From 63bc4c4ee0ab2f343a713a8f8467c8ace31dc0bc Mon Sep 17 00:00:00 2001
From: Alex Malinovich
Date: Wed, 30 Nov 2016 16:48:03 -0800
Subject: [PATCH] Force better security for cron setup
---
 extras/cronwrapper | 8 ++++++++
 extras/installer.sh | 37 +++++++++++++++++++------------------
 plexupdate.sh | 5 ++++-
 3 files changed, 31 insertions(+), 19 deletions(-)
diff --git a/extras/cronwrapper b/extras/cronwrapper
index 1b1d52d..f0c4677 100755
--- a/extras/cronwrapper
+++ b/extras/cronwrapper
@@ -29,6 +29,14 @@ fi
 if [ -z "${SCRIPT}" -o ! -f "${SCRIPT}" ]; then
 echo "ERROR: Cannot find plexupdate.sh (tried ${SCRIPT})" >&2
 exit 255
+elif [ ${EUID} -eq 0 ]; then
+ UNSAFE_FILES=$(find -L "$(dirname "${SCRIPT}")" -perm /002 -or -not -uid 0 -or -not -gid 0)
+ if [ ! -z "${UNSAFE_FILES}" ]; then
+ echo "ERROR: Permissions on some files are too lax for running as root. Files must be owned by root:root and not world-writeable." >&2
+ echo "Unsafe files found:" >&2
+ echo "${UNSAFE_FILES}" >&2
+ exit 255
+ fi
 fi
 if [ ! -z "$CONF" ]; then
diff --git a/extras/installer.sh b/extras/installer.sh
index 7f268c5..1683c15 100755
--- a/extras/installer.sh
+++ b/extras/installer.sh
@@ -19,9 +19,7 @@ install() {
 [ -z "$DISTRO_INSTALL" ] && check_distro
 if [ $EUID -ne 0 ]; then
- sudo $DISTRO_INSTALL $1
- else
- $DISTRO_INSTALL $1
+ sudo $DISTRO_INSTALL $1 || abort "Failed while trying to install '$1'. Please install it manually and try again."
 fi
 }
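Review bot: The root-mode check added in the `elif` branch only walks the tree under `dirname "${SCRIPT}"`, while the config file named by `CONF` — consumed by the `if [ ! -z "$CONF" ]` block that follows, whose body is outside the hunk — is not examined; if that file is sourced by the root cron run, a non-root-owned or world-writable config would undo exactly what the check is meant to guarantee. Extending the same predicate to it is a one-line change: `UNSAFE_FILES=$(find -L "$(dirname "${SCRIPT}")" ${CONF:+"$CONF"} -perm /002 -or -not -uid 0 -or -not -gid 0)`. Note also that `-perm /002` and `-uid` are GNU find extensions, so a comment such as `# requires GNU find (-perm /mode, -uid)` above the call would save the next porter some time.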
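Review bot: In `install()` the `if [ $EUID -ne 0 ]` guard is kept but its `else` branch is gone, so when the installer itself runs as root `$DISTRO_INSTALL` is never invoked and the function returns success without installing anything — unless the script refuses to run as root before this point, which is outside the hunk. The other hunks in this commit (`configure_cron`, `save_config`, the final run) switch to calling `sudo` unconditionally, so the consistent fix is to drop the guard here as well and quote the argument: `sudo $DISTRO_INSTALL "$1" || abort "Failed while trying to install '$1'. Please install it manually and try again."`. `install()` opens on the hunk header line and its body is fully visible here.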
@@ -243,6 +241,17 @@ configure_cron() {
 echo
 echo -n "Would you like to set up automatic daily updates for Plex? "
 if yesno $CRON; then
+ if [ $(stat -c %u "${FULL_PATH}") -ne 0 ]; then
+ echo
+ echo "WARNING: For security reasons, plexupdate needs to be installed as root in order to run automatically. In order to finish setting up automatic updates, we will change the ownership of '${FULL_PATH}' to root:root."
+ echo -n "Do you wish to continue? "
+ yesno || return 1
+ echo
+ echo -n "Changing ownership of '${FULL_PATH}'... "
+ sudo chown -R root:root "${FULL_PATH}" || abort "Unable to change ownership, cannot continue"
+ echo "done"
+ fi
+
 CONF="$CONFIGFILE"
 SCRIPT="${FULL_PATH}/plexupdate.sh"
 LOGGING=${LOGGING:-false}
@@ -257,13 +266,7 @@ configure_cron() {
 echo
 echo -n "Installing daily cron job... "
- if [ $EUID -ne 0 ]; then
- sudo chown root:root "${FULL_PATH}/extras/cronwrapper"
- sudo ln -sf "${FULL_PATH}/extras/cronwrapper" "$CRONWRAPPER"
- else
- chown root:root "${FULL_PATH}/extras/cronwrapper"
- ln -sf "${FULL_PATH}/extras/cronwrapper" "$CRONWRAPPER"
- fi
+ sudo ln -sf "${FULL_PATH}/extras/cronwrapper" "$CRONWRAPPER"
 echo "done"
 elif [ -f "$CRONWRAPPER" -o -f "$CONFIGCRON" ]; then
 echo
@@ -288,13 +291,11 @@ save_config() {
 echo
 echo -n "Writing configuration file '$2'... "
- if [ $EUID -ne 0 ]; then
- # make sure that new file is owned by root instead of owner of CONFIGTEMP
- sudo tee "$2" > /dev/null < "$CONFIGTEMP"
- rm "$CONFIGTEMP"
- else
- mv "$CONFIGTEMP" "$2"
- fi
+
+ # make sure that new file is owned by root instead of owner of CONFIGTEMP
+ sudo tee "$2" > /dev/null < "$CONFIGTEMP"
+ rm "$CONFIGTEMP"
+
 echo "done"
 }
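Review bot: The new ownership fix-up runs `sudo chown -R root:root "${FULL_PATH}"` but leaves file modes alone, while the cronwrapper change in this same commit also refuses any file matching `-perm /002`; a checkout containing one world-writable file therefore passes the installer and the cron job then exits 255 on its first run with no hint given at install time. Pair the chown with `sudo chmod -R o-w "${FULL_PATH}" || abort "Unable to fix permissions, cannot continue"`, or run the same `find` test here and warn the user. The owner test `[ $(stat -c %u "${FULL_PATH}") -ne 0 ]` also degrades into a `unary operator expected` error rather than a message when `stat` fails or `FULL_PATH` is empty; capturing first (`owner=$(stat -c %u "${FULL_PATH}") || abort "Unable to read owner of '${FULL_PATH}'"`) keeps the failure readable. Since `FULL_PATH` appears to be a git checkout (the plexupdate.sh hunk runs `git fetch` in it), the recursive chown also takes `.git` away from the installing user, which is worth stating in the warning text. `configure_cron` starts before and continues after the hunk.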
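Review bot: `sudo ln -sf "${FULL_PATH}/extras/cronwrapper" "$CRONWRAPPER"` has no failure check, so "done" is printed even when the symlink could not be created, whereas the chown added earlier in this commit aborts on failure. Suggest `sudo ln -sf "${FULL_PATH}/extras/cronwrapper" "$CRONWRAPPER" || abort "Unable to install cron job, cannot continue"`. The removed per-file `chown root:root` of the wrapper is now covered only by the recursive chown, which runs solely when the top-level directory is not root-owned; if the wrapper file alone has another owner — plausible after a partial earlier install, though not provable from here — the link is created and cronwrapper's own check then refuses it at run time.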
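Review bot: `sudo tee "$2" > /dev/null < "$CONFIGTEMP"` is not checked, and `rm "$CONFIGTEMP"` then discards the only copy of the answers before "done" is printed, so a failed or refused `sudo` leaves the user with no config file and a success message. Check it before removing the temp file: `sudo tee "$2" > /dev/null < "$CONFIGTEMP" || abort "Unable to write '$2', cannot continue"`. Because the file is now always created by root through `tee`, its mode comes from root's umask or from a pre-existing file; if the config can hold credentials (not visible in this hunk), a `sudo chmod 600 "$2"` afterwards would be worth considering. The rest of `save_config` is outside the hunk.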
@@ -339,7 +340,7 @@ configure_cron
 echo
 echo -n "Configuration complete. Would you like to run plexupdate with these settings now? "
 if yesno; then
- if [ "$AUTOINSTALL" == "yes" -a $EUID -ne 0 ]; then
+ if [ "$AUTOINSTALL" == "yes" ]; then
 sudo "$FULL_PATH/plexupdate.sh" -P --config "$CONFIGFILE"
 else
 "$FULL_PATH/plexupdate.sh" -P --config "$CONFIGFILE"
diff --git a/plexupdate.sh b/plexupdate.sh
index 8711c0c..8a447c5 100755
--- a/plexupdate.sh
+++ b/plexupdate.sh
@@ -81,6 +81,9 @@ URL_DOWNLOAD_PUBLIC='https://plex.tv/api/downloads/1.json'
 #URL for new version check
 UPSTREAM_GIT_URL='https://raw.githubusercontent.com/demonbane/plexupdate/reworklog/plexupdate.sh' #FIXME
+#Branch to fetch updates from
+BRANCHNAME="reworklog" #FIXME
+
 FILE_POSTDATA=$(mktemp /tmp/plexupdate.postdata.XXXX)
 FILE_RAW=$(mktemp /tmp/plexupdate.raw.XXXX)
 FILE_FAILCAUSE=$(mktemp /tmp/plexupdate.failcause.XXXX)
@@ -331,7 +334,7 @@ if [ "${AUTOUPDATE}" = "yes" ]; then
 exit 1
 fi
- if git fetch --quiet && ! git diff --quiet FETCH_HEAD; then
+ if git fetch origin $BRANCHNAME --quiet && ! git diff --quiet FETCH_HEAD; then
 info "Auto-updating..."
 if ! git merge --quiet FETCH_HEAD; then
 error 'Unable to update git, try running "git pull" manually to see what is wrong'
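Review bot: `BRANCHNAME="reworklog"` repeats the branch that is already hard-coded inside `UPSTREAM_GIT_URL` on the line above, and both carry a `#FIXME`; the two can now drift apart so that the version check and the auto-update look at different branches. Either build the URL from the variable or tie them together with a comment: `#Branch to fetch updates from; must match the branch embedded in UPSTREAM_GIT_URL`.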
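Review bot: `git fetch origin $BRANCHNAME --quiet` leaves `$BRANCHNAME` unquoted; it is a constant today, but `git fetch --quiet origin "$BRANCHNAME"` costs nothing and keeps shellcheck quiet. With the cronwrapper change in this commit the auto-update path now runs as root from cron, so `git merge FETCH_HEAD` brings whatever the remote branch holds into a tree that is subsequently executed as root, with no verification of the fetched content; that is a property of the pre-existing auto-update rather than of this line, but it deserves a comment next to `AUTOUPDATE` or `BRANCHNAME` so operators know what enabling it implies. The enclosing `if [ "${AUTOUPDATE}" = "yes" ]` block starts before the hunk and continues after it.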