Don't write service temporary files in areas that might be noexec. #1436
mfeit-internet2 committed Jun 5, 2024
1 parent 316c73e commit 58305d8
Showing 5 changed files with 29 additions and 19 deletions.
17 changes: 12 additions & 5 deletions pscheduler-server/pscheduler-server/daemons/Makefile
Expand Up @@ -11,7 +11,8 @@
# PGSERVICE - Name of the PostgreSQL systemd service
# PGUSER - Name of pScheduler PostgreSQL account
# PSUSER - Name of pScheduler user account
# RUNDIR - Location of run directory (nominally /run)
# STORAGEDIR - Location of temporary storage. Must not be
# in a directory where 'noexec' is in effect.
# VAR - Location of /var directory
#

Expand Down Expand Up @@ -60,7 +61,7 @@ ifndef PSUSER
endif
sed \
-e 's|__PSUSER__|$(PSUSER)|g' \
-e 's|__RUNDIR__|$(RUNDIR)|g' \
-e 's|__STORAGEDIR__|$(STORAGEDIR)|g' \
< $< > $@
@if egrep -e '__[A-Z_]+__' $@ ; then \
echo "Found un-substituted values in processed file $@" ; \
Expand Down Expand Up @@ -150,8 +151,8 @@ ifndef PGSERVICE
@echo No PGSERVICE specified for build
@false
endif
ifndef RUNDIR
@echo No RUNDIR specified for build
ifndef STORAGEDIR
@echo No STORAGEDIR specified for build
@false
endif
ifndef VAR
Expand All @@ -164,7 +165,7 @@ endif
-e 's|__DSN__|$(DSNFILE)|g' \
-e 's|__PROG__|$(@:service-%=%)|g' \
-e 's|__PSUSER__|$(PSUSER)|g' \
-e 's|__RUNDIR__|$(RUNDIR)|g' \
-e 's|__STORAGEDIR__|$(STORAGEDIR)|g' \
-e 's|__VAR__|$(VAR)|g' \
-e 's|__LOGDIR__|$(LOGDIR)|g' \
-e 's|__PGSERVICE__|$(PGSERVICE)|g' \
Expand Down Expand Up @@ -215,6 +216,10 @@ endif
ifndef INTERNALSDIR
@echo No INTERNALSDIR specified for installation
@false
endif
ifndef STORAGEDIR
@echo No STORAGEDIR specified for installation
@false
endif
mkdir -p $(CONFIGDIR)
cp -f $(CONFIGS) $(CONFIGDIR)
Expand All @@ -228,6 +233,8 @@ endif
mkdir -p $(INTERNALSDIR)
cp -f $(INTERNALS) $(INTERNALSDIR)
chmod 555 $(INTERNALS:%=$(INTERNALSDIR)/%)
mkdir -p $(STORAGEDIR)
chmod 700 $(STORAGEDIR)
mkdir -p $(UNITDIR)
@for SCRIPT in $(DAEMONS) ; \
do \
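Review bot: In the install hunk, `mkdir -p $(STORAGEDIR)` followed by `chmod 700 $(STORAGEDIR)` sets the mode but never the owner, and the unit template on this page only runs `chown -R` on `__STORAGEDIR__/__PROG__`, not on the parent. If the packaging does not hand the parent to PSUSER (the RPM spec does so with `%attr(700,...)`; nothing equivalent is visible for the Debian build), a service running as that account presumably cannot traverse a root-owned 0700 directory to reach its TMPDIR. I would create the directory in one step with `install -d -m 700 $(STORAGEDIR)` so there is no window with umask-default permissions, and add to the header comment that the packager must give ownership of STORAGEDIR to PSUSER. The install recipe continues past the end of the hunk.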
2 changes: 1 addition & 1 deletion pscheduler-server/pscheduler-server/daemons/debug.raw
Expand Up @@ -82,7 +82,7 @@ do
continue
fi

PID_FILE="__RUNDIR__/${SERVICE}/pid"
PID_FILE="__STORAGEDIR__/${SERVICE}/pid"
if [ ! -r "${PID_FILE}" ]
then
echo "Warning: ${SERVICE} does not appear to be running." 1>&2
18 changes: 9 additions & 9 deletions pscheduler-server/pscheduler-server/daemons/service-template.raw
Expand Up @@ -14,31 +14,31 @@ LimitNPROC=32768
Restart=always

# Create the run directory
ExecStartPre=-/bin/mkdir -p __RUNDIR__/__PROG__
ExecStartPre=-/bin/chmod 755 __RUNDIR__/__PROG__
ExecStartPre=-/bin/mkdir -p __STORAGEDIR__/__PROG__
ExecStartPre=-/bin/chmod 755 __STORAGEDIR__/__PROG__

# Set up some temporary space and export its location
ExecStartPre=-/bin/mkdir -p __RUNDIR__/__PROG__/tmp
ExecStartPre=-/bin/chmod 700 __RUNDIR__/__PROG__/tmp
Environment=TMPDIR=__RUNDIR__/__PROG__/tmp
ExecStartPre=-/bin/mkdir -p __STORAGEDIR__/__PROG__/tmp
ExecStartPre=-/bin/chmod 700 __STORAGEDIR__/__PROG__/tmp
Environment=TMPDIR=__STORAGEDIR__/__PROG__/tmp

# Set ownership
ExecStartPre=-/bin/chown -R __PSUSER__:__PSUSER__ __RUNDIR__/__PROG__
ExecStartPre=-/bin/chown -R __PSUSER__:__PSUSER__ __STORAGEDIR__/__PROG__


# Generate options file
ExecStartPre=-/bin/sh -c "if [ -r __CONFIGDIR__/__PROG__.conf ]; then opts=$(sed -e 's/#.*$//' __CONFIGDIR__/__PROG__.conf); echo OPTIONS=$opts > __RUNDIR__/__PROG__/options; chown __PSUSER__:__PSUSER__ __RUNDIR__/__PROG__/options; fi"
ExecStartPre=-/bin/sh -c "if [ -r __CONFIGDIR__/__PROG__.conf ]; then opts=$(sed -e 's/#.*$//' __CONFIGDIR__/__PROG__.conf); echo OPTIONS=$opts > __STORAGEDIR__/__PROG__/options; chown __PSUSER__:__PSUSER__ __STORAGEDIR__/__PROG__/options; fi"

# Redirections
StandardOutput=journal
StandardError=journal

# Start service
EnvironmentFile=-__RUNDIR__/__PROG__/options
EnvironmentFile=-__STORAGEDIR__/__PROG__/options
ExecStart=__DAEMONDIR__/__PROG__ --dsn @__DSN__ $OPTIONS

# Stop service
ExecStopPost=/bin/rm -rf __RUNDIR__/__PROG__
ExecStopPost=/bin/rm -rf __STORAGEDIR__/__PROG__

[Install]
WantedBy=multi-user.target
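Review bot: Moving these paths off the run directory (presumably cleared at boot) means `__STORAGEDIR__/__PROG__` now survives a reboot, and the only cleanup is `ExecStopPost=/bin/rm -rf __STORAGEDIR__/__PROG__`, which does not run if the host crashes or loses power. A leftover `options` file is then still picked up by `EnvironmentFile=-__STORAGEDIR__/__PROG__/options` whenever the `.conf` file is not readable, because the generator only overwrites it inside the `if`, and a leftover `pid` file is what the debug script's `-r` test will find. Consider clearing the directory before it is recreated, e.g. `ExecStartPre=-/bin/rm -rf __STORAGEDIR__/__PROG__` as the first pre-start step. The `# Create the run directory` comment should also say "storage directory" now.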
Expand Up @@ -40,7 +40,7 @@ override_dh_auto_build:
PGUSER=pscheduler \
PSUSER=pscheduler \
ARCHIVERDEFAULTDIR=/etc/pscheduler/default-archives \
RUNDIR=/var/run/pscheduler-server \
STORAGEDIR=/var/pscheduler-server \
VAR=/var

make -C utilities \
Expand Down Expand Up @@ -69,6 +69,7 @@ override_dh_auto_install:
DAEMONDIR=$(ROOT)/usr/lib/pscheduler/daemons \
COMMANDDIR=$(ROOT)/usr/lib/pscheduler/commands \
INTERNALSDIR=$(ROOT)/usr/lib/pscheduler/internals \
STORAGEDIR=$(ROOT)/usr/lib/pscheduler/internals \
install

make -C utilities \
Expand All @@ -91,7 +92,7 @@ override_dh_auto_install:
PREFIX=$(ROOT) \
DSN_FILE=/etc/pscheduler/database/database-dsn \
LIMITS_FILE=/etc/pscheduler/limits.conf \
RUN_DIR=/var/run/pscheduler-server \
RUN_DIR=/var/pscheduler-server \
PYTHON=$(PYTHON) \
install
cp api-server/*.py api-server/*.wsgi $(ROOT)/usr/share/pscheduler/api-server/
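Review bot: In the `override_dh_auto_install` hunk the added line `STORAGEDIR=$(ROOT)/usr/lib/pscheduler/internals \` repeats the INTERNALSDIR value from the line above, which looks like a copy-paste slip. Combined with the daemons Makefile's new `mkdir -p $(STORAGEDIR)` and `chmod 700 $(STORAGEDIR)`, this sets the packaged internals directory to mode 700, while `/var/pscheduler-server` (the value passed at build time) is never created in the package. It should probably read `STORAGEDIR=$(ROOT)/var/pscheduler-server \`, matching the build hunk and the RPM spec's `$RPM_BUILD_ROOT/%{storage_dir}`.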
Expand Up @@ -111,7 +111,7 @@ The pScheduler server

%define server_conf_dir %{_pscheduler_sysconfdir}
# Runtime space for PID files and debug flags.
%define run_dir %{_rundir}/%{name}
%define storage_dir %{_localstatedir}/%{name}

# Note that we want this here because it seems to work well without
# assistance on systems where selinux is enabled. Anywhere else and
Expand Down Expand Up @@ -160,7 +160,7 @@ make -C daemons \
PGUSER=%{_pscheduler_database_user} \
PSUSER=%{_pscheduler_user} \
ARCHIVERDEFAULTDIR=%{archiver_default_dir} \
RUNDIR=%{run_dir} \
STORAGEDIR=%{storage_dir} \
VAR=%{_var}

#
Expand Down Expand Up @@ -245,6 +245,7 @@ make -C daemons \
DAEMONDIR=$RPM_BUILD_ROOT/%{_pscheduler_daemons} \
COMMANDDIR=$RPM_BUILD_ROOT/%{_pscheduler_commands} \
INTERNALSDIR=$RPM_BUILD_ROOT/%{_pscheduler_internals} \
STORAGEDIR=$RPM_BUILD_ROOT/%{storage_dir} \
install

mkdir -p $RPM_BUILD_ROOT/%{archiver_default_dir}
Expand Down Expand Up @@ -612,6 +613,7 @@ systemctl reload-or-try-restart postgresql

%defattr(-,root,root,-)
%license LICENSE
%attr(700,%{_pscheduler_user},%{_pscheduler_group})%verify(user group mode) %{storage_dir}
%attr(755,%{_pscheduler_user},%{_pscheduler_group})%verify(user group mode) %{daemon_config_dir}
%attr(600,%{_pscheduler_user},%{_pscheduler_group})%verify(user group mode) %config(noreplace) %{daemon_config_dir}/*
%{_unitdir}/*
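Review bot: The comment above `%define storage_dir %{_localstatedir}/%{name}` still reads `# Runtime space for PID files and debug flags.`, which described the old `%{_rundir}` location. The directory is now persistent, holds each service's TMPDIR, and must allow execution, so I would state that: `# Persistent storage for PID files, debug flags and per-service TMPDIR; must not be on a noexec mount.` Hardened hosts may mount parts of /var with noexec, so spelling out the requirement next to the path gives administrators something to check against.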
