2558: Don't do it as root r=mergify[bot] a=nextgens

A naive attempt to ensure we don't run the PHP stuff as root; without it we mess up the permissions and fail to upgrade the roundcube database schema

Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
main
bors[bot] 2 years ago committed by GitHub
commit 0e0ac201fc
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

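--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -2,6 +2,7 @@
 import os
 import logging
+from pwd import getpwnam
 import sys
 import subprocess
 import shutil
@@ -77,31 +78,6 @@ conf.jinja("/conf/config.inc.php", context, "/var/www/roundcube/config/config.in
 # create dirs
 os.system("mkdir -p /data/gpg")
-print("Initializing database")
-try:
-result = subprocess.check_output(["/var/www/roundcube/bin/initdb.sh", "--dir", "/var/www/roundcube/SQL"],
-stderr=subprocess.STDOUT)
-print(result.decode())
-except subprocess.CalledProcessError as exc:
-err = exc.stdout.decode()
-if "already exists" in err:
-print("Already initialized")
-else:
-print(err)
-exit(3)
-print("Upgrading database")
-try:
-subprocess.check_call(["/var/www/roundcube/bin/update.sh", "--version=?", "-y"], stderr=subprocess.STDOUT)
-except subprocess.CalledProcessError as exc:
-exit(4)
-else:
-print("Cleaning database")
-try:
-subprocess.check_call(["/var/www/roundcube/bin/cleandb.sh"], stderr=subprocess.STDOUT)
-except subprocess.CalledProcessError as exc:
-exit(5)
 base = "/data/_data_/_default_/"
 shutil.rmtree(base + "domains/", ignore_errors=True)
 os.makedirs(base + "domains", exist_ok=True)
@@ -114,6 +90,38 @@ conf.jinja("/defaults/php.ini", context, "/etc/php81/php.ini")
 # setup permissions
 os.system("chown -R mailu:mailu /data")
+def demote(user_uid, user_gid):
+def result():
+os.setgid(user_gid)
+os.setuid(user_uid)
+return result
+id_mailu = getpwnam('mailu')
+print("Initializing database")
+try:
+result = subprocess.check_output(["/var/www/roundcube/bin/initdb.sh", "--dir", "/var/www/roundcube/SQL"],
+stderr=subprocess.STDOUT, preexec_fn=demote(id_mailu.pw_uid,id_mailu.pw_gid))
+print(result.decode())
+except subprocess.CalledProcessError as exc:
+err = exc.stdout.decode()
+if "already exists" in err:
+print("Already initialized")
+else:
+print(err)
+exit(3)
+print("Upgrading database")
+try:
+subprocess.check_call(["/var/www/roundcube/bin/update.sh", "--version=?", "-y"], stderr=subprocess.STDOUT, preexec_fn=demote(id_mailu.pw_uid,id_mailu.pw_gid))
+except subprocess.CalledProcessError as exc:
+exit(4)
+else:
+print("Cleaning database")
+try:
+subprocess.check_call(["/var/www/roundcube/bin/cleandb.sh"], stderr=subprocess.STDOUT, preexec_fn=demote(id_mailu.pw_uid,id_mailu.pw_gid))
+except subprocess.CalledProcessError as exc:
+exit(5)
 # Configure nginx
 conf.jinja("/conf/nginx-webmail.conf", context, "/etc/nginx/http.d/webmail.conf")
 if os.path.exists("/var/run/nginx.pid"):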
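Review bot: demote() in the third hunk drops the uid and gid but never clears the supplementary group list, so the initdb/update/cleandb children still carry whatever supplementary groups the root parent had; add `os.setgroups([])` (or `os.initgroups('mailu', user_gid)`) as the first line of result(), before `os.setgid(user_gid)`. Since Python 3.9, subprocess.Popen accepts `user=`, `group=` and `extra_groups=` and performs this drop itself without the thread-safety caveat documented for preexec_fn; if the image's Python is recent enough, the three `preexec_fn=demote(...)` arguments could become `user=id_mailu.pw_uid, group=id_mailu.pw_gid, extra_groups=[]`. Either way demote deserves a docstring such as `"""Return a preexec_fn that drops the child to user_uid/user_gid (gid first, so the uid change cannot be reverted)."""`. Note that the environment of the children (HOME, PATH) is still root's; whether the roundcube scripts care about that cannot be told from here.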
