popufare/busunit/scripts/fix_pkg_perm.sh

#!/bin/sh
#
# Copyright (c) 2019 Clementine Computing LLC.
#
# This file is part of PopuFare.
#
# PopuFare is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# PopuFare is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with PopuFare.  If not, see <https://www.gnu.org/licenses/>.
#

. /home/bus/bin/common_values.sh

#    This script takes two parameters, first is a tarball, and the second is the target directory it was extracted to.
#when supplied with this information, this script updates the ownership and permissions on everything to be correct.  This
#is pretty much only done for things which live in /home/bus/bin/ and for special SSH related files and directores.
#
#    See common_values.sh:
#       PACKAGE_*_PATTERN, PACKAGE_*_PERMISSIONS contain regexes to match each filespec from the
#     tarball against.  If they match, the matching _PERMISSIONS variable holds the permissions that will
#     be set.  Also, each file coming out of the tarball is given (with chown) to the user and group specified
#     by PACKAGE_OWNER_STRING.
#
# When called with parameters, it processes the tarball first, and even without parameters it will examine the environment
#and iterate through any existing files defined in ALWAYS_*_LIST and apply PACKAGE_*_PERMISSIONS to them.  This is an insurance
#policy against forgotten execute bits and overly permissive settings on directories containing ssh authorized_keys or id_rsa 
#files which might cause ssh or sshd to refuse to allow us to make or accept connections (bye-bye updates!).  Thus we want to
#be extremely careful to prevent this snafu and have the scripts fix it right away if it occurs.

tarball="$1"
reldir="$2"

olddir="`pwd`"

pat_vars="`set | egrep '^PACKAGE_[A-Z_]+_PATTERN=' | sed -r 's/^PACKAGE_([A-Z_]+)_PATTERN=.*$/\1/'`"
always_vars="`set | egrep '^ALWAYS_[A-Z_]+_LIST=' | sed -r 's/^ALWAYS_([A-Z_]+)_LIST=.*$/\1/'`"

if [ -f "$olddir/$tarball" ]; then

  cd $reldir
  tar -ztf $olddir/$tarball |
  while read filespec; do

    if [ -n "$PACKAGE_OWNER_STRING" ]; then
      chown $PACKAGE_OWNER_STRING $filespec
    fi

    for i in $pat_vars; do
      patvar="PACKAGE_${i}_PATTERN";
      permvar="PACKAGE_${i}_PERMISSIONS";

      if (echo "$filespec" | egrep -q "${!patvar}"); then
        chmod ${!permvar} $filespec
      fi
    done
  done
fi

cd /

for grp in $always_vars; do
  filesvar="ALWAYS_${grp}_LIST";
  permvar="PACKAGE_${grp}_PERMISSIONS";

  for fil in ${!filesvar}; do

    if [ -e "$fil" ]; then
      if [ -n "$PACKAGE_OWNER_STRING" ]; then
        chown $PACKAGE_OWNER_STRING $fil
      fi

      chmod ${!permvar} $fil
    fi

  done

done

cd $olddir