mailtrain/server/lib/privilege-helpers.js

'use strict';

const log = require('./log');
const config = require('./config');

const fs = require('fs-extra-promise');

const tryRequire = require('try-require');
const posix = tryRequire('posix');

// process.getuid and process.getgid are not supported on Windows 
process.getuid = process.getuid || (() => 100);
process.getgid = process.getuid || (() => 100);

function _getConfigUidGid(userKey, groupKey, defaultUid, defaultGid) {
    let uid = defaultUid;
    let gid = defaultGid;

    if (posix) {
        try {
            if (config[userKey]) {
                uid = posix.getpwnam(config[userKey]).uid;
            }
        } catch (err) {
            log.info('PrivilegeHelpers', 'Failed to resolve user id "%s"', config[userKey]);
        }

        try {
            if (config[groupKey]) {
                gid = posix.getpwnam(config[groupKey]).gid;
            }
        } catch (err) {
            log.info('PrivilegeHelpers', 'Failed to resolve group id "%s"', config[groupKey]);
        }
    } else {
        log.info('PrivilegeHelpers', 'Posix module not installed. Cannot resolve uid/gid');
    }

    return { uid, gid };
}

function getConfigUidGid() {
    return _getConfigUidGid('user', 'group', process.getuid(), process.getgid());
}

function getConfigROUidGid() {
    const rwIds = getConfigUidGid();
    return _getConfigUidGid('roUser', 'roGroup', rwIds.uid, rwIds.gid);
}

function ensureMailtrainOwner(file, callback) {
    const ids = getConfigUidGid();

    if (callback) {
        fs.chown(file, ids.uid, ids.gid, callback);
    } else {
        return fs.chownAsync(file, ids.uid, ids.gid);
    }
}

async function ensureMailtrainDir(dir) {
    await fs.ensureDirAsync(dir);
    await ensureMailtrainOwner(dir);
}

function dropRootPrivileges() {
    if (config.group) {
        try {
            process.setgid(config.group);
            log.info('PrivilegeHelpers', 'Changed group to "%s" (%s)', config.group, process.getgid());
        } catch (E) {
            log.info('PrivilegeHelpers', 'Failed to change group to "%s" (%s)', config.group, E.message);
        }
    }

    if (config.user) {
        try {
            process.setuid(config.user);
            log.info('PrivilegeHelpers', 'Changed user to "%s" (%s)', config.user, process.getuid());
        } catch (E) {
            log.info('PrivilegeHelpers', 'Failed to change user to "%s" (%s)', config.user, E.message);
        }
    }
}

module.exports = {
    dropRootPrivileges,
    ensureMailtrainOwner,
    ensureMailtrainDir,
    getConfigUidGid,
    getConfigROUidGid
};
Work in progress on securing reports. 2017-04-25 22:49:31 +00:00			`'use strict';`

Bugfixes in sending campaigns 2018-09-27 19:32:35 +00:00			`const log = require('./log');`
Added abstraction layer around config. `roles` in config renamed to `defaultRoles`. These are used if no `roles` are provided in production.yaml 2019-07-26 15:05:49 +00:00			`const config = require('./config');`
Work in progress on securing reports. 2017-04-25 22:49:31 +00:00
Fixed bug - files/uploaded had wrong owner Upgrade to React 16 2018-12-26 03:38:02 +00:00			`const fs = require('fs-extra-promise');`
Work in progress on securing reports. 2017-04-25 22:49:31 +00:00
			`const tryRequire = require('try-require');`
			`const posix = tryRequire('posix');`

Implemented basic transactional emails API 2019-03-24 12:27:56 +00:00			`// process.getuid and process.getgid are not supported on Windows`
			`process.getuid = process.getuid \|\| (() => 100);`
			`process.getgid = process.getuid \|\| (() => 100);`

Basic support for Mosaico-based email templates. 2018-04-02 09:58:32 +00:00			`function _getConfigUidGid(userKey, groupKey, defaultUid, defaultGid) {`
config.user/group used if config.rouser/rogroup is not set 2017-04-27 22:25:05 +00:00			`let uid = defaultUid;`
			`let gid = defaultGid;`
Work in progress on securing reports. 2017-04-25 22:49:31 +00:00
Report processor worker refactored to run under another user (nobody) and have its own mysql credentials. 2017-04-27 20:35:53 +00:00			`if (posix) {`
			`try {`
Basic support for Mosaico-based email templates. 2018-04-02 09:58:32 +00:00			`if (config[userKey]) {`
			`uid = posix.getpwnam(config[userKey]).uid;`
Report processor worker refactored to run under another user (nobody) and have its own mysql credentials. 2017-04-27 20:35:53 +00:00			`}`
			`} catch (err) {`
Basic support for Mosaico-based email templates. 2018-04-02 09:58:32 +00:00			`log.info('PrivilegeHelpers', 'Failed to resolve user id "%s"', config[userKey]);`
Report processor worker refactored to run under another user (nobody) and have its own mysql credentials. 2017-04-27 20:35:53 +00:00			`}`
Work in progress on securing reports. 2017-04-25 22:49:31 +00:00
Report processor worker refactored to run under another user (nobody) and have its own mysql credentials. 2017-04-27 20:35:53 +00:00			`try {`
Basic support for Mosaico-based email templates. 2018-04-02 09:58:32 +00:00			`if (config[groupKey]) {`
			`gid = posix.getpwnam(config[groupKey]).gid;`
Report processor worker refactored to run under another user (nobody) and have its own mysql credentials. 2017-04-27 20:35:53 +00:00			`}`
			`} catch (err) {`
Basic support for Mosaico-based email templates. 2018-04-02 09:58:32 +00:00			`log.info('PrivilegeHelpers', 'Failed to resolve group id "%s"', config[groupKey]);`
Report processor worker refactored to run under another user (nobody) and have its own mysql credentials. 2017-04-27 20:35:53 +00:00			`}`
			`} else {`
			`log.info('PrivilegeHelpers', 'Posix module not installed. Cannot resolve uid/gid');`
Work in progress on securing reports. 2017-04-25 22:49:31 +00:00			`}`

