Fix debian9 compat: setpriv is missing --init-groups on debian9

Lupul · Lupul · commit 0aed60fa6ab3 · 2019-11-14T23:38:17.000+02:00
Added a function that handles dropping priv when running cli commands as a normal Hestia user
diff --git a/bin/v-add-fs-archive b/bin/v-add-fs-archive
@@ -52,7 +52,7 @@ for src in $*; do
         src=$(echo "$src"| sed -e "s|/home/$user/||")
 
         # Creating tar.gz archive
-        setpriv --init-groups --reuid "$user" --regid "$user" -- tar -rf "${archive/.gz/}" -C /home/$user $src >/dev/null 2>&1
+        user_exec tar -rf "${archive/.gz/}" -C /home/$user $src >/dev/null 2>&1
         if [ "$?" -ne 0 ]; then
             echo "Error: archive $archive was not created"
             exit 3
@@ -63,7 +63,7 @@ done
 
 # Checking gzip
 if [[ "$archive" =~ \.gz$ ]]; then
-    setpriv --init-groups --reuid "$user" --regid "$user" -- gzip "${archive/.gz/}" >/dev/null 2>&1
+    user_exec gzip "${archive/.gz/}" >/dev/null 2>&1
     if [ "$?" -ne 0 ]; then
         echo "Error: archive $archive was not gziped"
         exit 3
diff --git a/bin/v-add-fs-directory b/bin/v-add-fs-directory
@@ -33,7 +33,7 @@ if [ -z "$(echo $rpath |egrep "^/tmp|^$homedir")" ]; then
 fi
 
 # Adding directory
-setpriv --init-groups --reuid "$user" --regid "$user" -- mkdir -p "$dst_dir" >/dev/null 2>&1
+user_exec mkdir -p "$dst_dir" >/dev/null 2>&1
 if [ $? -ne 0 ]; then
     echo "Error: directory $dst_dir was not created"
     exit 3
diff --git a/bin/v-add-fs-file b/bin/v-add-fs-file
@@ -33,7 +33,7 @@ if [ -z "$(echo $rpath |egrep "^/tmp|^$homedir")" ]; then
 fi
 
 # Creating file
-setpriv --init-groups --reuid "$user" --regid "$user" -- touch "$dst_file" >/dev/null 2>&1
+user_exec touch "$dst_file" >/dev/null 2>&1
 if [ $? -ne 0 ]; then 
     echo "Error: file $dst_file was not created"
     exit 3
diff --git a/bin/v-add-web-domain b/bin/v-add-web-domain
@@ -83,7 +83,7 @@ ln -f -s /var/log/$WEB_SYSTEM/domains/$domain.*log \
     $HOMEDIR/$user/web/$domain/logs/
 
 # Adding domain skeleton
-setpriv --init-groups --reuid "$user" --regid "$user" -- cp -r $WEBTPL/skel/* "$HOMEDIR/$user/web/$domain/" >/dev/null 2>&1
+user_exec cp -r $WEBTPL/skel/* "$HOMEDIR/$user/web/$domain/" >/dev/null 2>&1
 for file in $(find "$HOMEDIR/$user/web/$domain/" -type f); do
     sed -i "s/%domain%/$domain/g" $file
 done
diff --git a/bin/v-change-fs-file-permission b/bin/v-change-fs-file-permission
@@ -40,7 +40,7 @@ if [ -z "$(echo $rpath |egrep "^/tmp|^$homedir")" ]; then
 fi
 
 # Changing file permissions
-setpriv --init-groups --reuid "$user" --regid "$user" -- chmod -R $permissions "$src_file" >/dev/null 2>&1
+user_exec chmod -R $permissions "$src_file" >/dev/null 2>&1
 if [ $? -ne 0 ]; then
     echo "Error: access permission on $src_file was not changed"
     exit 3
diff --git a/bin/v-check-fs-permission b/bin/v-check-fs-permission
@@ -35,7 +35,7 @@ if [ ! -z "$src" ]; then
 fi
 
 # Checking if file has readable permission
-setpriv --init-groups --reuid "$user" --regid "$user" -- ls "$src" > /dev/null 2>&1
+user_exec ls "$src" > /dev/null 2>&1
 if [ $? -ne 0 ]; then
     echo "Error: can't read $src"
     exit 1
diff --git a/bin/v-copy-fs-directory b/bin/v-copy-fs-directory
@@ -47,7 +47,7 @@ if [ -z "$(echo $rpath |egrep "^/tmp|^$homedir")" ]; then
 fi
 
