Report processor worker refactored to run under another user (nobody) and have its own mysql credentials.

2017-04-27 16:35:53 -04:00 · 2017-04-27 16:35:53 -04:00 · 2ac89f3365
commit 2ac89f3365
parent c3edf42ada
13 changed files with 159 additions and 204 deletions
--- a/lib/db.js
+++ b/lib/db.js
@ -6,7 +6,7 @@ let redis = require('redis');
 let Lock = require('redfour');

 module.exports = mysql.createPool(config.mysql);
-if (config.redis.enabled) {
+if (config.redis && config.redis.enabled) {

    module.exports.redis = redis.createClient(config.redis);

--- a/lib/file-helpers.js
+++ b/lib/file-helpers.js
@ -12,22 +12,21 @@ function nameToFileName(name) {
 }


-function getReportDir(report) {
+function getReportFileBase(report) {
    return path.join(__dirname, '..', 'protected', 'reports', report.id + '-' + nameToFileName(report.name));
 }

 function getReportContentFile(report) {
-    return path.join(getReportDir(report), 'report');
+    return getReportFileBase(report) + '.out';
 }

 function getReportOutputFile(report) {
-    return getReportDir(report) + '.output';
+    return getReportFileBase(report) + '.err';
 }


 module.exports = {
    getReportContentFile,
-    getReportDir,
    getReportOutputFile,
    nameToFileName
 };
--- a/lib/privilege-helpers.js
+++ b/lib/privilege-helpers.js
@ -2,52 +2,52 @@

 const log = require('npmlog');
 const config = require('config');
-const path = require('path');

-const promise = require('bluebird');
-const fsExtra = promise.promisifyAll(require('fs-extra'));
-const fs = promise.promisifyAll(require('fs'));
-const walk = require('walk');
+const fs = require('fs');

 const tryRequire = require('try-require');
 const posix = tryRequire('posix');

+function _getConfigUidGid(prefix) {
+    let uid = process.getuid();
+    let gid = process.getgid();
+
+    if (posix) {
+        try {
+            if (config.user) {
+                uid = posix.getpwnam(config[prefix + 'user']).uid;
+            }
+        } catch (err) {
+            log.info('PrivilegeHelpers', 'Failed to resolve user id "%s"', config[prefix + 'user']);
+        }
+
+        try {
+            if (config.user) {
+                gid = posix.getpwnam(config[prefix + 'group']).gid;
+            }
+        } catch (err) {
+            log.info('PrivilegeHelpers', 'Failed to resolve group id "%s"', config[prefix + 'group']);
+        }
+    } else {
+        log.info('PrivilegeHelpers', 'Posix module not installed. Cannot resolve uid/gid');
+    }
+
+    return { uid, gid };
+}
+
+function getConfigUidGid() {
+    return _getConfigUidGid('');
+}
+
+function getConfigROUidGid() {
+    return _getConfigUidGid('ro');
+}

 function ensureMailtrainOwner(file, callback) {
-    try {
-        const uid = config.user ? posix.getpwnam(config.user).uid : 0;
-        const gid = config.group ? posix.getgrnam(config.group).gid : 0;
-
-        fs.chown(file, uid, gid, callback);
-
-    } catch (err) {
-        return callback(err);
-    }
+    const ids = getConfigUidGid();
+    fs.chown(file, ids.uid, ids.gid, callback);
 }

-function ensureMailtrainOwnerRecursive(dir, callback) {
-    try {
-        const uid = config.user ? posix.getpwnam(config.user).uid : 0;
-        const gid = config.group ? posix.getgrnam(config.group).gid : 0;
-
-        fs.chown(dir, uid, gid, err => {
-            if (err) {
-                return callback(err);
-            }
-
-            walk.walk(dir)
-                .on('node', (root, stat, next) => {
-                    fs.chown(path.join(root, stat.name), uid, gid, next);
-                })
-                .on('end', callback);
-        });
-    } catch (err) {
-        return callback(err);
-    }
-}
-
-const ensureMailtrainOwnerRecursiveAsync = promise.promisify(ensureMailtrainOwnerRecursive);
-
 function dropRootPrivileges() {
    if (config.group) {
        try {
@ -68,64 +68,9 @@ function dropRootPrivileges() {
    }
 }

-function setupChrootDir(newRoot, callback) {
-    try {
-        fsExtra.emptyDirAsync(newRoot)
-            .then(() => fsExtra.ensureDirAsync(path.join(newRoot, 'etc')))
-            .then(() => fsExtra.copyAsync('/etc/hosts', path.join(newRoot, 'etc', 'hosts')))
-            .then(() => ensureMailtrainOwnerRecursiveAsync(newRoot))
-            .then(() => {
-                log.info('PrivilegeHelpers', 'Chroot directory "%s" set up', newRoot);
-                callback();
-            })
-            .catch(err => {
-                log.info('PrivilegeHelpers', 'Failed to setup chroot directory "%s"', newRoot);
-                callback(err);
-            });
-
-    } catch(err) {
-        log.info('PrivilegeHelpers', 'Failed to setup chroot directory "%s"', newRoot);
-    }
-}
-
-function tearDownChrootDir(root, callback) {
-    if (posix) {
-        fsExtra.removeAsync(path.join('/', 'etc'))
-            .then(() => {
-                log.info('PrivilegeHelpers', 'Chroot directory "%s" torn down', root);
-                callback();
-            })
-            .catch(err => {
-                log.info('PrivilegeHelpers', 'Failed to tear down chroot directory "%s"', root);
-                callback(err);
-            });
-    }
-}
-
-function chrootAndDropRootPrivileges(newRoot) {
-
-    try {
-        const uid = config.user ? posix.getpwnam(config.user).uid : 0;
-        const gid = config.group ? posix.getgrnam(config.group).gid : 0;
-
-        posix.chroot(newRoot);
-        process.chdir('/');
-
-        process.setgid(gid);
-        process.setuid(uid);
-
-        log.info('PrivilegeHelpers', 'Changed root to "%s" and privileges to %s.%s', newRoot, uid, gid);
-    } catch(err) {
-        log.info('PrivilegeHelpers', 'Failed to change root to "%s" and set privileges', newRoot);
-    }
-
-}
-
 module.exports = {
    dropRootPrivileges,
-    chrootAndDropRootPrivileges,
-    setupChrootDir,
-    tearDownChrootDir,
    ensureMailtrainOwner,
-    ensureMailtrainOwnerRecursive
+    getConfigUidGid,
+    getConfigROUidGid
 };