg2/Server/BuiltinCore.py +++ b/src/lib/Bcfg2/Server/BuiltinCore.py 
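Review bot: `SERVER_UMASK` stores the umask as an unvalidated string, so each consumer parses it separately with `int(self.setup['umask'], 8)`: BuiltinCore `__init__`, CherryPyCore `_daemonize` and `BaseCore.run` in the later hunks. A typo such as `0088` in bcfg2.conf then surfaces as a bare `ValueError` from whichever of those runs first, and nothing rejects a value outside 0-0777. Parsing and range-checking in one helper in Options.py, with the three call sites changed to e.g. `umask=get_umask(self.setup['umask'])`, would give one clear error at startup; the helper name below is illustrative. Because the default `0077` is restrictive, it may also be worth logging a warning when the configured mask clears the group or other bits, since that widens access to every file the server creates.

```python
# proposed helper for Options.py (name is illustrative)
def get_umask(value):
    """ Convert an octal umask string such as '0077' to an int,
    rejecting anything that is not octal or is outside 0-0777 """
    try:
        mask = int(value, 8)
    except ValueError:
        raise ValueError("Invalid umask %r: expected an octal string "
                         "such as 0077" % value)
    if not 0 <= mask <= 511:  # 0777
        raise ValueError("umask %r is out of range" % value)
    return mask
```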
@@ -28,17 +28,15 @@ class Core(BaseCore): #: this server core self.server = None + daemon_args = dict(uid=self.setup['daemon_uid'], + gid=self.setup['daemon_gid'], + umask=int(self.setup['umask'], 8)) if self.setup['daemon']: - #: The :class:`daemon.DaemonContext` used to drop - #: privileges, write the PID file (with :class:`PidFile`), - #: and daemonize this core. - self.context = \ - daemon.DaemonContext(uid=self.setup['daemon_uid'], - gid=self.setup['daemon_gid'], - pidfile=PIDLockFile(self.setup['daemon'])) - else: - self.context = daemon.DaemonContext(uid=self.setup['daemon_uid'], - gid=self.setup['daemon_gid']) + daemon_args['pidfile'] = PIDLockFile(self.setup['daemon']) + #: The :class:`daemon.DaemonContext` used to drop + #: privileges, write the PID file (with :class:`PidFile`), + #: and daemonize this core. + self.context = daemon.DaemonContext(**daemon_args) __init__.__doc__ = BaseCore.__init__.__doc__.split('.. -----')[0] def _dispatch(self, method, args, dispatch_dict): diff --git a/src/lib/Bcfg2/Server/CherryPyCore.py b/src/lib/Bcfg2/Server/CherryPyCore.py index 4ddcd7bdf..d097fd08f 100644 --- a/src/lib/Bcfg2/Server/CherryPyCore.py +++ b/src/lib/Bcfg2/Server/CherryPyCore.py @@ -107,8 +107,10 @@ class Core(BaseCore): :class:`cherrypy.process.plugins.DropPrivileges`, daemonize with :class:`cherrypy.process.plugins.Daemonizer`, and write a PID file with :class:`cherrypy.process.plugins.PIDFile`. """ - DropPrivileges(cherrypy.engine, uid=self.setup['daemon_uid'], - gid=self.setup['daemon_gid']).subscribe() + DropPrivileges(cherrypy.engine, + uid=self.setup['daemon_uid'], + gid=self.setup['daemon_gid'], + umask=int(self.setup['umask'], 8)).subscribe() Daemonizer(cherrypy.engine).subscribe() PIDFile(cherrypy.engine, self.setup['daemon']).subscribe() return True diff --git a/src/lib/Bcfg2/Server/Core.py b/src/lib/Bcfg2/Server/Core.py index cd2aa949f..6d0ad2bb9 100644 --- a/src/lib/Bcfg2/Server/Core.py +++ b/src/lib/Bcfg2/Server/Core.py 
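Review bot: The `#:` comment that now sits directly above `self.context = daemon.DaemonContext(**daemon_args)` still says the context writes the PID file, but after this refactor `pidfile` is only added when `self.setup['daemon']` is set, and the comment does not mention the umask the context now applies. Suggest rewording it to `` #: The :class:`daemon.DaemonContext` used to drop privileges, set the umask and daemonize this core; the PID file (:class:`PIDLockFile`) is attached only when a PID file path is configured. `` The `_daemonize` docstring in the CherryPyCore.py hunk has the same gap: it lists DropPrivileges, Daemonizer and PIDFile but not the umask now passed to `DropPrivileges`. `__init__` starts outside this hunk.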
@@ -665,6 +665,8 @@ class BaseCore(object): os.chmod(piddir, 420) # 0644 if not self._daemonize(): return False + else: + os.umask(int(self.setup['umask'], 8)) if not self._run(): self.shutdown() -- cgit v1.2.3-1-g7c22
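Review bot: On what appears to be the non-daemon path (the matching `if` is outside the hunk), the umask is only applied when `run()` reaches this `else:` branch, so anything the core created earlier, in `__init__` or before this point in `run()`, was created under the inherited umask; whether such files exist is not visible here. If they do, calling `os.umask(int(self.setup['umask'], 8))` once before any file is created would close that window, with the backend `umask=` arguments kept as a second layer. This branch also indexes `self.setup['umask']` on every such start, so an entry point that builds a core without `DAEMON_COMMON_OPTIONS` would presumably fail here; worth confirming against the other callers. `run()` starts and ends outside the hunk.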