Report processor worker refactored to run under another user (nobody) and have its own mysql credentials. 2017-04-27 20:35:53 +00:00			`return { uid, gid };`
			`}`
Work in progress on securing reports. 2017-04-25 22:49:31 +00:00
Report processor worker refactored to run under another user (nobody) and have its own mysql credentials. 2017-04-27 20:35:53 +00:00			`function getConfigUidGid() {`
Basic support for Mosaico-based email templates. 2018-04-02 09:58:32 +00:00			`return _getConfigUidGid('user', 'group', process.getuid(), process.getgid());`
Report processor worker refactored to run under another user (nobody) and have its own mysql credentials. 2017-04-27 20:35:53 +00:00			`}`
Work in progress on securing reports. 2017-04-25 22:49:31 +00:00
Report processor worker refactored to run under another user (nobody) and have its own mysql credentials. 2017-04-27 20:35:53 +00:00			`function getConfigROUidGid() {`
Basic support for Mosaico-based email templates. 2018-04-02 09:58:32 +00:00			`const rwIds = getConfigUidGid();`
			`return _getConfigUidGid('roUser', 'roGroup', rwIds.uid, rwIds.gid);`
Work in progress on securing reports. 2017-04-25 22:49:31 +00:00			`}`

Report processor worker refactored to run under another user (nobody) and have its own mysql credentials. 2017-04-27 20:35:53 +00:00			`function ensureMailtrainOwner(file, callback) {`
			`const ids = getConfigUidGid();`
Further improvements in caching. The state of the cache is now persisted in DB. This persists the cache between server restarts. 2019-04-22 09:41:37 +00:00
			`if (callback) {`
			`fs.chown(file, ids.uid, ids.gid, callback);`
			`} else {`
			`return fs.chownAsync(file, ids.uid, ids.gid);`
			`}`
Report processor worker refactored to run under another user (nobody) and have its own mysql credentials. 2017-04-27 20:35:53 +00:00			`}`
Work in progress on securing reports. 2017-04-25 22:49:31 +00:00
Further improvements in caching. The state of the cache is now persisted in DB. This persists the cache between server restarts. 2019-04-22 09:41:37 +00:00			`async function ensureMailtrainDir(dir) {`
Further updated on caching. Small change in DB schema to make lookups a bit more performant. Note that if DB migration in the last commit has been run, this commit will need manual update of the database. 2019-04-22 13:41:39 +00:00			`await fs.ensureDirAsync(dir);`
Further improvements in caching. The state of the cache is now persisted in DB. This persists the cache between server restarts. 2019-04-22 09:41:37 +00:00			`await ensureMailtrainOwner(dir);`
Fixed bug - files/uploaded had wrong owner Upgrade to React 16 2018-12-26 03:38:02 +00:00			`}`

Work in progress on securing reports. 2017-04-25 22:49:31 +00:00			`function dropRootPrivileges() {`
			`if (config.group) {`
			`try {`
			`process.setgid(config.group);`
			`log.info('PrivilegeHelpers', 'Changed group to "%s" (%s)', config.group, process.getgid());`
			`} catch (E) {`
			`log.info('PrivilegeHelpers', 'Failed to change group to "%s" (%s)', config.group, E.message);`
			`}`
			`}`

			`if (config.user) {`
			`try {`
			`process.setuid(config.user);`
			`log.info('PrivilegeHelpers', 'Changed user to "%s" (%s)', config.user, process.getuid());`
			`} catch (E) {`
			`log.info('PrivilegeHelpers', 'Failed to change user to "%s" (%s)', config.user, E.message);`
			`}`
			`}`
			`}`

			`module.exports = {`
			`dropRootPrivileges,`
			`ensureMailtrainOwner,`
Fixed bug - files/uploaded had wrong owner Upgrade to React 16 2018-12-26 03:38:02 +00:00			`ensureMailtrainDir,`
Report processor worker refactored to run under another user (nobody) and have its own mysql credentials. 2017-04-27 20:35:53 +00:00			`getConfigUidGid,`
			`getConfigROUidGid`
Work in progress on securing reports. 2017-04-25 22:49:31 +00:00			`};`