From 9566c297d975348257f2c74a71fabee3cbb1a1d1 Mon Sep 17 00:00:00 2001 From: Florent Daigniere Date: Thu, 24 Nov 2022 18:40:56 +0100 Subject: [PATCH 1/2] Don't do it as root --- webmails/start.py | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/webmails/start.py b/webmails/start.py index f87ac55f..bd395e5d 100755 --- a/webmails/start.py +++ b/webmails/start.py @@ -2,6 +2,7 @@ import os import logging +from pwd import getpwnam import sys import subprocess import shutil @@ -77,10 +78,17 @@ conf.jinja("/conf/config.inc.php", context, "/var/www/roundcube/config/config.in # create dirs os.system("mkdir -p /data/gpg") +def demote(user_uid, user_gid): + def result(): + os.setgid(user_gid) + os.setuid(user_uid) + return result +id_mailu = getpwnam('mailu') + print("Initializing database") try: result = subprocess.check_output(["/var/www/roundcube/bin/initdb.sh", "--dir", "/var/www/roundcube/SQL"], - stderr=subprocess.STDOUT) + stderr=subprocess.STDOUT, preexec_fn=demote(id_mailu.pw_uid,id_mailu.pw_gid)) print(result.decode()) except subprocess.CalledProcessError as exc: err = exc.stdout.decode() @@ -92,13 +100,13 @@ except subprocess.CalledProcessError as exc: print("Upgrading database") try: - subprocess.check_call(["/var/www/roundcube/bin/update.sh", "--version=?", "-y"], stderr=subprocess.STDOUT) + subprocess.check_call(["/var/www/roundcube/bin/update.sh", "--version=?", "-y"], stderr=subprocess.STDOUT, preexec_fn=demote(id_mailu.pw_uid,id_mailu.pw_gid)) except subprocess.CalledProcessError as exc: exit(4) else: print("Cleaning database") try: - subprocess.check_call(["/var/www/roundcube/bin/cleandb.sh"], stderr=subprocess.STDOUT) + subprocess.check_call(["/var/www/roundcube/bin/cleandb.sh"], stderr=subprocess.STDOUT, preexec_fn=demote(id_mailu.pw_uid,id_mailu.pw_gid)) except subprocess.CalledProcessError as exc: exit(5) From c4595fddca5a9a5515266d3b1ed4bf46da806ec4 Mon Sep 17 00:00:00 2001 
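Review bot: `demote` changes the uid and primary gid but never resets the supplementary group list, so the child keeps whatever supplementary groups the root parent had and the privilege drop is only partial. Add `os.setgroups([])` (or `os.initgroups('mailu', user_gid)`) as the first statement of `result`, before `os.setgid`, while the process is still root and permitted to call it; the existing setgid-before-setuid order is correct and should stay. A one-line docstring on `demote`, such as `"""Return a preexec_fn that irreversibly drops root to the given uid/gid in the child."""`, would make the intent clear to the next reader. `getpwnam('mailu')` raising `KeyError` when the user is missing is acceptable here, since aborting before the database scripts run is the safe outcome.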
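Review bot: The three `preexec_fn=demote(id_mailu.pw_uid,id_mailu.pw_gid)` arguments build a fresh closure per call and rely on `preexec_fn`, which the `subprocess` documentation warns runs Python between fork and exec and is not safe when the parent has other threads. If the image's Python is 3.9 or newer, the same demotion can be written as `user=id_mailu.pw_uid, group=id_mailu.pw_gid, extra_groups=[]`, which also clears supplementary groups and needs no closure at all; otherwise bind the closure once, `drop_privs = demote(id_mailu.pw_uid, id_mailu.pw_gid)`, and pass `preexec_fn=drop_privs` to all three calls. Either way a short comment above the first call, e.g. `# run the Roundcube DB scripts as mailu, not root`, documents why every call carries the extra argument.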
From: Florent Daigniere Date: Thu, 24 Nov 2022 19:08:30 +0100 Subject: [PATCH 2/2] Change perms first --- webmails/start.py | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/webmails/start.py b/webmails/start.py index bd395e5d..f6dd4d56 100755 --- a/webmails/start.py +++ b/webmails/start.py @@ -78,6 +78,18 @@ conf.jinja("/conf/config.inc.php", context, "/var/www/roundcube/config/config.in # create dirs os.system("mkdir -p /data/gpg") +base = "/data/_data_/_default_/" +shutil.rmtree(base + "domains/", ignore_errors=True) +os.makedirs(base + "domains", exist_ok=True) +os.makedirs(base + "configs", exist_ok=True) + +conf.jinja("/defaults/default.json", context, "/data/_data_/_default_/domains/default.json") +conf.jinja("/defaults/application.ini", context, "/data/_data_/_default_/configs/application.ini") +conf.jinja("/defaults/php.ini", context, "/etc/php81/php.ini") + +# setup permissions +os.system("chown -R mailu:mailu /data") + def demote(user_uid, user_gid): def result(): os.setgid(user_gid) @@ -110,18 +122,6 @@ else: except subprocess.CalledProcessError as exc: exit(5) -base = "/data/_data_/_default_/" -shutil.rmtree(base + "domains/", ignore_errors=True) -os.makedirs(base + "domains", exist_ok=True) -os.makedirs(base + "configs", exist_ok=True) - -conf.jinja("/defaults/default.json", context, "/data/_data_/_default_/domains/default.json") -conf.jinja("/defaults/application.ini", context, "/data/_data_/_default_/configs/application.ini") -conf.jinja("/defaults/php.ini", context, "/etc/php81/php.ini") - -# setup permissions -os.system("chown -R mailu:mailu /data") - # Configure nginx conf.jinja("/conf/nginx-webmail.conf", context, "/etc/nginx/http.d/webmail.conf") if os.path.exists("/var/run/nginx.pid"):
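Review bot: The demoted `initdb.sh`/`update.sh` steps now depend on `chown -R mailu:mailu /data` having succeeded, yet `os.system` discards its exit status, so a failed chown (for example a read-only or root-squashed volume) surfaces later as an opaque permission error from the Roundcube scripts instead of at its cause. Replace it with `subprocess.check_call(["chown", "-R", "mailu:mailu", "/data"])`, consistent with the `check_call` already used for the scripts, so the script stops here with the real error. The reason for the move is only visible from the commit title, so a comment above the chown, `# must run as root before the demoted Roundcube scripts, which need /data writable by mailu`, would keep the ordering from being "fixed" back later. Note that after this chown the templated `application.ini` and `default.json` under `/data/_data_/_default_/` are owned by the unprivileged runtime user; that is not new to this commit, but is worth stating if those files are expected to be tamper-resistant.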