 # Copying directory
-setpriv --init-groups --reuid "$user" --regid "$user" -- cp -rf "$src_dir" "$dst_dir" >/dev/null 2>&1
+user_exec cp -rf "$src_dir" "$dst_dir" >/dev/null 2>&1
 if [ $? -ne 0 ]; then
     echo "Error: directory $src_dir was not copied"
     exit 3
diff --git a/bin/v-copy-fs-file b/bin/v-copy-fs-file
@@ -47,7 +47,7 @@ if [ -z "$(echo $rpath |egrep "^/tmp|^$homedir")" ]; then
 fi
 
 # Copying file
-setpriv --init-groups --reuid "$user" --regid "$user" -- cp "$src_file" "$dst_file" >/dev/null 2>&1
+user_exec cp "$src_file" "$dst_file" >/dev/null 2>&1
 if [ $? -ne 0 ]; then
     echo "Error: file $src_file was not copied"
     exit 3
diff --git a/bin/v-delete-fs-directory b/bin/v-delete-fs-directory
@@ -34,7 +34,7 @@ if [ -z "$(echo $rpath |egrep "^/tmp|^$homedir")" ]; then
 fi
 
 # Deleting directory
-setpriv --init-groups --reuid "$user" --regid "$user" -- rm -rf "$dst_dir" # >/dev/null 2>&1
+user_exec rm -rf "$dst_dir" # >/dev/null 2>&1
 if [ $? -ne 0 ]; then
     echo "Error: directory $dst_dir was not deleted"
     exit 3
diff --git a/bin/v-delete-fs-file b/bin/v-delete-fs-file
@@ -34,7 +34,7 @@ if [ -z "$(echo $rpath |egrep "^/tmp|^$homedir")" ]; then
 fi
 
 # Deleting file
-setpriv --init-groups --reuid "$user" --regid "$user" -- rm -f "$dst_file" >/dev/null 2>&1
+user_exec rm -f "$dst_file" >/dev/null 2>&1
 if [ $? -ne 0 ]; then
     echo "Error: file $dst_file was not deleted"
     exit 3
diff --git a/bin/v-extract-fs-archive b/bin/v-extract-fs-archive
@@ -57,11 +57,11 @@ fi
 if [ ! -z "$(echo $src_file |egrep -i  '.tgz|.tar.gz')" ]; then
     x='yes'
     if [ -z "$test" ] || [ "$test" = "no" ]; then
-        setpriv --init-groups --reuid "$user" --regid "$user" -- mkdir -p "$dst_dir" >/dev/null 2>&1
-        setpriv --init-groups --reuid "$user" --regid "$user" -- tar -xzf "$src_file" -C "$dst_dir" --no-wildcards "$selected_dir" $tar_strip_level >/dev/null 2>&1
+        user_exec mkdir -p "$dst_dir" >/dev/null 2>&1
+        user_exec tar -xzf "$src_file" -C "$dst_dir" --no-wildcards "$selected_dir" $tar_strip_level >/dev/null 2>&1
         rc=$?
     else
-        setpriv --init-groups --reuid "$user" --regid "$user" -- tar -tf "$src_file" --no-wildcards "$selected_dir" >/dev/null 2>&1
+        user_exec tar -tf "$src_file" --no-wildcards "$selected_dir" >/dev/null 2>&1
         rc=$?
     fi
 
@@ -71,63 +71,63 @@ fi
 if [ ! -z "$(echo $src_file |egrep -i  '.tbz|.tar.bz')" ]; then
     x='yes'
     if [ -z "$test" ] || [ "$test" = "no" ]; then
-        setpriv --init-groups --reuid "$user" --regid "$user" -- mkdir -p "$dst_dir" >/dev/null 2>&1
-        setpriv --init-groups --reuid "$user" --regid "$user" -- tar -xjf "$src_file" -C "$dst_dir" --no-wildcards "$selected_dir" $tar_strip_level >/dev/null 2>&1
+        user_exec mkdir -p "$dst_dir" >/dev/null 2>&1
+        user_exec tar -xjf "$src_file" -C "$dst_dir" --no-wildcards "$selected_dir" $tar_strip_level >/dev/null 2>&1
         rc=$?
     else
-        setpriv --init-groups --reuid "$user" --regid "$user" -- tar -tf "$src_file" --no-wildcards "$selected_dir" >/dev/null 2>&1
+        user_exec tar -tf "$src_file" --no-wildcards "$selected_dir" >/dev/null 2>&1
         rc=$?
     fi
 fi
 
