From 5938698d13c326114857aaebb34a0f7081e1d486 Mon Sep 17 00:00:00 2001 From: "justdave%syndicomm.com" <> Date: Wed, 13 Feb 2002 09:35:28 +0000 Subject: Fix for bug 99024: checksetup was not giving proper permissions to the contents of the template directory. This patch also adds an .htaccess file that blocks access to the template folder by the web server. Patch by Dave Miller r= zach x 2 --- checksetup.pl | 72 +++++++++++++++++++++++++++++++++++++++++------------------ 1 file changed, 50 insertions(+), 22 deletions(-) diff --git a/checksetup.pl b/checksetup.pl index 59f9859c5..05dcc8607 100755 --- a/checksetup.pl +++ b/checksetup.pl @@ -627,6 +627,17 @@ END close HTACCESS; chmod $fileperm, "data/.htaccess"; } + if (!-e "template/.htaccess") { + print "Creating template/.htaccess...\n"; + open HTACCESS, ">template/.htaccess"; + print HTACCESS <<'END'; +# nothing in this directory is retrievable unless overriden by an .htaccess +# in a subdirectory +deny from all +END + close HTACCESS; + chmod $fileperm, "template/.htaccess"; + } if (!-e "data/webdot/.htaccess") { if (!-d "data/webdot") { mkdir "data/webdot", $dirperm; @@ -751,22 +762,36 @@ sub isExecutableFile { # fix file (or files - wildcards ok) permissions sub fixPerms { - my $file; - my @files = glob($_[0]); - my $exeperm = 0777 & ~ $_[1]; - my $normperm = 0666 & ~ $_[1]; - foreach $file (@files) { - # do not change permissions on directories here - if (!(-d $file)) { - # check if the file is executable. - if (isExecutableFile($file)) { - #printf ("Changing $file to %o",$exeperm); - chmod $exeperm, $file; - } else { - #print ("Changing $file to %o", $normperm); - chmod $normperm, $file; + my ($file_pattern, $owner, $group, $umask, $do_dirs) = @_; + my @files = glob($file_pattern); + my $execperm = 0777 & ~ $umask; + my $normperm = 0666 & ~ $umask; + foreach my $file (@files) { + next if (!-e $file); + # do not change permissions on directories here unless $do_dirs is set + if (!(-d $file)) { + chown $owner, $group, $file; + # check if the file is executable. + if (isExecutableFile($file)) { + #printf ("Changing $file to %o\n", $execperm); + chmod $execperm, $file; + } else { + #printf ("Changing $file to %o\n", $normperm); + chmod $normperm, $file; + } + } + elsif ($do_dirs) { + chown $owner, $group, $file; + if ($file =~ /CVS$/) { + chmod 0700, $file; + } + else { + #printf ("Changing $file to %o\n", $execperm); + chmod $execperm, $file; + fixPerms("$file/.htaccess", $owner, $group, $umask, $do_dirs); + fixPerms("$file/*", $owner, $group, $umask, $do_dirs); # do the contents of the directory + } } - } } } @@ -790,11 +815,11 @@ EOF # chown needs to be called with a valid uid, not 0. $< returns the # caller's uid. Maybe there should be a $bugzillauid, and call with that # userid. - chown $<, $webservergid, glob('*'); - if (-e ".htaccess") { chown $<, $webservergid, ".htaccess" } # glob('*') doesn't catch dotfiles - if (-e "data/.htaccess") { chown $<, $webservergid, "data/.htaccess" } - if (-e "data/webdot/.htaccess") { chown $<, $webservergid, "data/webdot/.htaccess" } - fixPerms('*',027); + fixPerms('.htaccess', $<, $webservergid, 027); # glob('*') doesn't catch dotfiles + fixPerms('data/.htaccess', $<, $webservergid, 027); + fixPerms('data/webdot/.htaccess', $<, $webservergid, 027); + fixPerms('*', $<, $webservergid, 027); + fixPerms('template', $<, $webservergid, 027, 1); chmod 0644, 'globals.pl'; chmod 0644, 'RelationSet.pm'; chmod 0771, 'data'; @@ -802,8 +827,11 @@ EOF } else { # get current gid from $( list my $gid = (split " ", $()[0]; - chown $<, $gid, glob('*'); - fixPerms('*',022); + fixPerms('.htaccess', $<, $gid, 022); # glob('*') doesn't catch dotfiles + fixPerms('data/.htaccess', $<, $gid, 022); + fixPerms('data/webdot/.htaccess', $<, $gid, 022); + fixPerms('*', $<, $gid, 022); + fixPerms('template', $<, $gid, 022, 1); chmod 01777, 'data', 'graphs'; } -- cgit v1.2.3-24-g4f1b