
The branch, feature/run-wui-as-fusionforge-user has been created
        at  cb162b09ed9c71863db9ca08061c8a69e441d0a8 (commit)

- Log -----------------------------------------------------------------
https://scm.fusionforge.org/anonscm/gitweb/?p=fusionforge/fusionforge.git;a=commitdiff;h=cb162b09ed9c71863db9ca08061c8a69e441d0a8

commit cb162b09ed9c71863db9ca08061c8a69e441d0a8
Author: Roland Mas <[email protected]>
Date:   Tue Oct 11 11:08:28 2016 +0200

    Document run-wui-as-fusionforge-user changes

diff --git a/src/CHANGES b/src/CHANGES
index 63abdaf..16029b8 100644
--- a/src/CHANGES
+++ b/src/CHANGES
@@ -11,6 +11,7 @@ FusionForge 6.X:
 * Docman: support document versioning. (TrivialDev)
 * Docman: support cross ref. forum, documents, task or artifact. (TrivialDev)
 * FRS: link package release to tracker roadmap. (TrivialDev)
+* General: web UI now runs as a dedicated user, for better isolation (Roland 
Mas)
 * Layout: new dynamic quickNav menu: based on user activity to select 5 more 
visited projects (TrivialDev)
 * Plugin AuthBuiltin: add captcha after 3 attempts with the same login [#795] 
(TrivialDev)
 * Plugin AuthLDAP: support X_FORWARD_USER to delegate authentication and then 
retry user from LDAP (TrivialDev)

https://scm.fusionforge.org/anonscm/gitweb/?p=fusionforge/fusionforge.git;a=commitdiff;h=d4f1ffe3a4a2152cb09f1db259612e3c583c4464

commit d4f1ffe3a4a2152cb09f1db259612e3c583c4464
Author: Roland Mas <[email protected]>
Date:   Tue Oct 11 11:07:12 2016 +0200

    Removed now-obsolete code

diff --git a/src/common/include/pre.php b/src/common/include/pre.php
index 24c7199..380e6cb 100644
--- a/src/common/include/pre.php
+++ b/src/common/include/pre.php
@@ -39,37 +39,6 @@ if (getStringFromServer('HTTP_X_moz') === 'prefetch'){
        exit;
 }
 
-// Database access and other passwords when on the web
-function setconfigfromenv ($sec, $var, $serv, $env) {
-       if (getenv ('SERVER_SOFTWARE')) {
-               if (function_exists ('apache_request_headers')) {
-                       $headers = apache_request_headers() ;
-               } else {
-                       $headers = array () ;
-               }
-
-               if (isset ($headers[$serv])) {
-                       forge_define_config_item ($var, $sec,
-                                                 $headers[$serv]) ;
-                       return true;
-               }
-       }
-       if (isset ($_ENV[$env])) {
-               forge_define_config_item ($var, $sec,
-                                         getenv($env)) ;
-               return true;
-       }
-       return false;
-}
-
-setconfigfromenv('core', 'database_host', 'FusionForgeDbhost', 'sys_gfdbhost');
-setconfigfromenv('core', 'database_port', 'FusionForgeDbport', 'sys_gfdbport');
-setconfigfromenv('core', 'database_name', 'FusionForgeDbname', 'sys_gfdbname');
-setconfigfromenv('core', 'database_user', 'FusionForgeDbuser', 'sys_gfdbuser');
-setconfigfromenv('core', 'database_password', 'FusionForgeDbpasswd', 
'sys_gfdbpasswd');
-setconfigfromenv('core', 'ldap_password', 'FusionForgeLdapPasswd', 
'sys_gfldap_passwd');
-setconfigfromenv('core', 'session_key', 'FusionForgeSessionKey', 
'sys_session_key');
-
 forge_read_config_file($gfconfig.'/'.$gfcgfile);
 
 if (($ecf = forge_get_config ('extra_config_files')) != NULL) {
diff --git a/src/plugins/sysauthldap/bin/install.sh 
b/src/plugins/sysauthldap/bin/install.sh
index 38f1adc..08ae732 100755
--- a/src/plugins/sysauthldap/bin/install.sh
+++ b/src/plugins/sysauthldap/bin/install.sh
@@ -9,18 +9,11 @@ if [ -x /usr/sbin/slapd ] && [ -x /usr/bin/ldapadd ] ; then
 fi
 
 c=$(forge_get_config config_path)/config.ini.d/sysauthldap-secrets.ini
+system_user=$(forge_get_config system_user)
 if ! [ -e "$c" ] ; then
     touch $c
     chmod 600 $c
+    chown $system_user $c
     echo [sysauthldap] >> $c
     echo ldap_password = CHANGEME >> $c
 fi
-
-f=$(forge_get_config config_path)/httpd.conf.d/plugin-sysauthldap-secrets.inc
-if [ ! -e $f ] ; then
-    cp $(forge_get_config 
source_path)/etc/httpd.conf.d-fhs/plugin-sysauthldap-secrets.inc $f
-    chmod 600 $f
-    PATH=$(forge_get_config binary_path):$PATH manage-apache-config.sh install
-    mv $f.generated $f
-fi
-
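Review bot: The new `chown $system_user $c` sits inside `if ! [ -e "$c" ]`, so on an upgrade where `sysauthldap-secrets.ini` already exists the file keeps its old owner (root, mode 600 from the earlier `chmod`) and the web UI, which now runs as `system_user`, cannot read `ldap_password`. Move the ownership change after the `fi` so it runs on every install, and quote the variables: `chown "$system_user" "$c"`. The deleted block also used to regenerate `plugin-sysauthldap-secrets.inc` from the httpd.conf.d template; if that generated file survives from an older install, Apache would presumably keep injecting the LDAP password into a request header that nothing consumes any more, so I would remove it explicitly on upgrade unless another script already does (not visible from this hunk).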
diff --git a/src/plugins/sysauthldap/common/SysAuthLDAPPlugin.class.php 
b/src/plugins/sysauthldap/common/SysAuthLDAPPlugin.class.php
index 7ffad4e..18e8188 100644
--- a/src/plugins/sysauthldap/common/SysAuthLDAPPlugin.class.php
+++ b/src/plugins/sysauthldap/common/SysAuthLDAPPlugin.class.php
@@ -31,9 +31,6 @@ forge_define_config_item('base_dn', 'sysauthldap', 
'fromhost:$core/web_host');
 forge_define_config_item('bind_dn', 'sysauthldap', 
'cn=admin,$sysauthldap/base_dn');
 forge_define_config_item('password', 'sysauthldap', '');
 
-setconfigfromenv ('sysauthldap', 'ldap_password',
-                        'GForgePluginSysAuthLdapPasswd', NULL);
-
 require_once $gfcommon.'include/SysAuthPlugin.class.php';
 
 class SysAuthLDAPPlugin extends SysAuthPlugin {
diff --git 
a/src/plugins/sysauthldap/etc/httpd.conf.d/plugin-sysauthldap-secrets.inc 
b/src/plugins/sysauthldap/etc/httpd.conf.d/plugin-sysauthldap-secrets.inc
deleted file mode 100644
index 6c3692a..0000000
--- a/src/plugins/sysauthldap/etc/httpd.conf.d/plugin-sysauthldap-secrets.inc
+++ /dev/null
@@ -1,2 +0,0 @@
-RequestHeader unset GForgePluginSysAuthLdapPasswd
-RequestHeader append GForgePluginSysAuthLdapPasswd 
"${FF__sysauthldap__ldap_password}"

https://scm.fusionforge.org/anonscm/gitweb/?p=fusionforge/fusionforge.git;a=commitdiff;h=d5892be8de33a344cdd444479a76c197b38669a0

commit d5892be8de33a344cdd444479a76c197b38669a0
Author: Roland Mas <[email protected]>
Date:   Tue Oct 11 10:51:18 2016 +0200

    Run web UI as a dedicated user
    
    The web interface now runs as a dedicated "fusionforge" user, using ITK.
    By giving that user read permissions to the *.ini files, including the
    ones containing secrets, this removes the need for the HTTP-header trick to
    securely pass secrets from config files to the PHP code.  This means
    that we no longer need to regenerate an Apache config snippet and reload
    Apache whenever a secret changes.

diff --git a/src/etc/httpd.conf.d/vhost-main.inc 
b/src/etc/httpd.conf.d/vhost-main.inc
index 740d0f6..a183481 100644
--- a/src/etc/httpd.conf.d/vhost-main.inc
+++ b/src/etc/httpd.conf.d/vhost-main.inc
@@ -10,6 +10,11 @@ DirectoryIndex index.html index.php
 
 SetEnv FF__core__config_path "${FF__core__config_path}"
 
+SetEnvIf Request_URI . ITKUID=${FF__core__system_user}
+SetEnvIf Request_URI . ITKGID=${FF__core__apache_group}
+AssignUserIDExpr %{reqenv:ITKUID}
+AssignGroupIDExpr %{reqenv:ITKGID}
+
 <IfModule mod_userdir.c>
   UserDir disabled
 </IfModule>
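Review bot: The five new lines carry no comment saying that this vhost now runs under mpm-itk as the forge system user, nor why the `SetEnvIf Request_URI .` indirection is used rather than handing `AssignUserIDExpr` the value directly; I would add above them `# mpm-itk: serve every request of this vhost as FF__core__system_user / FF__core__apache_group; SetEnvIf exports the values as request env so the *IDExpr directives can read them` — assuming that is the intent. One thing I cannot confirm from the hunk and would verify before merging is what ITK does when `FF__core__system_user` is undefined and `reqenv:ITKUID` is empty: the safe outcome is refusing to serve, not silently staying the Apache user with the secrets file unreadable or, worse, readable. Note also that the gid comes from `apache_group`, so anything the UI writes is group-shared with the non-ITK vhosts on the host; the 600-mode secrets files stay private, other writable paths may deserve a look.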
@@ -38,25 +43,6 @@ SetEnv FF__core__config_path "${FF__core__config_path}"
 
   # ...but log the errors to error.log
   php_admin_value log_errors 1
-
-  # Define configuration/env variables for passing passwords and other secrets 
to PHP
-  RequestHeader unset FusionForgeDbhost
-  RequestHeader append FusionForgeDbhost "${FF__core__database_host}"
-
-  RequestHeader unset FusionForgeDbport
-  RequestHeader append FusionForgeDbport "${FF__core__database_port}"
-
-  RequestHeader unset FusionForgeDbname
-  RequestHeader append FusionForgeDbname "${FF__core__database_name}"
-
-  RequestHeader unset FusionForgeDbuser
-  RequestHeader append FusionForgeDbuser "${FF__core__database_user}"
-
-  RequestHeader unset FusionForgeDbpasswd
-  RequestHeader append FusionForgeDbpasswd "${FF__core__database_password}"
-
-  RequestHeader unset FusionForgeSessionKey
-  RequestHeader append FusionForgeSessionKey "${FF__core__session_key}"
 </Directory>
 
 # Directory options for vendor dir (${FF__core__source_path}/vendor
diff --git a/src/post-install.d/common/common.sh 
b/src/post-install.d/common/common.sh
index 9c6e479..9af1771 100755
--- a/src/post-install.d/common/common.sh
+++ b/src/post-install.d/common/common.sh
@@ -20,6 +20,6 @@
 
 source_path=$(forge_get_config source_path)
 
-$source_path/post-install.d/common/ini.sh $1 $2
 $source_path/post-install.d/common/user.sh $1 $2
+$source_path/post-install.d/common/ini.sh $1 $2
 $source_path/post-install.d/common/systasksd.sh $1 $2
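Review bot: The swap of `ini.sh` and `user.sh` has no comment explaining that order now matters, so a later tidy-up could put them back. I would add above the `user.sh` line: `# user.sh must run before ini.sh: ini.sh chowns the secrets file to system_user, so the account has to exist first` — assuming that is the reason, since `ini.sh` in this same series now does `chown $system_user`.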
diff --git a/src/post-install.d/common/ini.sh b/src/post-install.d/common/ini.sh
index d8d7923..997515e 100755
--- a/src/post-install.d/common/ini.sh
+++ b/src/post-install.d/common/ini.sh
@@ -23,6 +23,7 @@ set -e
 
 source_path=$(forge_get_config source_path)
 config_path=$(forge_get_config config_path)
+system_user=$(forge_get_config system_user)
 
 case "$1" in
     configure)
@@ -83,6 +84,7 @@ case "$1" in
                -e "s,@database_user@,$database_user," \
                > $DESTDIR$config_path/config.ini.d/post-install-secrets.ini
            chmod 600 $DESTDIR$config_path/config.ini.d/post-install-secrets.ini
+           chown $system_user 
$DESTDIR$config_path/config.ini.d/post-install-secrets.ini
            sed -i -e '/^@secrets@/ { ' -e 'ecat' -e 'd }' \
                $DESTDIR$config_path/config.ini.d/post-install-secrets.ini 
<<-EOF
                session_key=$session_key
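Review bot: With `chown $system_user` on `post-install-secrets.ini` the web UI process becomes the owner of the file holding `session_key` and the database credentials, and an owner can always `chmod` and rewrite it, so a compromised PHP process can now alter its own secrets (for example repoint the forge at another database) — something the previous root-owned, mode-600 file prevented. If read access is all that is needed, prefer `chown root:"$system_user"` plus `chmod 640` (or a dedicated group the ITK process carries; vhost-main.inc sets the gid to `apache_group`, so that group would expose the file to every non-ITK vhost). Quote the path as well — `chown "$system_user" "$DESTDIR$config_path/config.ini.d/post-install-secrets.ini"` — and check that `chown` is wanted under a non-empty `$DESTDIR`, where staged package builds may run unprivileged or without the account. The enclosing `configure)` case begins outside the hunk.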

-----------------------------------------------------------------------