 # Extracting gziped file
 if [ ! -z "$(echo $src_file |grep -i  '.gz')" ] && [ -z "$x" ]; then
-    setpriv --init-groups --reuid "$user" --regid "$user" -- mkdir -p "$dst_dir" >/dev/null 2>&1
-    setpriv --init-groups --reuid "$user" --regid "$user" -- mv "$src_file" "$dst_dir" >/dev/null 2>&1
-    setpriv --init-groups --reuid "$user" --regid "$user" -- gzip -d "$dst_dir/$(basename $src_file)" >/dev/null 2>&1
+    user_exec mkdir -p "$dst_dir" >/dev/null 2>&1
+    user_exec mv "$src_file" "$dst_dir" >/dev/null 2>&1
+    user_exec gzip -d "$dst_dir/$(basename $src_file)" >/dev/null 2>&1
     rc=$?
 fi
 
 # Extracting bziped file
 if [ ! -z "$(echo $src_file |grep -i  '.bz')" ] && [ -z "$x" ]; then
-    setpriv --init-groups --reuid "$user" --regid "$user" -- mkdir -p "$dst_dir" >/dev/null 2>&1
-    setpriv --init-groups --reuid "$user" --regid "$user" -- mv "$src_file" "$dst_dir"# >/dev/null 2>&1
-    setpriv --init-groups --reuid "$user" --regid "$user" -- bzip2 -d "$dst_dir/$(basename $src_file)" >/dev/null 2>&1
+    user_exec mkdir -p "$dst_dir" >/dev/null 2>&1
+    user_exec mv "$src_file" "$dst_dir"# >/dev/null 2>&1
+    user_exec bzip2 -d "$dst_dir/$(basename $src_file)" >/dev/null 2>&1
     rc=$?
 fi
 
 # Extracting ziped archive
 if [ ! -z "$(echo $src_file |grep -i  '.zip')" ]; then
-    setpriv --init-groups --reuid "$user" --regid "$user" -- mkdir -p "$dst_dir" >/dev/null 2>&1
-    setpriv --init-groups --reuid "$user" --regid "$user" -- unzip "$src_file" -d "$dst_dir" >/dev/null 2>&1
+    user_exec mkdir -p "$dst_dir" >/dev/null 2>&1
+    user_exec unzip "$src_file" -d "$dst_dir" >/dev/null 2>&1
     rc=$?
 fi
 
 # Extracting ziped archive
 if [ ! -z "$(echo $src_file |grep -i  '.7z')" ]; then
-    setpriv --init-groups --reuid "$user" --regid "$user" -- mkdir -p "$dst_dir" >/dev/null 2>&1
-    setpriv --init-groups --reuid "$user" --regid "$user" -- mv "$src_file" "$dst_dir" >/dev/null 2>&1
-    setpriv --init-groups --reuid "$user" --regid "$user" -- p7zip -d "$src_file" >/dev/null 2>&1
+    user_exec mkdir -p "$dst_dir" >/dev/null 2>&1
+    user_exec mv "$src_file" "$dst_dir" >/dev/null 2>&1
+    user_exec p7zip -d "$src_file" >/dev/null 2>&1
     rc=$?
 fi
 
 # Extracting tared archive
 if [ ! -z "$(echo $src_file |grep -i '.tar')" ] && [ -z "$x" ]; then
     x='yes'
     if [ -z "$test" ] || [ "$test" = "no" ]; then
-        setpriv --init-groups --reuid "$user" --regid "$user" -- mkdir -p "$dst_dir" >/dev/null 2>&1
-        setpriv --init-groups --reuid "$user" --regid "$user" -- tar -xf "$src_file" -C "$dst_dir" --no-wildcards "$selected_dir" $tar_strip_level >/dev/null 2>&1
+        user_exec mkdir -p "$dst_dir" >/dev/null 2>&1
+        user_exec tar -xf "$src_file" -C "$dst_dir" --no-wildcards "$selected_dir" $tar_strip_level >/dev/null 2>&1
         rc=$?
     else
-        setpriv --init-groups --reuid "$user" --regid "$user" -- tar -tf "$src_file" --no-wildcards "$selected_dir" >/dev/null 2>&1
+        user_exec tar -tf "$src_file" --no-wildcards "$selected_dir" >/dev/null 2>&1
         rc=$?
     fi
 fi
 
 # Extracting rared archive
 if [ ! -z "$(echo $src_file |grep -i  '.rar')" ]; then
-    setpriv --init-groups --reuid "$user" --regid "$user" -- mkdir -p "$dst_dir" >/dev/null 2>&1
-    setpriv --init-groups --reuid "$user" --regid "$user" -- unrar "$src_file"  "$dst_dir" >/dev/null 2>&1
+    user_exec mkdir -p "$dst_dir" >/dev/null 2>&1
+    user_exec unrar "$src_file"  "$dst_dir" >/dev/null 2>&1
     rc=$?
 fi
 
diff --git a/bin/v-get-fs-file-type b/bin/v-get-fs-file-type
@@ -33,7 +33,7 @@ if [ -z "$(echo $rpath |grep $homedir)" ]; then
 fi
 
