From 926c5e530b5c0d1319c362d9a757628bf67b2e13 Mon Sep 17 00:00:00 2001
From: Andriy Utkin
Date: Thu, 23 Nov 2023 23:08:00 +0000
Subject: [PATCH 1/3] scripts/check_dir_permission.sh: mark executable

---
 scripts/check_dir_permission.sh | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 mode change 100644 => 100755 scripts/check_dir_permission.sh

diff --git a/scripts/check_dir_permission.sh b/scripts/check_dir_permission.sh
old mode 100644
new mode 100755

From 23eb3963564b34afcafa23a71264d1d0cdbc32ff Mon Sep 17 00:00:00 2001
From: Andriy Utkin
Date: Fri, 24 Nov 2023 00:16:00 +0000
Subject: [PATCH 2/3] Add sudoers rule for check_dir_permission.sh

---
 misc/postinstall.sh | 4 +---
 misc/sudoers.d/www-data | 2 ++
 2 files changed, 3 insertions(+), 3 deletions(-)
 create mode 100644 misc/sudoers.d/www-data

diff --git a/misc/postinstall.sh b/misc/postinstall.sh
index 12157cbe..a00c5684 100755
--- a/misc/postinstall.sh
+++ b/misc/postinstall.sh
@@ -150,9 +150,7 @@ case "$1" in
  # Allow update_subdomain_certs.sh script to run as www-data
  chown root:www-data /usr/share/bluecherry/scripts/update_subdomain_certs.sh
  chmod 550 /usr/share/bluecherry/scripts/update_subdomain_certs.sh
- echo "www-data ALL=(ALL) NOPASSWD: /usr/share/bluecherry/scripts/update_subdomain_certs.sh" \
- > /etc/sudoers.d/www-data
- chmod 0440 /etc/sudoers.d/www-data
+ install --mode ug=r,o= /usr/share/bluecherry/sudoers.d/www-data /etc/sudoers.d/www-data
 
  mkdir -p /usr/share/bluecherry/ssl
  cp /etc/ssl/certs/ssl-cert-snakeoil.pem /usr/share/bluecherry/ssl/bluecherry-snakeoil.pem
diff --git a/misc/sudoers.d/www-data b/misc/sudoers.d/www-data
new file mode 100644
index 00000000..f3f197f0
--- /dev/null
+++ b/misc/sudoers.d/www-data
@@ -0,0 +1,2 @@
+www-data ALL=(ALL) NOPASSWD: /usr/share/bluecherry/scripts/update_subdomain_certs.sh
+www-data ALL=(ALL) NOPASSWD: /usr/share/bluecherry/scripts/check_dir_permission.sh

From ec776688ba93daaa76a4cb22193511843c5b63cd Mon Sep 17 00:00:00 2001
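Review bot: The sudoers file installed by the new `install` line grants www-data passwordless root execution of check_dir_permission.sh, but this hunk only hardens update_subdomain_certs.sh (the `chown root:www-data` / `chmod 550` context lines above the change); check_dir_permission.sh gets no ownership or mode restriction here, so if it is ever writable by www-data the NOPASSWD rule turns that into a root escalation — unless that hardening lives elsewhere in postinstall.sh, which this hunk does not show. Add the matching pair before the install, `chown root:www-data /usr/share/bluecherry/scripts/check_dir_permission.sh` and `chmod 550 /usr/share/bluecherry/scripts/check_dir_permission.sh`. The `install` invocation leaves ownership to defaults, and sudo rejects sudoers.d files not owned by uid 0, so state it explicitly: `install --owner root --group root --mode ug=r,o= /usr/share/bluecherry/sudoers.d/www-data /etc/sudoers.d/www-data`. A `visudo -cf /etc/sudoers.d/www-data` check after the install would catch a malformed file before it breaks sudo for every account on the host. The enclosing `case "$1" in` arm starts and ends outside the hunk.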
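Review bot: Both rules in the new file use `(ALL)` as the run-as user, which allows www-data to run these scripts as any account on the system, while the purpose stated in the postinstall comment only needs root; narrow them to `www-data ALL=(root) NOPASSWD: /usr/share/bluecherry/scripts/update_subdomain_certs.sh` and `www-data ALL=(root) NOPASSWD: /usr/share/bluecherry/scripts/check_dir_permission.sh`. Neither rule constrains arguments, so whatever the web process passes reaches a root-executed shell script; whether that is acceptable depends on how check_dir_permission.sh validates its input, which this patch does not show, and is worth a look before merging. A header comment would also help the next maintainer understand why this file exists, e.g. `# Scripts the web UI (www-data) may run as root; both must stay root-owned and non-writable by www-data`.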
From: Andriy Utkin
Date: Fri, 24 Nov 2023 01:40:26 +0000
Subject: [PATCH 3/3] Make default recordings dir writable also for webserver

Issue https://github.com/bluecherrydvr/bluecherry-apps/issues/620 arises because the dir exists, is owned by bluecherry:bluecherry, but is by default writable only by owning user, but not the owning group. Fix this here in docker image building code.

root@df79d5606903:~# sudo -u www-data php -r "echo is_writable('/var/lib/bluecherry/recordings') ? 'writable' : 'not writable';"; echo
not writable
root@df79d5606903:~# sudo -u www-data touch /var/lib/bluecherry/recordings/www-data.was.here
touch: cannot touch '/var/lib/bluecherry/recordings/www-data.was.here': Permission denied
root@df79d5606903:~# id
uid=0(root) gid=0(root) groups=0(root)
root@df79d5606903:~# id www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data),4(adm),20(dialout),29(audio),44(video),999(bluecherry)
root@df79d5606903:~# ls -l /var/lib/bluecherry/recordings -d
drwxr-xr-x 2 bluecherry bluecherry 4096 Nov 24 00:36 /var/lib/bluecherry/recordings
root@df79d5606903:~# chmod g+w /var/lib/bluecherry/recordings
root@df79d5606903:~# ls -l /var/lib/bluecherry/recordings -d
drwxrwxr-x 2 bluecherry bluecherry 4096 Nov 24 00:36 /var/lib/bluecherry/recordings
root@df79d5606903:~# sudo -u www-data touch /var/lib/bluecherry/recordings/www-data.was.here
root@df79d5606903:~# sudo -u www-data php -r "echo is_writable('/var/lib/bluecherry/recordings') ? 'writable' : 'not writable';"; echo
writable
---
 actions/Dockerfile | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/actions/Dockerfile b/actions/Dockerfile
index 7caad5c5..15d232b6 100644
--- a/actions/Dockerfile
+++ b/actions/Dockerfile
@@ -175,7 +175,8 @@ RUN /usr/sbin/groupadd -rf \
  || echo "bluecherry user already exists"
 
 RUN mkdir /recordings \
- && chown bluecherry:bluecherry /recordings
+ && chown bluecherry:bluecherry /recordings \
+ && chmod ug=rwx,o=rx /recordings
 
 EXPOSE 7001/tcp 7002/tcp
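Review bot: The commit message reproduces the problem and the `chmod g+w` fix on /var/lib/bluecherry/recordings, but the hunk changes /recordings; if those are not the same directory at runtime (a symlink or bind mount this Dockerfile excerpt does not show), the build-time chmod will not resolve issue 620, so it is worth confirming the mapping. The explicit mode keeps `o=rx`, which leaves the recordings directory listable by every other account in the container — that matches the pre-existing `drwxr-xr-x` shown in the commit message, but now that the mode is spelled out it should be a deliberate choice, and `o=` would limit access to the bluecherry user and group. Since www-data will now create files here, those files get group www-data rather than bluecherry unless the directory is setgid; if the daemon relies on group access to them, `&& chmod ug=rwx,g+s,o=rx /recordings` keeps new files in the bluecherry group. The `RUN` that creates the bluecherry user begins before the hunk.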