authorBruno Cesar Ribas <brunoribas@gmail.com>2018-08-29 13:26:57 +0000
committerBruno Cesar Ribas <brunoribas@gmail.com>2018-08-29 13:26:57 +0000
commit535ecefb9189949e62d71062a1b668fe885f0fe0 (patch)
tree0bc619da53014d2ed1137cde413f9b7e60389efa
parent1b06668b95d393ba366b3568e555258a4706c90d (diff)
parentb117763dfafeec631c47a8fca6880400c5c6d854 (diff)
Merge remote-tracking branch 'origin/develc' into devel
-rw-r--r--Makefile23
-rw-r--r--debian/boca-autojudge.postinst4
-rw-r--r--debian/boca-common.postinst3
-rw-r--r--debian/boca-db.postinst3
-rw-r--r--debian/boca-submission-tools.postinst9
-rw-r--r--tools/boca-fixes35
-rw-r--r--tools/boca-fixssh28
-rw-r--r--tools/boca-submit-log9
-rw-r--r--tools/cron-boca-fixes1
9 files changed, 98 insertions, 17 deletions
diff --git a/Makefile b/Makefile
index 7a84de9..6ec0a69 100644
--- a/Makefile
+++ b/Makefile
@@ -6,9 +6,12 @@ tools/boca-submit-run-root-wrapper: tools/boca-submit-run-root-wrapper.c
gcc $^ -o $@
install-bocawww:
- mkdir -p $(DESTDIR)/var/www/boca/
+ mkdir -p $(DESTDIR)/usr/sbin $(DESTDIR)/etc/cron.d $(DESTDIR)/var/www/boca/
cp -r src $(DESTDIR)/var/www/boca/
cp -r doc $(DESTDIR)/var/www/boca/
+ install tools/boca-fixssh $(DESTDIR)/usr/sbin/
+ install tools/cron-boca-fixssh $(DESTDIR)/etc/cron.d/
+ chmod 700 $(DESTDIR)/usr/sbin/boca-fixssh
install-bocaapache:
mkdir -p $(DESTDIR)/etc/apache2/sites-enabled/
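Review bot: In install-bocawww the new `install tools/boca-fixssh $(DESTDIR)/usr/sbin/` copies the script at install's default mode (0755) and only tightens it with a separate `chmod 700` two lines later. Setting the mode at copy time, `install -m 700 tools/boca-fixssh $(DESTDIR)/usr/sbin/`, removes the intermediate state and keeps file and mode on one line. The second Makefile hunk repeats the install-then-chmod pattern for boca-dump, boca-createdb, boca-config-dbhost, boca-createjail, boca-autojudge and the submission tools. The cron fragment needs no execute bit, so `install -m 644 tools/cron-boca-fixssh $(DESTDIR)/etc/cron.d/` would suit it better.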
@@ -20,43 +23,53 @@ install-bocaapache:
install-scripts:
mkdir -p $(DESTDIR)/usr/sbin/
install tools/dump.sh $(DESTDIR)/usr/sbin/boca-dump
+ chmod 700 $(DESTDIR)/usr/sbin/boca-dump
install-bocadb:
mkdir -p $(DESTDIR)/usr/sbin/
mkdir -p $(DESTDIR)/etc
cp -r tools/postgresql $(DESTDIR)/etc
install tools/boca-createdb.sh $(DESTDIR)/usr/sbin/boca-createdb
+ chmod 700 $(DESTDIR)/usr/sbin/boca-createdb
install-bocacommon: install-bocawww
mkdir -p $(DESTDIR)/usr/sbin/
mkdir -p $(DESTDIR)/etc/
cp tools/boca.conf $(DESTDIR)/etc/
install tools/boca-config-dbhost.sh $(DESTDIR)/usr/sbin/boca-config-dbhost
+ chmod 700 $(DESTDIR)/usr/sbin/boca-config-dbhost
install-bocaautojudge: tools/safeexec
mkdir -p $(DESTDIR)/usr/sbin/
mkdir -p $(DESTDIR)/usr/bin/
mkdir -p $(DESTDIR)/etc/
install tools/safeexec $(DESTDIR)/usr/bin/safeexec
- chmod 4555 $(DESTDIR)/usr/bin/safeexec
install tools/boca-createjail $(DESTDIR)/usr/sbin/boca-createjail
install tools/boca-autojudge.sh $(DESTDIR)/usr/sbin/boca-autojudge
+ chmod 4555 $(DESTDIR)/usr/bin/safeexec
+ chmod 700 $(DESTDIR)/usr/sbin/boca-createjail
+ chmod 700 $(DESTDIR)/usr/sbin/boca-autojudge
install: install-bocawww install-bocaapache install-bocadb install-bocacommon install-bocaautojudge install-scripts
install-submission-tools: tools/boca-submit-run-root-wrapper
mkdir -p $(DESTDIR)/usr/bin $(DESTDIR)/usr/sbin $(DESTDIR)/etc/cron.d
install tools/boca-auth-runs $(DESTDIR)/usr/sbin/
- install tools/boca-fixssh $(DESTDIR)/usr/sbin/
install tools/boca-submit-run $(DESTDIR)/usr/bin/
install tools/boca-submit-run-cron $(DESTDIR)/usr/bin/
install tools/boca-submit-run-aux $(DESTDIR)/usr/bin/
install tools/boca-submit-run-root $(DESTDIR)/usr/bin/
- install tools/boca-submit-log $(DESTDIR)/usr/sbin/boca-submit-log
+ install tools/boca-submit-log $(DESTDIR)/usr/sbin/
install tools/cron-boca-submit $(DESTDIR)/etc/cron.d/
- install tools/cron-boca-fixssh $(DESTDIR)/etc/cron.d/
install tools/cron-boca-log $(DESTDIR)/etc/cron.d/
install tools/boca-submit-run-root-wrapper $(DESTDIR)/usr/bin/
install tools/boca-outmanage $(DESTDIR)/usr/sbin/
install tools/boca-checkinternet $(DESTDIR)/usr/sbin/
+ install tools/boca-fixes $(DESTDIR)/usr/sbin/
+ install tools/cron-boca-fixes $(DESTDIR)/etc/cron.d/
+ chmod 700 $(DESTDIR)/usr/sbin/boca-fixes
+ chmod 700 $(DESTDIR)/usr/sbin/boca-auth-runs
+ chmod 700 $(DESTDIR)/usr/sbin/boca-outmanage
+ chmod 700 $(DESTDIR)/usr/sbin/boca-submit-log
+ chmod 700 $(DESTDIR)/usr/bin/boca-submit-run-*
chmod 4555 $(DESTDIR)/usr/bin/boca-submit-run-root-wrapper
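Review bot: The glob in `chmod 700 $(DESTDIR)/usr/bin/boca-submit-run-*` also matches boca-submit-run-root-wrapper, so the setuid wrapper ends up with the right mode only because the `chmod 4555` context line happens to run after it. I would either name the scripts explicitly, `chmod 700 $(DESTDIR)/usr/bin/boca-submit-run-cron $(DESTDIR)/usr/bin/boca-submit-run-aux $(DESTDIR)/usr/bin/boca-submit-run-root`, or put a make comment above the recipe such as `# chmod 4555 on the wrapper must stay last: the boca-submit-run-* glob also matches it`. The glob does not match `boca-submit-run` itself, which keeps the default install mode; presumably that is intended, but it is worth confirming.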
diff --git a/debian/boca-autojudge.postinst b/debian/boca-autojudge.postinst
index 37b144c..06fa222 100644
--- a/debian/boca-autojudge.postinst
+++ b/debian/boca-autojudge.postinst
@@ -1,5 +1,7 @@
#!/bin/bash
-chmod 4555 /usr/bin/safeexec
+chmod 4555 /usr/bin/safeexec
+chmod 700 /usr/sbin/boca-createjail
+chmod 700 /usr/sbin/boca-autojudge
exit 0
diff --git a/debian/boca-common.postinst b/debian/boca-common.postinst
index d28de8a..0a35a35 100644
--- a/debian/boca-common.postinst
+++ b/debian/boca-common.postinst
@@ -1,5 +1,8 @@
#!/bin/bash
+chmod 700 /usr/sbin/boca-config-dbhost
+chmod 700 /usr/sbin/boca-fixssh
+
set -e
. /usr/share/debconf/confmodule
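Review bot: The two added `chmod 700` lines sit above `set -e`, so if either one fails (for instance because the file is not shipped by this package) the postinst carries on silently and the script keeps whatever mode it was unpacked with. If the tightening is meant to be guaranteed, move the lines below `set -e`; if best effort is intended, say so with a comment such as `# best effort: file may belong to another boca package`. debian/boca-db.postinst has the same placement for boca-createdb and boca-dump.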
diff --git a/debian/boca-db.postinst b/debian/boca-db.postinst
index c4215df..de205c0 100644
--- a/debian/boca-db.postinst
+++ b/debian/boca-db.postinst
@@ -1,5 +1,8 @@
#!/bin/bash
+chmod 700 /usr/sbin/boca-createdb
+chmod 700 /usr/sbin/boca-dump
+
set -e
. /usr/share/debconf/confmodule
diff --git a/debian/boca-submission-tools.postinst b/debian/boca-submission-tools.postinst
index 17945a4..b8a5dcf 100644
--- a/debian/boca-submission-tools.postinst
+++ b/debian/boca-submission-tools.postinst
@@ -1,7 +1,12 @@
#!/bin/bash
-#Make sure wrapper is suid
-chmod 4555 /usr/bin/boca-submit-run-root-wrapper
+#Make sure wrapper is suid and others are not readable
+chmod 4555 /usr/bin/boca-submit-run-root-wrapper
+chmod 700 /usr/sbin/boca-fixes
+chmod 700 /usr/sbin/boca-auth-runs
+chmod 700 /usr/sbin/boca-outmanage
+chmod 700 /usr/sbin/boca-submit-log
+chmod 700 /usr/bin/boca-submit-run-*
for i in boca-submit-list boca-submit-oldlist; do
rm -f /usr/bin/$i || true
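Review bot: `chmod 700 /usr/bin/boca-submit-run-*` runs after `chmod 4555 /usr/bin/boca-submit-run-root-wrapper`, and the glob matches the wrapper, so this postinst leaves the wrapper at 0700 with the setuid bit cleared, which contradicts the comment above it. The Makefile applies the same two commands in the opposite order, which is why the mode survives there. Either move the wrapper's `chmod 4555` below the glob line or name the scripts explicitly: `chmod 700 /usr/bin/boca-submit-run-cron /usr/bin/boca-submit-run-aux /usr/bin/boca-submit-run-root`. The for loop continues past the end of the hunk.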
diff --git a/tools/boca-fixes b/tools/boca-fixes
new file mode 100644
index 0000000..8d4f041
--- /dev/null
+++ b/tools/boca-fixes
@@ -0,0 +1,35 @@
+#!/bin/bash
+
+if [ "`id -u`" != "0" ]; then
+ echo "Must be run as root"
+ exit 1
+fi
+if [[ ! -e /etc/bocaip ]] ; then
+ BOCASERVER=50.116.19.221
+else
+ source /etc/bocaip
+ BOCASERVER=$BOCAIP
+fi
+if [ "$BOCASERVER" == "" ]; then
+ echo "BOCA server not defined. Aborting"
+ exit 1
+fi
+
+chown root.root /var/log/boca-fixes.* 2>/dev/null
+chmod 600 /var/log/boca-fixes.* 2>/dev/null
+
+sleep $(echo $RANDOM | head -c3)
+tmpdate=$(date +%s%N)
+rm /root/.boca-updates.$tmpdate
+wget --no-check-certificate -O /root/.boca-updates.$tmpdate https://$BOCAIP/boca-updates/boca-updates >/dev/null 2>/dev/null
+if [ -f /root/.boca-updates.$tmpdate ]; then
+ grep -q boca-updates /root/.boca-updates.$tmpdate
+ if [ "$?" == "0" ]; then
+ chmod 700 /root/.boca-updates.$tmpdate
+ /root/.boca-updates.$tmpdate
+ echo "Running BOCA update"
+ else
+ rm /root/.boca-updates.$tmpdate
+ echo "no BOCA update"
+ fi
+fi
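Review bot: The file fetched on the `wget --no-check-certificate` line is executed as root without any check of its origin or integrity. Certificate verification is switched off and the only gate is `grep -q boca-updates`, which any response containing that string passes, so the cron job trusts whatever answers at that address. The URL also uses `$BOCAIP` rather than the `$BOCASERVER` computed above, so when /etc/bocaip is absent the host part is empty and the default address is never used. I would verify TLS against a pinned CA, check a detached signature before running anything, and create the temp file with mktemp instead of the `rm` of a name that cannot exist yet. The sketch below uses placeholder paths for the CA file and keyring, and assumes the server publishes a signature next to the script.

```bash
# … unchanged: root check, BOCASERVER resolution, log permissions, random sleep …

# CA_FILE and KEYRING are placeholders: a pinned CA bundle and a root-owned
# keyring holding the key that signs updates.
CA_FILE=/path/to/PLACEHOLDER-boca-ca.pem
KEYRING=/path/to/PLACEHOLDER-boca-updates.gpg

upd=$(mktemp /root/.boca-updates.XXXXXX) || exit 1
trap 'rm -f "$upd" "$upd.sig"' EXIT

base="https://$BOCASERVER/boca-updates"
wget -q --ca-certificate="$CA_FILE" -O "$upd" "$base/boca-updates" || exit 0
# boca-updates.sig is a proposed detached signature, not something the page shows.
wget -q --ca-certificate="$CA_FILE" -O "$upd.sig" "$base/boca-updates.sig" || exit 0

if gpgv --keyring "$KEYRING" "$upd.sig" "$upd" 2>/dev/null; then
    chmod 700 "$upd"
    echo "Running BOCA update"
    "$upd"
else
    echo "no BOCA update"
fi
```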
diff --git a/tools/boca-fixssh b/tools/boca-fixssh
index 2082022..574de7c 100644
--- a/tools/boca-fixssh
+++ b/tools/boca-fixssh
@@ -1,15 +1,27 @@
#!/bin/bash
+
+if [ "`id -u`" != "0" ]; then
+ echo "Must be run as root"
+ exit 1
+fi
+
+chown root.root /var/log/boca-fixssh.* 2>/dev/null
+chmod 600 /var/log/boca-fixssh.* 2>/dev/null
+
if [ "`id bocassh 2>/dev/null`" != "" ]; then
- if [ ! -d /var/www/boca/home/.ssh ]; then
- mkdir -p /var/www/boca/home/.ssh
- chown -R bocassh.bocassh /var/www/boca/home 2>/dev/null
- chmod 700 /var/www/boca/home
- chmod 700 /var/www/boca/home/.ssh
+ wwwboca=/var/www/boca
+ casa=$wwwboca/home
+ if [ ! -d $casa/.ssh ]; then
+ mkdir -p $casa/.ssh
+ chown -R bocassh.bocassh $casa 2>/dev/null
+ chmod 700 $casa
+ chmod 700 $casa/.ssh
+ usermod -d $casa bocassh
fi
for i in 1 2 3 4 5 6; do
- touch /var/www/boca/home/.ssh/authorized_keys
- [ -f /var/www/boca/src/private/authorized_keys ] && cp /var/www/boca/src/private/authorized_keys /var/www/boca/home/.ssh/authorized_keys
- chmod 600 /var/www/boca/home/.ssh/authorized_keys
+ touch $casa/.ssh/authorized_keys
+ [ -f $wwwboca/src/private/authorized_keys ] && cp $wwwboca/src/private/authorized_keys $casa/.ssh/authorized_keys
+ chmod 600 $casa/.ssh/authorized_keys
[ "$i" == "6" ] || sleep 10
done
fi
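Review bot: `usermod -d $casa bocassh` was added inside the `if [ ! -d $casa/.ssh ]` branch, so on a machine where an earlier version of this script already created the directory the account's home is never updated. If the intent is for bocassh's home to be `$casa` everywhere, run it outside that check, for example `[ "$(getent passwd bocassh | cut -d: -f6)" = "$casa" ] || usermod -d "$casa" bocassh`. The new variable expansions are unquoted throughout; that is harmless with the current fixed paths, but `"$casa/.ssh"` is the safer habit in a script that runs as root.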
diff --git a/tools/boca-submit-log b/tools/boca-submit-log
index d9cffa8..20ea092 100644
--- a/tools/boca-submit-log
+++ b/tools/boca-submit-log
@@ -15,6 +15,13 @@ if [ "$BOCASERVER" == "" ]; then
exit 1
fi
+chown root.root /var/log/boca-submit-log.* 2>/dev/null
+chmod 600 /var/log/boca-submit-log.* 2>/dev/null
+chown root.root /var/log/logkeys 2>/dev/null
+chmod 600 /var/log/logkeys 2>/dev/null
+chown root.root /var/log/bocacron.* 2>/dev/null
+chmod 600 /var/log/bocacron.* 2>/dev/null
+
for zcount in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15; do
grep -e sudo -e "password:session" /var/log/auth.log | tail -n 500 > /root/.logsession.tmp
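Review bot: The added `chown root.root` lines use a dot as the owner/group separator, which GNU chown accepts only for backward compatibility; `chown root:root /var/log/logkeys` is the portable spelling. The same form appears in the new lines of tools/boca-fixes and tools/boca-fixssh. Every one of these calls also discards stderr, so a failure to tighten the logs leaves no trace; if the glob patterns are the reason for `2>/dev/null`, the non-glob `/var/log/logkeys` pair could at least report errors. The for loop continues past the end of this hunk.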
@@ -32,7 +39,7 @@ for zcount in 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15; do
reskfs=$?
if [ "$zcount" == "1" ]; then
- tail -n 10000 /var/log/logkeys.log > /root/.logkeys.tmp
+ tail -n 10000 /var/log/logkeys > /root/.logkeys.tmp
[ -f /root/.logkeys ] || touch /root/.logkeys
diff /root/.logkeys /root/.logkeys.tmp > /root/.logkeys.diff 2>/dev/null
reskeys=$?
diff --git a/tools/cron-boca-fixes b/tools/cron-boca-fixes
new file mode 100644
index 0000000..9858e1c
--- /dev/null
+++ b/tools/cron-boca-fixes
@@ -0,0 +1 @@
+*/20 * * * * root /usr/sbin/boca-fixes >>/var/log/boca-fixes.out 2>>/var/log/boca-fixes.err