 # Listing file type
-setpriv --init-groups --reuid "$user" --regid "$user" -- file -i -b "$path" 2>/dev/null
+user_exec file -i -b "$path" 2>/dev/null
 
 # Exiting
 exit $?
diff --git a/bin/v-list-fs-directory b/bin/v-list-fs-directory
@@ -37,7 +37,7 @@ else
 fi
 
 # Listing directory
-setpriv --init-groups --reuid "$user" --regid "$user" -- find "$path" -maxdepth 1 \
+user_exec find "$path" -maxdepth 1 \
     -printf "%y|%m|%TY-%Tm-%Td|%TH:%TM|%u|%g|%s|%P\n" 2>/dev/null
 
 # Exiting
diff --git a/bin/v-move-fs-directory b/bin/v-move-fs-directory
@@ -48,7 +48,7 @@ if [ -z "$(echo $rpath |egrep "^/tmp|^$homedir")" ]; then
 fi
 
 # Moving directory
-setpriv --init-groups --reuid "$user" --regid "$user" -- mv "$src_dir" "$dst_dir" >/dev/null 2>&1
+user_exec mv "$src_dir" "$dst_dir" >/dev/null 2>&1
 if [ $? -ne 0 ]; then
     echo "Error: directory $src_dir was not moved"
     exit 3
diff --git a/bin/v-move-fs-file b/bin/v-move-fs-file
@@ -48,7 +48,7 @@ if [ -z "$(echo $rpath |egrep "^/tmp|^$homedir")" ]; then
 fi
 
 # Moving file
-setpriv --init-groups --reuid "$user" --regid "$user" -- mv "$src_file" "$dst_file" >/dev/null 2>&1
+user_exec mv "$src_file" "$dst_file" >/dev/null 2>&1
 if [ $? -ne 0 ]; then
     echo "Error: file $src_file was not moved"
     exit 3
diff --git a/bin/v-open-fs-file b/bin/v-open-fs-file
@@ -40,7 +40,7 @@ if [ ! -z "$src_file" ]; then
 fi
 
 # Reading file
-setpriv --init-groups --reuid "$user" --regid "$user" -- cat "$src_file" 2>/dev/null
+user_exec cat "$src_file" 2>/dev/null
 if [ $? -ne 0 ]; then
     echo "Error: file $src_file was not opened"
     exit 3
diff --git a/bin/v-restore-user b/bin/v-restore-user
@@ -407,7 +407,7 @@ if [ "$web" != 'no' ] && [ ! -z "$WEB_SYSTEM" ]; then
             rm -rf $HOMEDIR/$user/web/$domain/public_html/*
         fi
         chmod u+w "$HOMEDIR/$user/web/$domain"
-        setpriv --init-groups --reuid "$user" --regid "$user" -- tar -xzpf $tmpdir/web/$domain/domain_data.tar.gz \
+        user_exec tar -xzpf $tmpdir/web/$domain/domain_data.tar.gz \
             -C "$HOMEDIR/$user/web/$domain/" \
             --exclude='logs/*'
         if [ "$?" -ne 0 ]; then
diff --git a/bin/v-run-cli-cmd b/bin/v-run-cli-cmd
@@ -44,6 +44,7 @@ if [ "$realcmd" != '/bin/ps'            -a \
      "$realcmd" != '/bin/gunzip'        -a \
      "$realcmd" != '/bin/mkdir'         -a \
      "$realcmd" != '/usr/bin/find'      -a \
+     "$realcmd" != '/usr/bin/id'        -a \
      "$realcmd" != '/bin/grep'          -a \
      "$realcmd" != '/bin/egrep'         -a \
      "$realcmd" != '/bin/sed'           -a \
@@ -64,7 +65,7 @@ for ((I=3; I <= $# ; I++)); do
     cmdArgs="$cmdArgs ${all_scriptargs[${I}-1]}"
 done
 
-setpriv --init-groups --reuid "$user" --regid "$user" -- $realcmd $cmdArgs
+runuser -u "$user" -- $realcmd $cmdArgs
 if [ $? -ne 0 ]; then 
     echo "Error: cmd exited with errors"
     exit 3
diff --git a/bin/v-search-fs-object b/bin/v-search-fs-object
@@ -38,7 +38,7 @@ else
 fi
 
