run pveproxy as unpriviledged user (www-data)
We log to /var/log/pveproxy/access.log. Extra directory is needed because we run as www-data (no permissions to write into /var/log/pve/).
This commit is contained in:
Dietmar Maurer
parent
026fd9cf6e
commit
3dad8dc716
2
Makefile
2
Makefile
@ -72,6 +72,8 @@ aplupload:
|
||||
|
||||
.PHONY: install
|
||||
install: country.dat vznet.conf vzdump.conf vzdump-hook-script.pl
|
||||
install -d -m 0700 -o www-data -g www-data ${DESTDIR}/var/log/pveproxy
|
||||
install -D -m 0644 debian/pve.logrotate ${DESTDIR}/etc/logrotate.d/pve
|
||||
install -d ${DESTDIR}/usr/share/${PACKAGE}
|
||||
install -d ${DESTDIR}/usr/share/man/man1
|
||||
install -d ${DOCDIR}/examples
|
||||
|
||||
@ -704,10 +704,11 @@ sub start_workers {
|
||||
sleep (1);
|
||||
} elsif ($pid) { #parent
|
||||
$workers->{$pid} = 1;
|
||||
$0 = "$0 worker";
|
||||
syslog('info', "worker $pid started");
|
||||
$need--;
|
||||
} else {
|
||||
$0 = "$0 worker";
|
||||
|
||||
$SIG{TERM} = $SIG{QUIT} = sub {
|
||||
$child_terminate = 1;
|
||||
};
|
||||
|
||||
@ -15,13 +15,18 @@ PATH=/sbin:/bin:/usr/bin:/usr/sbin
|
||||
DAEMON=/usr/bin/pveproxy
|
||||
NAME=pveproxy
|
||||
DESC="PVE API Proxy Server"
|
||||
PIDFILE=/var/run/pveproxy.pid
|
||||
RUNDIR=/var/run/pveproxy
|
||||
PIDFILE=${RUNDIR}/pveproxy.pid
|
||||
|
||||
test -f $DAEMON || exit 0
|
||||
|
||||
# avoid warnings about uninstalled locales when pveproxy executes commands
|
||||
export LC_ALL="C"
|
||||
|
||||
mkdir -p ${RUNDIR} || true
|
||||
chmod 0700 ${RUNDIR} || true
|
||||
chown www-data:www-data ${RUNDIR} || true
|
||||
|
||||
case "$1" in
|
||||
start)
|
||||
log_daemon_msg "Starting $DESC" "$NAME"
|
||||
|
||||
@ -49,9 +49,7 @@ eval {
|
||||
lockfile => $lockfile,
|
||||
keep_alive => 100,
|
||||
max_conn => 500,
|
||||
max_requests => 1000,
|
||||
logfile => '/var/log/pve/pvedaemon.log', # fixme?
|
||||
);
|
||||
max_requests => 1000);
|
||||
};
|
||||
|
||||
my $err = $@;
|
||||
|
||||
16
bin/pveproxy
16
bin/pveproxy
@ -6,6 +6,7 @@ delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};
|
||||
|
||||
use lib '..'; # fixme
|
||||
use strict;
|
||||
use English;
|
||||
use Getopt::Long;
|
||||
use POSIX ":sys_wait_h";
|
||||
use Socket;
|
||||
@ -21,7 +22,7 @@ use File::Find;
|
||||
use Data::Dumper;
|
||||
|
||||
|
||||
my $pidfile = "/var/run/pveproxy.pid";
|
||||
my $pidfile = "/var/run/pveproxy/pveproxy.pid";
|
||||
my $lockfile = "/var/lock/pveproxy.lck";
|
||||
|
||||
my $opt_debug;
|
||||
@ -42,6 +43,16 @@ $SIG{'__WARN__'} = sub {
|
||||
|
||||
$0 = "pveproxy";
|
||||
|
||||
# run as www-data
|
||||
my $gid = getgrnam('www-data') || die "getgrnam failed - $!\n";
|
||||
POSIX::setgid($gid) || die "setgid $gid failed - $!\n";
|
||||
$EGID = "$gid $gid"; # this calls setgroups
|
||||
my $uid = getpwnam('www-data') || die "getpwnam failed - $!\n";
|
||||
POSIX::setuid($uid) || die "setuid $uid failed - $!\n";
|
||||
|
||||
# just to be sure
|
||||
die "detected strange uid/gid\n" if !($UID == $uid && $EUID == $uid && $GID eq "$gid $gid" && $EGID eq "$gid $gid");
