
Commit 550fe7da authored by Leigh B Stoller's avatar Leigh B Stoller

Changes for setting the sunlnk flag when OPSVM_ENABLE=1; this has to be done on boss because that is where the actual file systems are.
parent 5edc45cc
......@@ -132,6 +132,7 @@ my $FSPROJROOT = "@FSDIR_PROJ@";
my $FSGROUPROOT = "@FSDIR_GROUPS@";
my $FSSCRATCHROOT = "@FSDIR_SCRATCH@";
# These are duplicated in db/Project.pm.in ...
# Project subdir list
my @DIRLIST = ("exp", "images", "logs", "deltas", "tarfiles", "rpms",
"groups", "tiplogs", "images/sigs", "templates");
......
......@@ -25,10 +25,10 @@ package Project;
use strict;
use Exporter;
use vars qw(@ISA @EXPORT);
use vars qw(@ISA @EXPORT @PROJDIRECTORIES @GROUPDIRECTORIES);
@ISA = "Exporter";
@EXPORT = qw ( );
@EXPORT = qw ();
use libdb;
use libtestbed;
......@@ -60,6 +60,11 @@ my $MAILMANSUPPORT = @MAILMANSUPPORT@;
my $ADDPROJADMINLIST = "$TB/sbin/addprojadminlist";
my $EXPORTS_SETUP = "$TB/sbin/exports_setup";
# These are duplicated in account/accountsetup.in ...
@PROJDIRECTORIES = ("exp", "images", "logs", "deltas", "tarfiles", "rpms",
"groups", "tiplogs", "images/sigs", "templates");
@GROUPDIRECTORIES = ("exp", "images", "logs", "tarfiles", "rpms", "tiplogs");
# Cache of instances to avoid regenerating them.
my %projects = ();
BEGIN { use emutil; emutil::AddCache(\%projects); }
......
......@@ -47,7 +47,9 @@ use Data::Dumper;
use POSIX qw(:signal_h);
# Configure variables.
my $TB = "@prefix@";
my $TB = "@prefix@";
my $OPSVM_ENABLE = @OPSVM_ENABLE@;
my $CHFLAGS = "/bin/chflags";
#
# Store up the list of caches to flush
......@@ -1086,5 +1088,61 @@ sub ReadFile($)
return $contents;
}
#
# Use chflags on certain directories to prevent users from deleting things.
# Just a bandaid on the real problem.
#
sub SetNoDelete($)
{
my ($filename) = @_;
my $useflags = 0;
#
# We use flags to prevent deletion of certain dirs, on FreeBSD 10
# or greater. Note that when OPSVM_ENABLE=1, the file systems are
# actually on boss, not on ops, so have to this here on boss instead.
#
if ($OPSVM_ENABLE) {
if (`uname -r` =~ /^(\d+)\.(\d+)/) {
if ($1 >= 10) {
$useflags = 1;
}
}
}
return 0
if (!$useflags);
system("$CHFLAGS sunlink $filename");
return ($? ? -1 : 0);
}
sub ClearNoDelete($)
{
my ($filename) = @_;
my $useflags = 0;
return 0
if (! -e $filename);
#
# We use flags to prevent deletion of certain dirs, on FreeBSD 10
# or greater. Note that when OPSVM_ENABLE=1, the file systems are
# actually on boss, not on ops, so have to this here on boss instead.
#
if ($OPSVM_ENABLE) {
if (`uname -r` =~ /^(\d+)\.(\d+)/) {
if ($1 >= 10) {
$useflags = 1;
}
}
}
return 0
if (!$useflags);
# Do a recursive change here since we tend to do deletions on the
# top level directories.
system("$CHFLAGS -R nosunlink $filename");
return ($? ? -1 : 0);
}
# _Always_ make sure that this 1 is at the end of the file...
1;
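Review bot: SetNoDelete and ClearNoDelete both hand the shell a single interpolated string, `system("$CHFLAGS sunlink $filename")` and `system("$CHFLAGS -R nosunlink $filename")`, so any space or shell metacharacter in the path changes what runs. The callers in this commit build that path from project and group names and appear to run with elevated privilege, so the list form is the safer default: `system($CHFLAGS, "sunlink", $filename);` and `system($CHFLAGS, "-R", "nosunlink", $filename);`. The FreeBSD version probe is also copied into both subs; a small shared helper would keep the two copies from drifting and give one place to replace the `uname -r` backticks, which resolve through PATH.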
#!/usr/bin/perl -wT
#
# Copyright (c) 2000-2016 University of Utah and the Flux Group.
# Copyright (c) 2000-2016, 2018 University of Utah and the Flux Group.
#
# {{{EMULAB-LICENSE
#
......@@ -57,6 +57,7 @@ my $BUGDBSUPPORT= @BUGDBSUPPORT@;
my $OPSDBSUPPORT= @OPSDBSUPPORT@;
my $TBBASE = "@TBBASE@";
my $TBWWW = "@TBWWW@";
my $OPSVM_ENABLE= @OPSVM_ENABLE@;
my $WITHZFS = @WITHZFS@;
my $ZFS_NOEXPORT= @ZFS_NOEXPORT@;
my $WITHAMD = @WITHAMD@;
......@@ -66,7 +67,6 @@ my $OPSDBCONTROL= "$TB/sbin/opsdb_control";
my $GROUPADD = "/usr/sbin/pw groupadd";
my $ACCOUNTPROXY= "$TB/sbin/accountsetup";
my $EXPORTSSETUP= "$TB/sbin/exports_setup";
my @DIRLIST = ("exp", "images", "logs", "tarfiles", "rpms", "tiplogs");
my $SAVEUID = $UID;
# Locals
......@@ -96,6 +96,7 @@ use libaudit;
use libdb;
use libtestbed;
use User;
use Project;
use Group;
use emutil;
......@@ -272,10 +273,15 @@ if ($pid ne $gid) {
if (! -e $groupdir) {
fatal("Could not access directory $groupdir");
}
foreach my $dir (@DIRLIST) {
emutil::SetNoDelete("$groupdir")
if ($OPSVM_ENABLE);
foreach my $dir (@Project::GROUPDIRECTORIES) {
if (! -e "$groupdir/$dir") {
fatal("Could not access directory $groupdir/$dir");
}
emutil::SetNoDelete("$groupdir/$dir")
if ($OPSVM_ENABLE);
}
# Exotic features
......@@ -295,6 +301,16 @@ if ($pid ne $gid) {
$EUID = 0;
}
}
elsif ($OPSVM_ENABLE) {
emutil::SetNoDelete("$projdir");
emutil::SetNoDelete("$GRPROOT/$pid");
# Also the symlink.
emutil::SetNoDelete("$GRPROOT/$pid/$pid");
foreach my $dir (@Project::PROJDIRECTORIES) {
emutil::SetNoDelete("$projdir/$dir");
}
}
# No email when the project group being created.
if (!$silent && !$group->IsProjectGroup()) {
......
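Review bot: Every `emutil::SetNoDelete(...)` call added here discards the return value, although SetNoDelete returns -1 when chflags fails, so a directory can be left deletable with nothing in the log. The neighbouring existence checks already stop with `fatal(...)`; the flag calls could at least warn, e.g. `emutil::SetNoDelete("$groupdir/$dir") == 0 or print STDERR "Could not set sunlink on $groupdir/$dir\n";`. The same applies to the `emutil::SetNoDelete("$PROJROOT/$pid/$dir")` call in the loop over `@Project::PROJDIRECTORIES` in the next file and to the ClearNoDelete calls in the group-removal script. The `if ($OPSVM_ENABLE)` guards on the calls are also redundant, since SetNoDelete checks the same configure variable itself. The enclosing `if ($pid ne $gid)` block starts outside the hunks shown.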
#!/usr/bin/perl -wT
#
# Copyright (c) 2000-2015 University of Utah and the Flux Group.
# Copyright (c) 2000-2018 University of Utah and the Flux Group.
#
# {{{EMULAB-LICENSE
#
......@@ -82,9 +82,6 @@ my $ADDMMLIST = "$TB/sbin/addmmlist";
my $OPSDBCONTROL = "$TB/sbin/opsdb_control";
my $CLOSEPROJADMINLIST = "$TB/sbin/closeprojadminlist";
my @DIRLIST = ("exp", "images", "logs", "deltas", "tarfiles", "rpms",
"groups", "tiplogs", "images/sigs", "templates");
#
# Untaint the path
#
......@@ -349,10 +346,11 @@ if (! -e "$PROJROOT/$pid") {
fatal("Could not access directory $PROJROOT/$pid");
}
}
foreach my $dir (@DIRLIST) {
foreach my $dir (@Project::PROJDIRECTORIES) {
if (! -e "$PROJROOT/$pid/$dir") {
fatal("Could not access directory $PROJROOT/$pid/$dir");
}
emutil::SetNoDelete("$PROJROOT/$pid/$dir");
}
if (! -e "$GRPROOT/$pid") {
......
#!/usr/bin/perl -wT
#
# Copyright (c) 2000-2016 University of Utah and the Flux Group.
# Copyright (c) 2000-2018 University of Utah and the Flux Group.
#
# {{{EMULAB-LICENSE
#
......@@ -67,6 +67,7 @@ my $ELABINELAB = @ELABINELAB@;
my $MAILMANSUPPORT= @MAILMANSUPPORT@;
my $BUGDBSUPPORT = @BUGDBSUPPORT@;
my $OPSDBSUPPORT = @OPSDBSUPPORT@;
my $OPSVM_ENABLE = @OPSVM_ENABLE@;
my $SSH = "$TB/bin/sshtb";
my $GROUPDEL = "/usr/sbin/pw groupdel";
......@@ -74,6 +75,7 @@ my $DELMMLIST = "$TB/sbin/delmmlist";
my $MODGROUPS = "$TB/sbin/modgroups";
my $OPSDBCONTROL = "$TB/sbin/opsdb_control";
my $ACCOUNTPROXY = "$TB/sbin/accountsetup";
my $EXPORTSSETUP = "$TB/sbin/exports_setup";
#
# Untaint the path
......@@ -95,6 +97,7 @@ use libdb;
use emutil;
use libtestbed;
use User;
use Project;
use Group;
use EmulabFeatures;
......@@ -123,6 +126,7 @@ my $group = Group->Lookup($ARGV[0]);
if (!defined($group)) {
fatal("Could not lookup group object for $ARGV[0]");
}
my $project = $group->GetProject();
my $unix_gid = $group->unix_gid();
my $unix_name = $group->unix_name();
my $pid = $group->pid();
......@@ -220,18 +224,38 @@ if (system("grep -q '^${unix_gid}:' /etc/group")) {
#
$UID = 0;
if ($CONTROL ne $BOSSNODE) {
my $cmdstr;
if ($OPSVM_ENABLE) {
if ($pid eq $gid) {
$cmdstr = "delproject $gid $unix_name";
} else {
$cmdstr = "delgroup $gid $unix_name $pid";
}
emutil::ClearNoDelete("$PROJROOT/$pid");
emutil::ClearNoDelete("$GRPROOT/$pid");
# Also the symlink.
emutil::ClearNoDelete("$GRPROOT/$pid/$pid");
print "Removing group $unix_name ($unix_gid) on $CONTROL.\n";
if (system("$SSH -host $CONTROL $ACCOUNTPROXY $cmdstr")) {
fatal("Could not remove group $unix_name from $CONTROL!");
foreach my $dir (@Project::PROJDIRECTORIES) {
emutil::ClearNoDelete("$PROJROOT/$pid/$dir");
}
}
else {
emutil::ClearNoDelete("$GRPROOT/$pid/$gid");
foreach my $dir (@Project::GROUPDIRECTORIES) {
emutil::ClearNoDelete("$GRPROOT/$pid/$gid/$dir")
}
}
}
print "Removing group $unix_name ($unix_gid) on $CONTROL.\n";
my $cmdstr;
if ($pid eq $gid) {
$cmdstr = "delproject $gid $unix_name";
} else {
$cmdstr = "delgroup $gid $unix_name $pid";
}
print "Removing group $unix_name ($unix_gid) on $CONTROL.\n";
if (system("$SSH -host $CONTROL $ACCOUNTPROXY $cmdstr")) {
fatal("Could not remove group $unix_name from $CONTROL!");
}
#
......
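Review bot: The new block clears the no-unlink flags before the remote `delproject`/`delgroup` runs, and the failure path `fatal("Could not remove group $unix_name from $CONTROL!")` exits without putting them back, so a failed removal leaves the project or group tree with its deletion protection off. Consider re-applying the flags before calling fatal, or recording the decision above the block with a comment such as `# Flags are not restored if the remote delete fails`. Separately, ClearNoDelete already runs `chflags -R`, so the per-subdirectory loops over `@Project::PROJDIRECTORIES` and `@Project::GROUPDIRECTORIES` look redundant after the call on the parent directory, unless those entries can be symlinks that -R does not descend into. Old and new lines are interleaved in this rendering, so the ordering described here is inferred.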