 # Listing directory
-setpriv --init-groups --reuid "$user" --regid "$user" -- find "$path" -name "$object" \
+user_exec find "$path" -name "$object" \
     -printf "%y|%m|%TY-%Tm-%Td|%TH:%TM|%u|%g|%s|%P\n" 2>/dev/null
 #    -printf "%y|%m|%TY-%Tm-%Td|%TH:%TM:%TS|%u|%g|%s|%P\n" 2>/dev/null
 
diff --git a/func/main.sh b/func/main.sh
@@ -258,7 +258,7 @@ parse_object_kv_list() {
     str=${str//$/\\$}
     IFS=$'\n'
 
-    suboutput=$(setpriv --init-groups --reuid nobody --regid nogroup bash -c "PS4=''; set -xe; eval \"${str}\"" 2>&1)
+    suboutput=$(setpriv --clear-groups --reuid nobody --regid nogroup bash -c "PS4=''; set -xe; eval \"${str}\"" 2>&1)
     check_result $? "Invalid object format: ${str}" $E_INVALID
 
     for objkv in $suboutput; do
@@ -1080,3 +1080,16 @@ multiphp_versions() {
         echo -en '\n'
     fi
 }
+
+# Run arbitrary cli commands with dropped privileges
+# Note: setpriv --init-groups is not available on debian9 (util-linux 2.29.2)
+# Input:
+#     - $user : Vaild hestia user
+user_exec() {
+    is_object_valid 'user' 'USER' "$user"
+
+    local user_groups=$(id -G "$user")
+    user_groups=${user_groups//\ /,}
+
+    setpriv --groups "$user_groups" --reuid "$user" --regid "$user" -- $@
+}
diff --git a/func/rebuild.sh b/func/rebuild.sh
@@ -205,7 +205,7 @@ rebuild_web_domain_conf() {
 
     # Propagating html skeleton
     if [ -d "$WEBTPL/skel/document_errors/" ]; then
-        setpriv --init-groups --reuid "$user" --regid "$user" -- cp -r "$WEBTPL/skel/document_errors/" "$HOMEDIR/$user/web/$domain/"
+        user_exec cp -r "$WEBTPL/skel/document_errors/" "$HOMEDIR/$user/web/$domain/"
     fi
 
     # Set folder permissions
@@ -293,15 +293,15 @@ rebuild_web_domain_conf() {
         if [ ! -z "$STATS_USER" ]; then
             stats_dir="$HOMEDIR/$user/web/$domain/stats"
             if [ "$WEB_SYSTEM" = 'nginx' ]; then
-                echo "auth_basic \"Web Statistics\";"               |setpriv --init-groups --reuid "$user" --regid "$user" -- tee    $stats_dir/auth.conf
-                echo "auth_basic_user_file $stats_dir/.htpasswd;"   |setpriv --init-groups --reuid "$user" --regid "$user" -- tee -a $stats_dir/auth.conf
+                echo "auth_basic \"Web Statistics\";"               |user_exec tee    $stats_dir/auth.conf
+                echo "auth_basic_user_file $stats_dir/.htpasswd;"   |user_exec tee -a $stats_dir/auth.conf
             else
-                echo "AuthUserFile $stats_dir/.htpasswd"    |setpriv --init-groups --reuid "$user" --regid "$user" -- tee    $stats_dir/.htaccess
-                echo "AuthName \"Web Statistics\""          |setpriv --init-groups --reuid "$user" --regid "$user" -- tee -a $stats_dir/.htaccess
-                echo "AuthType Basic"                       |setpriv --init-groups --reuid "$user" --regid "$user" -- tee -a $stats_dir/.htaccess
-                echo "Require valid-user"                   |setpriv --init-groups --reuid "$user" --regid "$user" -- tee -a $stats_dir/.htaccess
+                echo "AuthUserFile $stats_dir/.htpasswd"    |user_exec tee    $stats_dir/.htaccess
+                echo "AuthName \"Web Statistics\""          |user_exec tee -a $stats_dir/.htaccess
+                echo "AuthType Basic"                       |user_exec tee -a $stats_dir/.htaccess
+                echo "Require valid-user"                   |user_exec tee -a $stats_dir/.htaccess
             fi
-            echo "$STATS_USER:$STATS_CRYPT" |setpriv --init-groups --reuid "$user" --regid "$user" -- tee $stats_dir/.htpasswd
+            echo "$STATS_USER:$STATS_CRYPT" |user_exec tee $stats_dir/.htpasswd
         fi
     fi
 