|
||||
|
||||
PVE::APIDaemon::enable_debug() if $opt_debug;
|
||||
|
||||
sub add_dirs {
|
||||
@ -77,7 +88,7 @@ eval {
|
||||
max_conn => 500,
|
||||
max_requests => 1000,
|
||||
trusted_env => 0, # not trusted, anyone can connect
|
||||
logfile => '/var/log/pve/access.log',
|
||||
logfile => '/var/log/pveproxy/access.log',
|
||||
lockfile => $lockfile,
|
||||
ssl => {
|
||||
key_file => '/etc/pve/local/pve-ssl.key',
|
||||
@ -103,6 +114,7 @@ if ($err) {
|
||||
exit (-1);
|
||||
}
|
||||
|
||||
|
||||
if ($opt_debug || !($cpid = fork ())) {
|
||||
|
||||
$SIG{PIPE} = 'IGNORE';
|
||||
|
||||
1
debian/conffiles
vendored
1
debian/conffiles
vendored
@ -7,3 +7,4 @@
|
||||
/etc/cron.daily/pve
|
||||
/etc/vz/vznet.conf
|
||||
/etc/vzdump.conf
|
||||
/etc/logrotate.d/pve
|
||||
|
||||
2
debian/control.in
vendored
2
debian/control.in
vendored
@ -3,7 +3,7 @@ Version: @VERSION@-@PACKAGERELEASE@
|
||||
Section: admin
|
||||
Priority: optional
|
||||
Architecture: amd64
|
||||
Depends: perl5, libtimedate-perl, libauthen-pam-perl, libintl-perl, rsync, libjson-perl, liblockfile-simple-perl, vncterm, qemu-server (>= 1.1-1), libwww-perl (>= 6.04-1), libnet-http-perl (>= 6.06-1), libhttp-daemon-perl, wget, libnet-dns-perl, vlan, ifenslave-2.6 (>= 1.1.0-10), liblinux-inotify2-perl, debconf (>= 0.5) | debconf-2.0, netcat-traditional, pve-cluster (>= 1.0-29), libpve-common-perl, libpve-storage-perl, libterm-readline-gnu-perl, libpve-access-control, libio-socket-ssl-perl, libfilesys-df-perl, libfile-readbackwards-perl, libfile-sync-perl, redhat-cluster-pve, resource-agents-pve, fence-agents-pve, cstream, postfix | mail-transport-agent, libxml-parser-perl, lzop, dtach, libanyevent-perl, libio-compress-perl, liburi-perl
|
||||
Depends: perl5, libtimedate-perl, libauthen-pam-perl, libintl-perl, rsync, libjson-perl, liblockfile-simple-perl, vncterm, qemu-server (>= 1.1-1), libwww-perl (>= 6.04-1), libnet-http-perl (>= 6.06-1), libhttp-daemon-perl, wget, libnet-dns-perl, vlan, ifenslave-2.6 (>= 1.1.0-10), liblinux-inotify2-perl, debconf (>= 0.5) | debconf-2.0, netcat-traditional, pve-cluster (>= 1.0-29), libpve-common-perl, libpve-storage-perl, libterm-readline-gnu-perl, libpve-access-control, libio-socket-ssl-perl, libfilesys-df-perl, libfile-readbackwards-perl, libfile-sync-perl, redhat-cluster-pve, resource-agents-pve, fence-agents-pve, cstream, postfix | mail-transport-agent, libxml-parser-perl, lzop, dtach, libanyevent-perl, libio-compress-perl, liburi-perl, logrotate
|
||||
Conflicts: netcat-openbsd, vzdump
|
||||
Replaces: vzdump
|
||||
Provides: vzdump
|
||||
|
||||
13
debian/pve.logrotate
vendored
Normal file
13
debian/pve.logrotate
vendored
Normal file
@ -0,0 +1,13 @@
|
||||
/var/log/pveproxy/access.log {
|
||||
rotate 7
|
||||
daily
|
||||
missingok
|
||||
compress
|
||||
delaycompress
|
||||
notifempty
|
||||
create 640 www-data www-data
|
||||
sharedscripts
|
||||
postrotate
|
||||
/etc/init.d/pveproxy reload > /dev/null
|
||||
endscript
|
||||
}
|
||||
Loading…
x
Reference in New Issue
Block a user