diff options
-rw-r--r-- | AUTHORS | 1 | ||||
-rw-r--r-- | ChangeLog | 5 | ||||
-rw-r--r-- | etc/backupninja.conf.in | 4 | ||||
-rwxr-xr-x | src/backupninja.in | 44 |
4 files changed, 43 insertions, 11 deletions
@@ -15,3 +15,4 @@ cmccallum@thecsl.org Daniel.Bonniot@inria.fr Brad Fritz <brad@fritzfam.com> -- trac patch garcondumonde@riseup.net +Martin Krafft madduck@debian.org -- admingroup patch
\ No newline at end of file @@ -3,6 +3,11 @@ version 0.9.4 -- unreleased . Fixed bug in toint(), and thus isnow(), which caused it to not work when run from cron. . Recursively ignore subdirs in /etc/backup.d (Closes: #361102) + . Add admingroup option to configuration to allow a group that can + read/write configurations (instead of only allowing root). Checks + and complains about group-readable files only when the group differs + from the one in the configuration file (default is root as before). + Thanks to Martin Krafft for the patch (Closes: #370396). handler changes Added tar handler mysql: diff --git a/etc/backupninja.conf.in b/etc/backupninja.conf.in index 362eb59..10ac2bb 100644 --- a/etc/backupninja.conf.in +++ b/etc/backupninja.conf.in @@ -25,6 +25,10 @@ reportsuccess = yes # even if there was no error. (default = yes) reportwarning = yes +# set to the administration group that is allowed to +# read/write configuration files in /etc/backup.d +admingroup = root + ####################################################### # for most installations, the defaults below are good # ####################################################### diff --git a/src/backupninja.in b/src/backupninja.in index 2835a3c..57936da 100755 --- a/src/backupninja.in +++ b/src/backupninja.in @@ -130,17 +130,37 @@ function msg { # function check_perms() { - local file=$1 - local perms=`ls -ld $file` - perms=${perms:4:6} - if [ "$perms" != "------" ]; then - echo "Configuration files must not be group or world writable/readable! Dying on file $file" - fatal "Configuration files must not be group or world writable/readable! Dying on file $file" - fi - if [ `ls -ld $file | awk '{print $3}'` != "root" ]; then - echo "Configuration files must be owned by root! Dying on file $file" - fatal "Configuration files must be owned by root! Dying on file $file" - fi + local file=$1 + local perms + perms=($(stat -L --printf='%a %g %G %u %U' $file)) + local gperm=${perms[0]:1:1} + local wperm=${perms[0]:2:1} + local gid=${perms[1]} + local group=${perms[2]} + local owner=${perms[3]} + + if [ "$owner" != 0 ]; then + echo "Configuration files must be owned by root! Dying on file $file" + fatal "Configuration files must be owned by root! Dying on file $file" + fi + + if [ $wperm -gt 0 ]; then + echo "Configuration files must not be world writable/readable! Dying on file $file" + fatal "Configuration files must not be world writable/readable! Dying on file $file" + fi + + if [ $gperm -gt 0 ]; then + case "$admingroup" in + $gid|$group) :;; + + *) + if [ "$gid" != 0 ]; then + echo "Configuration files must writable/readable by group ${perms[2]}! Dying on file $file" + fatal "Configuration files must writable/readable by group ${perms[2]}! Dying on file $file" + fi + ;; + esac + fi } # simple lowercase function @@ -423,6 +443,7 @@ getconf PGSQLDUMP /usr/bin/pg_dump getconf PGSQLDUMPALL /usr/bin/pg_dumpall getconf GZIP /bin/gzip getconf RSYNC /usr/bin/rsync +getconf admingroup root # initialize vservers support # (get config variables and check real vservers availability) @@ -461,6 +482,7 @@ fi for file in $files; do [ -f "$file" ] || continue + check_perms ${file%/*} # check containing dir check_perms $file suffix="${file##*.}" base=`basename $file` |