From d6fe11c8e3d7c0879974323b395b269af50fe3f3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=D0=95=D0=B2=D0=B3=D0=B5=D0=BD=D0=B8=D0=B9=20=28=D0=A5?= =?UTF-8?q?=D1=80=D0=B0=D0=BC=D1=8B=D1=87=D0=AA=29=20=D0=A5=D1=80=D0=B0?= =?UTF-8?q?=D0=BC=D0=BE=D0=B2?=
Date: Mon, 22 Sep 2025 19:54:44 +0300
Subject: [PATCH] =?UTF-8?q?=D0=98=D1=81=D0=BF=D1=80=D0=B0=D0=B2=D0=BB?= =?UTF-8?q?=D0=B5=D0=BD=D0=B8=D0=B5=20=D1=80=D0=B0=D0=B1=D0=BE=D1=82=D1=8B?= =?UTF-8?q?=20=D1=81=20=D0=BF=D1=80=D0=B0=D0=B2=D0=B0=D0=BC=D0=B8=20=D0=BA?= =?UTF-8?q?=D0=B0=D1=82=D0=B0=D0=BB=D0=BE=D0=B3=D0=BE=D0=B2=20+=20=D1=81?= =?UTF-8?q?=D0=BA=D1=80=D0=B8=D0=BF=D1=82=20=D1=83=D1=81=D1=82=D0=B0=D0=BD?= =?UTF-8?q?=D0=BE=D0=B2=D0=BA=D0=B8=202?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 main.go | 36 +++++++++++++++++++++++++++++-------
 scripts/install.sh | 30 ++++++++++++++++--------------
 2 files changed, 45 insertions(+), 21 deletions(-)
diff --git a/main.go b/main.go
index 57fd282..adcb3cd 100644
--- a/main.go
+++ b/main.go
@@ -77,6 +77,23 @@ func parseRepositoryFromPlugin(filePath string) (string, error) {
 return "", scanner.Err()
 }
+// fixRepoPermissions рекурсивно устанавливает права 775 для директорий и 664 для файлов
+func fixRepoPermissions(path string) error {
+ return filepath.Walk(path, func(filePath string, info os.FileInfo, err error) error {
+ if err != nil {
+ return err
+ }
+
+ if info.IsDir() {
+ // Устанавливаем права 2775 для директорий (setgid)
+ return os.Chmod(filePath, 0o2775)
+ } else {
+ // Устанавливаем права 664 для файлов
+ return os.Chmod(filePath, 0o664)
+ }
+ })
+}
+
 func main() {
 configPath := pflag.StringP("config", "c", "/etc/alr-updater/config.toml", "Path to config file")
 dbPath := pflag.StringP("database", "d", "/var/lib/alr-updater/db", "Path to database file")
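Review bot: In fixRepoPermissions the `else` branch calls `os.Chmod(filePath, 0o664)` on every non-directory entry, and os.Chmod follows symbolic links, so a symlink committed to a cloned repository gets its target (which may lie outside repoDir) made group-writable by whatever user the updater runs as. The directory branch also does not set setgid: Go's os.Chmod and os.MkdirAll take only the nine permission bits from the numeric value and expect the flag as `os.ModeSetgid`, so `0o2775` behaves like `0o775` here and in the four `os.MkdirAll(..., 0o2775)` calls in the later main() hunks. A blanket 0o664 additionally clears the execute bit on scripts in the working tree, and the doc comment says 775 where the code intends 2775. The sketch below leaves symlinks and other non-regular files alone, passes setgid explicitly, and widens file modes without dropping bits that are already set.

```go
func fixRepoPermissions(path string) error {
	return filepath.Walk(path, func(filePath string, info os.FileInfo, err error) error {
		// … unchanged: err check …
		switch {
		case info.IsDir():
			// A numeric 0o2000 is ignored by os.Chmod; setgid must be passed as os.ModeSetgid.
			return os.Chmod(filePath, 0o775|os.ModeSetgid)
		case info.Mode().IsRegular():
			// Add owner/group read-write and world read, keep execute bits already present.
			return os.Chmod(filePath, info.Mode().Perm()|0o664)
		default:
			// Symlinks, sockets, devices: os.Chmod would act on a link's target, so leave them alone.
			return nil
		}
	})
}
```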
@@ -145,12 +162,12 @@ func main() {
 // Создаем директорию для базы данных, если её нет
 dbDir := filepath.Dir(*dbPath)
 if _, err := os.Stat(dbDir); os.IsNotExist(err) {
- err = os.MkdirAll(dbDir, 0o755)
+ err = os.MkdirAll(dbDir, 0o2775)
 if err != nil {
 log.Fatal("Error creating database directory").
 Err(err).
 Str("path", dbDir).
- Str("hint", "Run as root or create directory manually: sudo mkdir -p "+dbDir+" && sudo chown alr-updater:alr-updater "+dbDir).
+ Str("hint", "Run as root or create directory manually: sudo mkdir -p "+dbDir+" && sudo chown root:wheel "+dbDir+" && sudo chmod 2775 "+dbDir).
 Send()
 }
 log.Info("Created database directory").Str("path", dbDir).Send()
@@ -167,12 +184,12 @@ func main() {
 }
 if _, err := os.Stat(cfg.ReposBaseDir); os.IsNotExist(err) {
- err = os.MkdirAll(cfg.ReposBaseDir, 0o755)
+ err = os.MkdirAll(cfg.ReposBaseDir, 0o2775)
 if err != nil {
 log.Fatal("Error creating repositories base directory").
 Err(err).
 Str("path", cfg.ReposBaseDir).
- Str("hint", "Run as root or create directory manually: sudo mkdir -p "+cfg.ReposBaseDir+" && sudo chown alr-updater:alr-updater "+cfg.ReposBaseDir).
+ Str("hint", "Run as root or create directory manually: sudo mkdir -p "+cfg.ReposBaseDir+" && sudo chown root:wheel "+cfg.ReposBaseDir+" && sudo chmod 2775 "+cfg.ReposBaseDir).
 Send()
 }
 log.Info("Created repositories base directory").Str("path", cfg.ReposBaseDir).Send()
@@ -187,7 +204,7 @@ func main() {
 if _, err := os.Stat(repoDir); os.IsNotExist(err) {
 log.Info("Cloning repository").Str("name", repoName).Str("url", repoConfig.RepoURL).Send()
- err = os.MkdirAll(repoDir, 0o755)
+ err = os.MkdirAll(repoDir, 0o2775)
 if err != nil {
 log.Fatal("Error creating repository directory").Str("repo", repoName).Err(err).Send()
 }
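Review bot: `os.MkdirAll(dbDir, 0o2775)` runs only when the directory is missing and its mode is filtered by the process umask, so under the common 022 umask the new directory still comes out without group write, and a directory left behind by an earlier version keeps 0755. If group write plus setgid is the goal, set it explicitly after the Stat/MkdirAll block, for example `if err := os.Chmod(dbDir, 0o775|os.ModeSetgid); err != nil { ... }`; the same applies to the cfg.ReposBaseDir and repoDir hunks that follow and to the *pluginDir hunk. The rewritten hint also tells operators to hand the database directory to `root:wheel` with group write, which gives every member of wheel write access to the updater's database; a dedicated group would keep that scope narrower. main() starts and ends outside these hunks.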
@@ -200,6 +217,11 @@ func main() {
 log.Fatal("Error cloning repository").Str("repo", repoName).Err(err).Send()
 }
+ // Исправляем права доступа после клонирования
+ if err := fixRepoPermissions(repoDir); err != nil {
+ log.Error("Error fixing repository permissions").Str("repo", repoName).Err(err).Send()
+ }
+
 log.Info("Repository cloned successfully").Str("name", repoName).Send()
 } else if err != nil {
 log.Fatal("Cannot stat repository directory").Str("repo", repoName).Err(err).Send()
@@ -215,12 +237,12 @@ func main() {
 // Создаем директорию для плагинов, если её нет
 if _, err := os.Stat(*pluginDir); os.IsNotExist(err) {
- err = os.MkdirAll(*pluginDir, 0o755)
+ err = os.MkdirAll(*pluginDir, 0o2775)
 if err != nil {
 log.Fatal("Error creating plugin directory").
 Err(err).
 Str("path", *pluginDir).
- Str("hint", "Run as root or create directory manually: sudo mkdir -p "+*pluginDir+" && sudo chown root:alr-updater "+*pluginDir).
+ Str("hint", "Run as root or create directory manually: sudo mkdir -p "+*pluginDir+" && sudo chown root:wheel "+*pluginDir+" && sudo chmod 2775 "+*pluginDir).
 Send()
 }
 log.Info("Created plugin directory").Str("path", *pluginDir).Send()
diff --git a/scripts/install.sh b/scripts/install.sh
index be04c98..3397991 100644
--- a/scripts/install.sh
+++ b/scripts/install.sh
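Review bot: In the clone branch of main() (main.go hunk at -200,6), a failure of fixRepoPermissions is only logged with log.Error and the next statement still reports "Repository cloned successfully", although filepath.Walk stops at the first error and leaves the tree with partly rewritten modes. The walk starts at repoDir and therefore also covers `.git`, making its config and object files group-writable and its hooks non-executable; whether that matters depends on how the updater invokes git later, which is not visible here. Consider returning `filepath.SkipDir` for `.git` inside the walk callback and including the failing path in the log entry. The fix runs only on first clone, so files added by later fetches (outside this hunk) would presumably keep their default modes.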
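Review bot: The plugin-directory hint in the main.go hunk at -215,12 now recommends `sudo chown root:wheel` with `sudo chmod 2775`, which gives every member of wheel write access to the directory the updater loads plugins from; the removed line suggested `root:alr-updater` and the directory was created 0755. parseRepositoryFromPlugin earlier in this file reads plugin files, so anyone able to write there can presumably influence what the service does. Unless group write is needed for plugin deployment, keep this directory writable by root only and readable by the service, e.g. `sudo chown root:alr-updater` with `sudo chmod 750`. main() continues outside this hunk.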
@@ -20,19 +20,21 @@ fi
 BINARY_PATH="/usr/local/bin/alr-updater"
 SERVICE_NAME="alr-updater"
 SERVICE_USER="alr-updater"
-SERVICE_GROUP="alr-updater"
+SERVICE_GROUP="wheel"
 CONFIG_DIR="/etc/alr-updater"
 DATA_DIR="/var/lib/alr-updater"
 CACHE_DIR="/var/cache/alr-updater"
 PLUGIN_DIR="${CONFIG_DIR}/plugins"
-# Создание пользователя и группы
-echo -e "${YELLOW}Creating user and group...${NC}"
+# Создание пользователя и добавление в группу wheel
+echo -e "${YELLOW}Creating user and adding to wheel group...${NC}"
 if ! id -u ${SERVICE_USER} >/dev/null 2>&1; then
- useradd -r -s /bin/false -d /var/lib/${SERVICE_USER} ${SERVICE_USER}
- echo -e "${GREEN}User ${SERVICE_USER} created${NC}"
+ useradd -r -s /bin/false -d /var/lib/${SERVICE_USER} -G wheel ${SERVICE_USER}
+ echo -e "${GREEN}User ${SERVICE_USER} created and added to wheel group${NC}"
 else
- echo -e "${GREEN}User ${SERVICE_USER} already exists${NC}"
+ # Добавляем существующего пользователя в группу wheel
+ usermod -a -G wheel ${SERVICE_USER}
+ echo -e "${GREEN}User ${SERVICE_USER} already exists, added to wheel group${NC}"
 fi
 # Создание директорий
@@ -42,15 +44,15 @@ mkdir -p ${DATA_DIR}
 mkdir -p ${CACHE_DIR}
 mkdir -p ${PLUGIN_DIR}
-# Установка прав доступа
-echo -e "${YELLOW}Setting permissions...${NC}"
-chown -R ${SERVICE_USER}:${SERVICE_GROUP} ${DATA_DIR}
-chown -R ${SERVICE_USER}:${SERVICE_GROUP} ${CACHE_DIR}
+# Установка прав доступа с setgid битом
+echo -e "${YELLOW}Setting permissions with setgid...${NC}"
+chown -R root:${SERVICE_GROUP} ${DATA_DIR}
+chown -R root:${SERVICE_GROUP} ${CACHE_DIR}
 chown -R root:${SERVICE_GROUP} ${CONFIG_DIR}
-chmod 755 ${CONFIG_DIR}
-chmod 755 ${PLUGIN_DIR}
-chmod 755 ${DATA_DIR}
-chmod 755 ${CACHE_DIR}
+chmod 2775 ${CONFIG_DIR}
+chmod 2775 ${PLUGIN_DIR}
+chmod 2775 ${DATA_DIR}
+chmod 2775 ${CACHE_DIR}
 # Копирование бинарника
 if [ -f "./alr-updater" ]; then
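Review bot: Adding ${SERVICE_USER} to wheel via `useradd ... -G wheel` and `usermod -a -G wheel` (install.sh hunk at -20,19) puts an unattended service account into the group that many distributions use to grant sudo or su access, and the `else` branch modifies an account that already exists on the host. `SERVICE_GROUP="wheel"` also means everything chowned later in the script is shared with every administrator account instead of being scoped to this service. A dedicated group keeps the service at least privilege: keep `SERVICE_GROUP="alr-updater"`, create it with `groupadd -r "${SERVICE_GROUP}"` guarded by `getent group`, and add individual operators to that group if they need shared write access. The `${SERVICE_USER}` expansions on these lines are unquoted, which is worth fixing while they are being touched.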
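Review bot: `chown -R root:${SERVICE_GROUP}` on ${DATA_DIR} and ${CACHE_DIR} (install.sh hunk at -42,15) takes ownership of existing files away from the service user, while the `chmod 2775` lines that follow are not recursive, so on an upgraded host a database file created earlier by alr-updater (for example with mode 0644) becomes root-owned and read-only for the service. ${CONFIG_DIR} and ${PLUGIN_DIR} also go from 755 to group-writable, which lets the service account, now a member of that group, rewrite its own configuration and plugins. Consider keeping `chown -R ${SERVICE_USER}:${SERVICE_GROUP}` for the data and cache directories and leaving the config tree at `chmod 755` with root as the only writer. The `if [ -f "./alr-updater" ]; then` block in the trailing context continues outside this hunk.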