* Copyright 2001-2002, 2009, Roland Mas
* Copyright 2004-2005, GForge, LLC
* Copyright 2013, Franck Villaume - TrivialDev
+ * Copyright © 2013
+ * Thorsten “mirabilos” Glaser <t.glaser@tarent.de>
*
* This file is part of FusionForge. FusionForge is free software;
* you can redistribute it and/or modify it under the terms of the
if (!$user_id) {
return '';
}
+ return session_build_session_cookie($user_id);
+}
- $session_serial = $user_id.'-*-'.time().'-*-'.getStringFromServer('REMOTE_ADDR').'-*-'.getStringFromServer('HTTP_USER_AGENT');
- $session_serial_hash = md5($session_serial.forge_get_config('session_key'));
- $session_serial_token = base64_encode($session_serial).'-*-'.$session_serial_hash;
- /*
- * TODO: would be better to use HMAC-SHA256 via
- * http://www.php.net/manual/en/function.hash-hmac.php
- * or do this using Keccak (SHA-3) which is its own MAC
- */
- return $session_serial_token;
+function session_build_session_cookie($user_id) {
+ $session_cookie_data = array(
+ $user_id,
+ getStringFromServer('REMOTE_ADDR'),
+ getStringFromServer('HTTP_USER_AGENT'),
+ );
+ $session_cookie = "" . time();
+ foreach ($session_cookie_data as $s) {
+ /* for escaping; this is not really HTML */
+ $session_cookie .= '<' . util_html_encode($s);
+ }
+ $session_cookie_hmac = hash_hmac("sha256", $session_cookie,
+ forge_get_config('session_key'), true);
+ $session_serial_cookie = base64_encode($session_cookie) . '!' .
+ base64_encode($session_cookie_hmac);
+ return $session_serial_cookie;
}
/**
* @return hash
*/
function session_get_hash_from_token($session_token) {
- list ($junk, $hash) = explode('-*-', $session_token);
- return $hash;
+ return session_get_session_cookie_hash($session_token);
+}
+function session_get_session_cookie_hash($session_cookie) {
+ /*
+ * we cannot just use the HMAC as that may be longer than
+ * the database fields, and this code used to return a
+ * string of the size of an md5(), so just md5 it
+ */
+ return md5($session_cookie);
}
/**
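Review bot: Neither `session_build_session_cookie()` nor `session_get_session_cookie_hash()` carries a docblock, although the wrapper they replace documented `@return hash`. A short comment on `session_build_session_cookie()` stating the layout — base64 of `time<user_id<ip<user_agent`, each field passed through `util_html_encode()` so a literal `<` in a user agent cannot split a field, then `!`, then base64 of the raw HMAC-SHA256 keyed with `session_key` — lets anyone reading the checker confirm it parses the same format. Nothing in the hunk rejects an empty `forge_get_config('session_key')`, in which case every cookie is trivially forgeable; a guard such as `if (forge_get_config('session_key') == '') { exit_error(_('session_key is not configured'), ''); }` before the HMAC is cheap. The `md5()` in `session_get_session_cookie_hash()` is a database key over the already-authenticated cookie rather than a security boundary, which the existing comment could say explicitly.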
if ($session_token == '') {
return false;
}
+ return session_check_session_cookie($session_token);
+}
+function session_check_session_cookie($session_cookie) {
+ if (!preg_match('#^[A-Za-z0-9+/=]*![A-Za-z0-9+/=]*$#',
+ $session_cookie)) {
+ /*
+ * does not match basic format, off; recommended by
+ * http://www.daemonology.net/blog/2009-06-11-cryptographic-right-answers.html
+ * to protect the below code from malformed strings
+ */
+ return false;
+ }
- list ($session_serial, $hash) = explode('-*-', $session_token);
- $session_serial = base64_decode($session_serial);
- $new_hash = md5($session_serial.forge_get_config('session_key'));
-
- if ($hash != $new_hash) {
+ list($session_cookie, $session_cookie_hmac) = explode('!',
+ $session_cookie);
+ $session_cookie = base64_decode($session_cookie);
+ $session_cookie_hmac = base64_decode($session_cookie_hmac);
+ if (hash_hmac("sha256", $session_cookie,
+ forge_get_config('session_key'), true) !== $session_cookie_hmac) {
+ /* HMAC mismatch */
return false;
}
- list($user_id, $time, $ip, $user_agent) = explode('-*-', $session_serial, 4);
+ list($time, $user_id, $ip, $user_agent) = explode('<', $session_cookie);
+ $user_id = util_unconvert_htmlspecialchars($user_id);
+ $ip = util_unconvert_htmlspecialchars($ip);
+ $user_agent = util_unconvert_htmlspecialchars($user_agent);
if (!session_check_ip($ip, getStringFromServer('REMOTE_ADDR'))) {
return false;
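Review bot: The HMAC check compares with `!==`, which stops at the first differing byte; `hash_equals()` (PHP 5.6+) or an equivalent constant-time loop is the usual choice: `if (!hash_equals(hash_hmac("sha256", $session_cookie, forge_get_config('session_key'), true), $session_cookie_hmac)) {`. The format regex anchors with `$`, which in PCRE also matches before a trailing newline; ending the pattern in `\z` (`'#^[A-Za-z0-9+/=]*![A-Za-z0-9+/=]*\z#'`) or adding the `D` modifier makes it strict. After verification the `list(...) = explode('<', $session_cookie)` assumes exactly four fields; a `count()` check before destructuring avoids undefined-offset notices on anything unexpected. `$time` is extracted but not consulted in the visible lines, and session_check_session_cookie() continues past the hunk, so the expiry check (if any) is out of view.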
*/
function session_logout() {
plugin_hook('close_auth_session');
- RBACEngine::getInstance()->invalidateRoleCaches() ;
+
+ // delete both session and username cookies
+ // NB: cookies must be deleted with the same scope parameters they were set with
+ //
+ session_cookie('session_ser', '');
+
+ RBACEngine::getInstance()->invalidateRoleCaches();
return true;
}
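Review bot: The comment says both the session and the username cookies are deleted, but only `session_ser` is cleared; add the second `session_cookie()` call or reword to `// delete the session cookie`. Deletion relies on `setcookie()` treating an empty value as a removal with matching path and domain, so the `$domain` passed here must stay in step with wherever the cookie is set. Whether the server-side `user_session` row is removed on logout is not visible in this hunk; if it isn't, a retained copy of the cookie value keeps working until it expires.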
* @access public
*
*/
-function session_login_valid($loginname, $passwd, $allowpending=0) {
- global $feedback,$error_msg,$warning_msg;
+function session_login_valid($loginname, $passwd, $allowpending=0) {
+ global $feedback, $error_msg, $warning_msg;
if (!$loginname || !$passwd) {
$warning_msg = _('Missing Password Or Users Name');
return false;
}
- $hook_params = array () ;
- $hook_params['loginname'] = $loginname ;
- $hook_params['passwd'] = $passwd ;
- $result = plugin_hook ("session_before_login", $hook_params) ;
+ $hook_params = array();
+ $hook_params['loginname'] = $loginname;
+ $hook_params['passwd'] = $passwd;
+ $result = plugin_hook("session_before_login", $hook_params);
// Refuse login if not all the plugins are ok.
if (!$result) {
- if (!$feedback) {
+ if (!util_ifsetor($feedback)) {
$warning_msg = _('Invalid Password Or User Name');
}
return false;
}
- return session_login_valid_dbonly ($loginname, $passwd, $allowpending) ;
-}
-
-function session_login_valid_dbonly($loginname, $passwd, $allowpending=false) {
- return session_check_credentials_in_database($loginname, $passwd, $allowpending);
+ return session_login_valid_dbonly($loginname, $passwd, $allowpending);
}
function session_check_credentials_in_database($loginname, $passwd, $allowpending=false) {
- global $warning_msg ,$userstatus;
+ return session_login_valid_dbonly($loginname, $passwd, $allowpending);
+}
+function session_login_valid_dbonly($loginname, $passwd, $allowpending) {
+ global $feedback, $userstatus;
- // Try to get the users from the database using user_id and (MD5) user_pw
+ // Try to get the users from the database using user_id and (MD5) user_pw
if (forge_get_config('require_unique_email')) {
$res = db_query_params ('SELECT user_id,status,unix_pw FROM users WHERE (user_name=$1 OR email=$1) AND user_pw=$2',
array ($loginname,
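Review bot: The new `session_login_valid_dbonly()` drops the `$allowpending=false` default that both the removed definition and the `session_check_credentials_in_database()` wrapper keep, so a direct two-argument caller elsewhere now gets a missing-argument warning and a null `$allowpending`; restore `function session_login_valid_dbonly($loginname, $passwd, $allowpending=false) {`. The `global` list also swaps `$warning_msg` for `$feedback`; the body continues past the hunk, and if it still assigns `$warning_msg` as the old declaration suggests, that write now lands in a local and the message is lost — keep both names or audit the remaining assignments. A one-line comment naming `session_login_valid_dbonly()` as the implementation behind the two wrappers would spare the next reader the round trip.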
return false;
}
}
- //create a new session
+ // create a new session
session_set_new(db_result($res, 0, 'user_id'));
return true;
* @return true/false
* @access private
*/
-function session_check_ip($oldip,$newip) {
- if (strstr ($oldip, ':')) {
+function session_check_ip($oldip, $newip) {
+ if (strstr($oldip, ':')) {
// Old IP is IPv6
- if (strstr ($newip, ':')) {
+ if (strstr($newip, ':')) {
// New IP is IPv6 too
- return ($oldip == $newip) ;
- } else {
- return false ;
- }
- } else {
- // Old IP is IPv4
- if (strstr ($newip, ':')) {
- // New IP is IPv6
- return false ;
- } else {
- $eoldip = explode(".",$oldip);
- $enewip = explode(".",$newip);
-
- // require same class b subnet
- return ( ($eoldip[0] == $enewip[0])
- && ($eoldip[1] == $enewip[1]) ) ;
+ return ($oldip == $newip);
}
+ return false;
}
+ // Old IP is IPv4
+ if (strstr($newip, ':')) {
+ // New IP is IPv6
+ return false;
+ }
+ $eoldip = explode(".", $oldip);
+ $enewip = explode(".", $newip);
+
+ // require same Class B subnet
+ return (($eoldip[0] == $enewip[0]) && ($eoldip[1] == $enewip[1]));
}
/**
* @param string Value of cookie
* @param string Domain scope (default '')
* @param string Expiration time in UNIX seconds (default 0)
- * @return true/false
*/
-function session_set_cookie($name ,$value, $domain = '', $expiration = 0) {
- if (php_sapi_name() != 'cli') {
- if ( $expiration != 0){
- setcookie($name, $value, time() + $expiration, '/', $domain, 0);
- } else {
- setcookie($name, $value, $expiration, '/', $domain, 0);
- }
+function session_set_cookie($name, $value, $domain='', $expiration=0) {
+ return session_cookie($name, $value, $domain, $expiration);
+}
+function session_cookie($name, $value, $domain='', $expiration=0) {
+ if (php_sapi_name() == 'cli') {
+ return;
+ }
+ if ($expiration) {
+ $expiration = time() + $expiration;
+ }
+ /* evolvis: force secure (SSL-only) session cookies */
+ //$force_secure = true;
+ /* not (yet?) in FusionForge */
+ $force_secure = false;
+ if ($force_secure && !session_issecure()) {
+ return;
}
+ setcookie($name, $value, $expiration, '/', $domain, $force_secure, true);
+}
+
+/**
+ * session_redirect_uri() - Redirect browser
+ *
+ * @param string Absolute URI
+ * @return never returns
+ */
+function session_redirect_external($url) {
+ session_redirect_uri($url);
+}
+function session_redirect_uri($loc) {
+ util_save_messages();
+ sysdebug_off("Status: 301 Moved Permanently", true, 301);
+ header("Location: ${loc}", true);
+ echo "\nPlease go to ${loc} instead!\n";
+ exit;
}
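Review bot: `session_redirect_uri()` echoes `$loc` unescaped into the response body; a client that does not follow the `Location` header renders it, so write `echo "\nPlease go to " . htmlspecialchars($loc) . " instead!\n";`. It also answers `301 Moved Permanently`, which browsers and proxies may cache, whereas a redirect that depends on session state is normally 302/303 so the next request is re-evaluated. A second `function session_redirect_external($url)` with its own body still appears as context further down (the hunk that adds `util_save_messages()` to it); if both definitions land in the same file PHP stops with a redeclare error, so only one may remain. `session_cookie()` now sets the HttpOnly flag, which is good; `$force_secure = false` is hard-coded, so an HTTPS-only instance cannot enable the Secure flag without editing the source — a setting read via `forge_get_config()` would be the natural place.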
/**
* @param string $loc Absolute path within the site
*/
function session_redirect($loc) {
- util_save_messages();
- session_redirect_external(util_make_url ($loc));
+ session_redirect_uri(util_make_url($loc));
exit;
}
* @return never returns
*/
function session_redirect_external($url) {
+ util_save_messages();
header('Location: '.$url);
print("\n\n");
exit;
}
$user =& user_get_object(user_getid());
- if (! $user->isActive()) {
+ if (!$user->isActive()) {
session_logout();
- exit_error(_('Your account is no longer active ; you have been disconnected'),'');
+ exit_error(_('Your account is no longer active; you have been disconnected'), '');
}
- if (array_key_exists('group', $req)) {
- $group = group_get_object($req['group']);
- if (!$group || !is_object($group)) {
- exit_no_group();
- } elseif ($group->isError()) {
- exit_error($reason == '' ? $group->getErrorMessage() : $reason, '');
- }
+ if (!array_key_exists('group', $req)) {
+ exit_permission_denied($reason, '');
+ }
- $perm =& $group->getPermission ();
- if (!$perm || !is_object($perm) || $perm->isError()) {
- exit_permission_denied($reason,'');
- }
+ $group = group_get_object($req['group']);
+ if (!$group || !is_object($group)) {
+ exit_no_group();
+ } elseif ($group->isError()) {
+ exit_error($reason ? $reason : $group->getErrorMessage(), '');
+ }
- if (isset($req['admin_flags']) && $req['admin_flags']) {
- if (!$perm->isAdmin()) {
- exit_permission_denied($reason,'');
- }
- } else {
- if (!$perm->isMember()) {
- exit_permission_denied($reason,'');
- }
+ $perm =& $group->getPermission();
+ if (!$perm || !is_object($perm) || $perm->isError()) {
+ exit_permission_denied($reason, '');
+ }
+
+ if (isset($req['admin_flags']) && $req['admin_flags']) {
+ if (!$perm->isAdmin()) {
+ exit_permission_denied($reason, '');
}
} else {
- exit_permission_denied($reason,'');
+ if (!$perm->isMember()) {
+ exit_permission_denied($reason, '');
+ }
}
}
* fails checks.
*
*/
-function session_require_perm($section, $reference, $action = NULL, $reason='') {
+function session_require_perm($section, $reference, $action=NULL, $reason='') {
if (!forge_check_perm($section, $reference, $action)) {
exit_permission_denied($reason, $section);
}
* fails checks.
*
*/
-function session_require_global_perm($section, $action = NULL, $reason='') {
+function session_require_global_perm($section, $action=NULL, $reason='') {
if (!forge_check_global_perm($section, $action)) {
if (!$reason) {
$reason = sprintf(_('Permission denied. The %s administrators will have to grant you permission to view this page.'),
- forge_get_config ('forge_name')) ;
+ forge_get_config('forge_name'));
}
exit_permission_denied($reason, $section);
}
* fails checks.
*
*/
-function session_require_login () {
+function session_require_login() {
if (!session_loggedin()) {
- exit_not_logged_in () ;
+ exit_not_logged_in();
}
}
function session_set_new($user_id) {
$token = session_build_session_token($user_id);
- $res = db_query_params ('SELECT count(*) as c FROM user_session WHERE session_hash = $1',
- array (session_get_hash_from_token($token))) ;
- if (!$res || db_result($res,0,'c') < 1) {
- db_query_params ('INSERT INTO user_session (session_hash,ip_addr,time,user_id) VALUES ($1,$2,$3,$4)',
- array (session_get_hash_from_token($token),
- getStringFromServer('REMOTE_ADDR'),
- time(),
- $user_id)) ;
+ // set session cookie
+ //
+ $cookie = session_build_session_cookie($user_id);
+// session_cookie("session_ser", $cookie, "", forge_get_config('session_expire'));
+// $session_ser = $cookie;
+
+ $res = db_query_params('SELECT count(*) as c FROM user_session
+ WHERE session_hash=$1',
+ array(($shash = session_get_session_cookie_hash($cookie))));
+ if (!$res || db_result($res, 0, 'c') < 1) {
+ db_query_params('INSERT INTO user_session
+ (session_hash,ip_addr,time,user_id)
+ VALUES ($1,$2,$3,$4)',
+ array(
+ $shash,
+ getStringFromServer('REMOTE_ADDR'),
+ time(),
+ $user_id,
+ ));
}
// check uniqueness of the session_hash in the database
$res = session_getdata($user_id);
if (!$res) {
- exit_error(db_error(),'');
- }
- else if (db_numrows($res) < 1) {
- exit_error(_('Could not fetch user session data'),'');
+ exit_error(db_error(), '');
+ } elseif (db_numrows($res) < 1) {
+ exit_error(_('Could not fetch user session data'), '');
} else {
- session_set_internal ($user_id, $res) ;
+ session_set_internal($user_id, $res);
}
}
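Review bot: `$token = session_build_session_token($user_id);` is kept and `$cookie = session_build_session_cookie($user_id);` is added, so the cookie value is built twice; both embed `time()` and differ whenever the clock ticks between the calls. The database row is keyed on `$shash`, derived from `$cookie`, while the `session_cookie("session_ser", $cookie, ...)` call is commented out, so whatever is actually sent to the browser happens outside the hunk (presumably from `$token`); when the two values disagree the stored hash never matches and the login fails without a clear error. Build the value once — `$cookie = $token;` or drop `$token` — and use the same variable for both the hash and the cookie. The inline assignment `array(($shash = session_get_session_cookie_hash($cookie)))` hides the definition; `$shash = session_get_session_cookie_hash($cookie);` on its own line before the query reads better.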
-function session_set_internal ($user_id, $res=false) {
- global $G_SESSION ;
+function session_set_internal($user_id, $res=false) {
+ global $G_SESSION;
- $G_SESSION = user_get_object($user_id,$res);
+ $G_SESSION = user_get_object($user_id, $res);
if ($G_SESSION) {
$G_SESSION->setLoggedIn(true);
}
- RBACEngine::getInstance()->invalidateRoleCaches() ;
+ RBACEngine::getInstance()->invalidateRoleCaches();
}
-
/**
* session_set_admin() - Setup session for the admin user
*
* @return none
*/
function session_set_admin() {
- $admins = RBACEngine::getInstance()->getUsersByAllowedAction ('forge_admin', -1) ;
- if (count ($admins) == 0) {
- exit_error(_('No admin users ?'),'');
+ $admins = RBACEngine::getInstance()->getUsersByAllowedAction('forge_admin', -1);
+ if (count($admins) == 0) {
+ exit_error(_('No admin users ?'), '');
}
- session_set_new ($admins[0]->getID());
+ /*
+ * Use the user with the lowest numerical user ID.
+ * This is to prevent complaints from real humans
+ * if the system is doing something in their stead
+ * (for example by populate_template_project.php).
+ * Usually, “admin” has the ID 101.
+ */
+ $admin_ids = array();
+ foreach ($admins as $admin) {
+ $admin_ids[] = $admin->getID();
+ }
+ sort($admin_ids);
+ session_set_new($admin_ids[0]);
}
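Review bot: `sort($admin_ids);` uses PHP's default SORT_REGULAR, which compares numerically only while every element looks numeric; since the comment's intent is the lowest numerical ID, `sort($admin_ids, SORT_NUMERIC);` states that explicitly and is robust if `getID()` ever returns strings. The `count($admins) == 0` guard above still holds, so `$admin_ids[0]` is defined.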
/**
* Private optimization function for logins - fetches user data, language, and session
* with one query
*
- * @param int The user ID
+ * @param int The user ID
* @access private
*/
function session_getdata($user_id) {
- return db_query_params ('SELECT u.*,sl.language_id, sl.name, sl.filename, sl.classname, sl.language_code, t.dirname, t.fullname
- FROM users u, supported_languages sl, themes t
- WHERE u.language=sl.language_id
- AND u.theme_id=t.theme_id
- AND u.user_id=$1',
- array ($user_id)) ;
+ return db_query_params('SELECT u.*, sl.language_id, sl.name,
+ sl.filename, sl.classname, sl.language_code,
+ t.dirname, t.fullname
+ FROM users u, supported_languages sl, themes t
+ WHERE u.language=sl.language_id
+ AND u.theme_id=t.theme_id
+ AND u.user_id=$1',
+ array($user_id));
}
/**
$user->setLoggedIn(true);echo "user:".$user->getUnixName();
$G_SESSION = $user;
-
+
} else {
$G_SESSION=false;
}
//print_r($re->getPublicRoles());
$re->invalidateRoleCaches() ;
//print_r($re->getAvailableRoles());
-
-
}
//TODO - this should be generalized and used for pre.php,
$LUSER =& session_get_user();
if (!is_object($LUSER) || $LUSER->isError()) {
return false;
- } else {
- return true;
}
+ return true;
}
function setup_tz_from_context() {
} else {
$tz = $LUSER->getTimeZone();
}
- putenv ('TZ='. $tz);
+ putenv('TZ=' . $tz);
date_default_timezone_set($tz);
}
* user_getid()
* Get user_id of logged in user
*/
-
function user_getid() {
global $G_SESSION;
if ($G_SESSION) {
return $G_SESSION->getID();
- } else {
- return false;
}
+ return false;
}
/**
if ($G_SESSION) {
return $G_SESSION->isLoggedIn();
- } else {
- return false;
}
+ return false;
}
// Local Variables:
*
* The rest Copyright 2002-2005 (c) GForge Team
* Copyright 2012, Franck Villaume - TrivialDev
- * http://fusionforge.org/
+ * Copyright © 2013 Thorsten Glaser, tarent solutions GmbH
*
* This file is part of FusionForge. FusionForge is free software;
* you can redistribute it and/or modify it under the terms of the
*/
/*
-This file creates blank user home directories and
-creates a group home directory with a template in it.
+ * This file creates blank user home directories and
+ * creates a group home directory with a template in it.
#
# * hosts
SSLDisable
</IfModule>
</VirtualHost>
+
*/
+
require_once dirname(__FILE__).'/../www/env.inc.php';
require_once $gfcommon.'include/pre.php';
require $gfcommon.'include/cron_utils.php';
setup_gettext_from_sys_lang();
define('USER_DEFAULT_GROUP', 'users');
-//error variable
+// error variable
$err = '';
-if (forge_get_config('groupdir_prefix') == '') { // this should be set in configuration
+/*
+ * check whether directory preficēs are set
+ * and create the præfix directories unless they exist
+ */
+
+if (!($gpfx = forge_get_config('groupdir_prefix'))) {
+ // this should be set in configuration
exit();
}
-if (!is_dir(forge_get_config('groupdir_prefix'))) {
- @mkdir(forge_get_config('groupdir_prefix'), 0755, true);
+if (!is_dir($gpfx)) {
+ @mkdir($gpfx, 0755, true);
}
-if (forge_get_config('homedir_prefix') == '') { // this should be set in configuration
+if (!($hpfx = forge_get_config('homedir_prefix'))) {
+ // this should be set in configuration
exit();
}
-if (!is_dir(forge_get_config('homedir_prefix'))) {
- @mkdir(forge_get_config('homedir_prefix'), 0755, true);
+if (!is_dir($hpfx)) {
+ @mkdir($hpfx, 0755, true);
+}
+
+if (forge_get_config('use_ftp_uploads')) {
+ if (!($fpfx = forge_get_config('ftp_upload_dir'))) {
+ // this should be set in the configuration
+ exit();
+ }
+
+ if (!is_dir($fpfx)) {
+ @mkdir($fpfx, 0755, true);
+ }
+} else {
+ /* signal that we do not use FTP */
+ $fpfx = false;
+}
+
+/* read in the group home template file */
+$contents = '';
+if (($fo = fopen(dirname(__FILE__) . '/../utils/default_page.php', 'r'))) {
+ while (!feof($fo)) {
+ $contents .= fread($fo, 8192);
+ }
+ fclose($fo);
+} else {
+ $err .= 'Default Page not found';
}
+/* create user homes */
+
$active_projects = group_get_active_projects();
$unames = array();
foreach ($active_projects as $project) {
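Review bot: When the template cannot be opened, `$err` is appended to but `$contents` stays `''`, and the project loop further down still writes that empty string into every new group's `htdocs/index.html`; skip the write when `$contents === ''` (or stop the run here). The three `exit()` calls for a missing `groupdir_prefix`, `homedir_prefix` or `ftp_upload_dir` leave no trace in `$err` or the cron log, so the misconfiguration fails silently — `$err .= 'groupdir_prefix not set'; cron_entry(25, $err); exit();` would surface it; the old code had the same silent exit, so this is a pre-existing gap the rewrite could close. The `@mkdir($gpfx, 0755, true)` family is likewise unchecked, and a later `is_dir()` is the only thing that notices.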
}
}
$unames = array_unique($unames);
-foreach($unames as $uname) {
- if (!is_dir(forge_get_config('homedir_prefix')."/".$uname)) {
- @mkdir(forge_get_config('homedir_prefix')."/".$uname);
+foreach ($unames as $uname) {
+ $uhome = $hpfx . "/" . $uname;
+ if (!is_dir($uhome)) {
+ @mkdir($uhome);
}
- system("chown $uname:".USER_DEFAULT_GROUP." ".forge_get_config('homedir_prefix')."/".$uname);
+ system("chown $uname:" . USER_DEFAULT_GROUP . " " . $uhome);
}
-//test if the FTP upload dir exists and create it if not
-if (!is_dir(forge_get_config('ftp_upload_dir'))) {
- @mkdir(forge_get_config('ftp_upload_dir'), 0755, true);
-}
+/* create project/group homes */
-//
-// Read in the template file
-//
-$fo=fopen(dirname(__FILE__).'/../utils/default_page.php','r');
-$default_contents = '';
-if (!$fo) {
- $err .= 'Default Page Not Found';
-} else {
- while (!feof($fo)) {
- $default_contents .= fread($fo, 8192);
+foreach ($active_projects as $project) {
+ $groupname = $project->getUnixName() ;
+
+ if ($fpfx && !is_dir($fpfx . '/' . $groupname)) {
+ @mkdir($fpfx . '/' . $groupname);
+ //XXX chown/chgrp/chmod?
}
- fclose($fo);
-}
-function create_dirs_and_files($params) {
- $project = $params['project'];
- $groupname = $project->getUnixName();
- $default_contents = $parmas['default_contents'];
-
- mkdir(forge_get_config('groupdir_prefix')."/".$groupname."/htdocs");
- mkdir(forge_get_config('groupdir_prefix')."/".$groupname."/cgi-bin");
-
- $contents = $default_contents;
- //
- // Change some defaults in the template file
- //
- $contents=str_replace('##comment##', _('Default Web Page for groups that haven\'t setup their page yet'), $contents);
- $contents=str_replace('##purpose##', _('Please replace this file with your own website'), $contents);
- $contents=str_replace('##welcome_to##', sprintf(_('Welcome to %s'), $project->getPublicName()), $contents);
- $contents=str_replace('##body##',
- sprintf(
- _("We're Sorry but this Project hasn't yet uploaded their personal webpage yet. <br /> Please check back soon for updates or visit <a href=\"%s\">the project page</a>."),
- util_make_url ('/projects/'.$project->getUnixName())),
- $contents);
- //
- // Write the file back out to the project home dir
- //
- $fw=fopen(forge_get_config('groupdir_prefix')."/".$groupname."/htdocs/index.html",'w');
- fwrite($fw,$contents);
- fclose($fw);
-
- if (forge_get_config('use_manual_uploads')) {
- $incoming = forge_get_config('groupdir_prefix')."/".$groupname."/incoming" ;
- if (!is_dir($incoming))
- {
- mkdir($incoming);
+ $ghome = $gpfx . '/' . $groupname;
+ if (!is_dir($ghome)) {
+ @mkdir($ghome);
+ /* this is safe as this directory still belongs to root */
+ @mkdir($ghome . '/htdocs');
+ @mkdir($ghome . '/cgi-bin');
+
+ /* write substituted template to group home */
+ if (($fw = fopen($ghome . '/htdocs/index.html', 'w'))) {
+ fwrite($fw, str_replace('##comment##',
+ _('Default Web Page for groups that haven\'t setup their page yet'),
+ str_replace('##purpose##',
+ _('Please replace this file with your own website'),
+ str_replace('##welcome_to##',
+ sprintf(_('Welcome to %s'), $project->getPublicName()),
+ str_replace('##body##',
+ sprintf(_("We're Sorry but this Project hasn't yet uploaded their personal webpage yet. <br /> Please check back soon for updates or visit <a href=\"%s\">the project page</a>."),
+ util_make_url('/projects/' . $project->getUnixName())),
+ $contents)))));
+ fclose($fw);
}
- }
-}
-foreach($active_projects as $project) {
- $groupname = $project->getUnixName();
- //create an FTP upload dir for this project
- if (forge_get_config('use_ftp_uploads')) {
- if (!is_dir(forge_get_config('ftp_upload_dir').'/'.$groupname)) {
- @mkdir(forge_get_config('ftp_upload_dir').'/'.$groupname);
+ if (forge_get_config('use_manual_uploads')) {
+ @mkdir($ghome . '/incoming');
}
- }
- if (!is_dir(forge_get_config('groupdir_prefix')."/".$groupname)) {
- @mkdir(forge_get_config('groupdir_prefix')."/".$groupname);
- system("chown ".forge_get_config('apache_user').":".forge_get_config('apache_group')." ".forge_get_config('groupdir_prefix')."/".$groupname);
+ //system('chmod -R ug=rwX,o=rX ' . $ghome);
+ system('chown -R ' . forge_get_config('apache_user') . ':' .
+ forge_get_config('apache_group') . ' ' . $ghome);
+ // find $ghome -type d -print0 | xargs -0 chmod g+s
+ //XXX disabled because, why is this owned by apache_group?
}
-
- $params = array();
- $params['project'] = $project;
- $params['default_contents'] = $default_contents;
-
- util_sudo_effective_user(forge_get_config('apache_user'),
- "create_dirs_and_files",
- $params);
}
cron_entry(25,$err);
-
-?>
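Review bot: The rewritten `chown` commands still interpolate `$uhome` and `$ghome` (both built from unix names) into a shell string; `system('chown ' . escapeshellarg("$uname:" . USER_DEFAULT_GROUP) . ' ' . escapeshellarg($uhome));` and the same treatment for the `chown -R` keep the command intact should a name ever contain shell metacharacters. `@mkdir($ghome)` is not checked, so if it fails the following `mkdir`/`fopen`/`chown -R` act on a path that does not exist; `if (@mkdir($ghome)) { … }` around the block is the minimal guard. The removed `create_dirs_and_files()` ran under `util_sudo_effective_user(forge_get_config('apache_user'), ...)` so that files were created as the web user, whereas the new code creates as the cron user and then `chown -R`; the comment "this is safe as this directory still belongs to root" holds only because of the `!is_dir($ghome)` guard, and it appears to mean that existing group directories missing `htdocs`, `cgi-bin` or `incoming` are no longer repaired on later runs, which the old per-project call did — worth confirming that is intended.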
$d->execute();
my $user_list = "";
-
+
while($user_name = $d->fetchrow()) {
$user_list .= "$user_name,";
}
while ($ln = pop(@groupdump_array)) {
chop($ln);
($gname, $gstatus, $gid, $is_public, $userlist) = split(":", $ln);
-
+
$userlist =~ tr/A-Z/a-z/;
$group_exists = (-d $grpdir_prefix .'/'. $gname);
if ($gstatus eq 'A' && $group_exists) {
update_group($gid, $gname, $is_public, $userlist);
-
+
} elsif ($gstatus eq 'A' && !$group_exists) {
add_group($gid, $gname, $is_public, $userlist);
-
+
} elsif ($gstatus eq 'D' && $group_exists) {
delete_group($gname);
- }
+ }
}
###############################################
###############################################
## Become this effective user (EUID/EGID) and perform this action.
-##
+##
## This protect against symlink attacks; they are inevitable when
## working in a directory owned by a local user. We could naively
## check for the presence of symlinks, but then we'd still be
## vulnerable to a symlink race attack.
-##
+##
## We'll use set_e_uid/set_e_gid for efficiency and simplicity
## (e.g. we can get the return value directly), which is enough for
## opening files and similar basic operations. When calling external
## programs, you should use fork&exec&setuid/setgid.
-##
+##
# arg1: username
# arg2: a Perl sub{}
sub SudoEffectiveUser {
my ($uid,$gid) = GetUserUidGid($user);
if ($uid eq "" or $gid eq "") {
- print "Unknown user: $user";
+ print "Unknown user: $user\n";
return;
}
#############################
# Group Add Function
#############################
-sub add_group {
+sub add_group {
my ($gid, $gname, $is_public, $userlist) = @_;
my ($log_dir, $cgi_dir, $ht_dir);
my ($default_perms) ;
my ($file_default_perms) ;
my ($default_page) ;
-
+
$group_dir = $grpdir_prefix."/".$gname;
$log_dir = $group_dir."/log";
$cgi_dir = $group_dir."/cgi-bin";
$default_perms = 02770 ;
$file_default_perms = 0660;
$default_page = "/usr/share/gforge/lib/private_default_page.php" ;
+ if (! -e $default_page) {
+ $default_page = "/usr/share/gforge/lib/default_page.php";
+ }
}
-
+ $incdir_perms = 02775;
+
if ($verbose) {print("Making a Group for : $gname\n")};
-
+
if (mkdir $group_dir, $default_perms) {
chown $dummy_uid, $gid, $group_dir ;
- SudoEffectiveUser($dummy_uid, sub {
+ SudoEffectiveUser($dummy_user, sub {
mkdir $log_dir, $default_perms ;
mkdir $cgi_dir, $default_perms ;
mkdir $ht_dir, $default_perms ;
chmod $default_perms, $log_dir;
chmod $default_perms, $cgi_dir;
chmod $default_perms, $ht_dir;
- chmod $default_perms, $inc_dir;
- chmod $file_default_perms, "$ht_dir/index.php";
- });
+ chmod $incdir_perms, $inc_dir;
+ chmod 0664, "$ht_dir/index.php";
+ });
}
}
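Review bot: Passing `$dummy_user` instead of `$dummy_uid` to `SudoEffectiveUser()` matches that sub's `arg1: username` contract, but the sub only prints and returns when the user cannot be resolved, so a misconfigured `$dummy_user` silently skips the whole mkdir/chmod closure and leaves the group directory with only its top-level `mkdir`; make the unknown-user path `die` or check what `SudoEffectiveUser()` returns — the same applies to the `update_group` hunk below. `$incdir_perms = 02775;` is a new package global written without `my` in both subs, while the other per-group variables are declared with `my` at the top of each sub; `my $incdir_perms = 02775;` keeps the scoping consistent. With `chmod 0664, "$ht_dir/index.php"` now a literal, `$file_default_perms` is no longer read inside add_group and, unless something outside the hunk uses it, its declaration and assignment can go.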
my ($log_dir, $cgi_dir, $ht_dir);
my ($realuid, $realgid);
my ($default_perms);
-
+
$group_dir = $grpdir_prefix.'/'.$gname;
$log_dir = $group_dir."/log";
$cgi_dir = $group_dir."/cgi-bin";
} else {
$default_perms = 02771 ;
}
+ $incdir_perms = 02775;
if ($verbose) {print("Updating Group: $gname\n")};
-
+
chown $dummy_uid, $gid, $group_dir;
- SudoEffectiveUser($dummy_uid, sub {
+ SudoEffectiveUser($dummy_user, sub {
chmod $default_perms, $group_dir;
chmod $default_perms, $log_dir;
chmod $default_perms, $cgi_dir;
chmod $default_perms, $ht_dir;
- chmod $default_perms, $inc_dir;
- });
+ chmod $incdir_perms, $inc_dir;
+ });
}
#############################
my ($gname, $x, $gid, $userlist, $counter);
my $this_group = shift(@_);
$counter = 0;
-
+
if (substr($hostname,0,3) ne "cvs") {
if ($verbose) {print("Deleting Group: $this_group\n")};
system("/bin/mv /var/lib/gforge/chroot/home/groups/$this_group /var/lib/gforge/chroot/home/groups/deleted_group_$this_group");