From 58305d8734d744f9cc22718266d0f7f0d806c5dd Mon Sep 17 00:00:00 2001 From: Mark Feit Date: Wed, 5 Jun 2024 11:39:16 +0000 Subject: [PATCH 1/2] Don't write service temporary files in areas that might be noexec. #1436 --- .../pscheduler-server/daemons/Makefile | 17 ++++++++++++----- .../pscheduler-server/daemons/debug.raw | 2 +- .../daemons/service-template.raw | 18 +++++++++--------- .../unibuild-packaging/deb/rules | 5 +++-- .../rpm/pscheduler-server.spec | 6 ++++-- 5 files changed, 29 insertions(+), 19 deletions(-) diff --git a/pscheduler-server/pscheduler-server/daemons/Makefile b/pscheduler-server/pscheduler-server/daemons/Makefile index c7710f1c22..4ba44fc895 100644 --- a/pscheduler-server/pscheduler-server/daemons/Makefile +++ b/pscheduler-server/pscheduler-server/daemons/Makefile @@ -11,7 +11,8 @@ # PGSERVICE - Name of the PostgreSQL systemd service # PGUSER - Name of pScheduler PostgreSQL account # PSUSER - Name of pScheduler user account -# RUNDIR - Location of run directory (nominally /run) +# STORAGEDIR - Location of temporary storage. Must not be +# in a directory where 'noexec' is in effect. # VAR - Location of /var directory # @@ -60,7 +61,7 @@ ifndef PSUSER endif sed \ -e 's|__PSUSER__|$(PSUSER)|g' \ - -e 's|__RUNDIR__|$(RUNDIR)|g' \ + -e 's|__STORAGEDIR__|$(STORAGEDIR)|g' \ < $< > $@ @if egrep -e '__[A-Z_]+__' $@ ; then \ echo "Found un-substituted values in processed file $@" ; \ @@ -150,8 +151,8 @@ ifndef PGSERVICE @echo No PGSERVICE specified for build @false endif -ifndef RUNDIR - @echo No RUNDIR specified for build +ifndef STORAGEDIR + @echo No STORAGEDIR specified for build @false endif ifndef VAR @@ -164,7 +165,7 @@ endif -e 's|__DSN__|$(DSNFILE)|g' \ -e 's|__PROG__|$(@:service-%=%)|g' \ -e 's|__PSUSER__|$(PSUSER)|g' \ - -e 's|__RUNDIR__|$(RUNDIR)|g' \ + -e 's|__STORAGEDIR__|$(STORAGEDIR)|g' \ -e 's|__VAR__|$(VAR)|g' \ -e 's|__LOGDIR__|$(LOGDIR)|g' \ -e 's|__PGSERVICE__|$(PGSERVICE)|g' \ 
@@ -215,6 +216,10 @@ endif ifndef INTERNALSDIR @echo No INTERNALSDIR specified for installation @false +endif +ifndef STORAGEDIR + @echo No STORAGEDIR specified for installation + @false endif mkdir -p $(CONFIGDIR) cp -f $(CONFIGS) $(CONFIGDIR) @@ -228,6 +233,8 @@ endif mkdir -p $(INTERNALSDIR) cp -f $(INTERNALS) $(INTERNALSDIR) chmod 555 $(INTERNALS:%=$(INTERNALSDIR)/%) + mkdir -p $(STORAGEDIR) + chmod 700 $(STORAGEDIR) mkdir -p $(UNITDIR) @for SCRIPT in $(DAEMONS) ; \ do \ diff --git a/pscheduler-server/pscheduler-server/daemons/debug.raw b/pscheduler-server/pscheduler-server/daemons/debug.raw index e0a6c3fd27..bafd89c28d 100755 --- a/pscheduler-server/pscheduler-server/daemons/debug.raw +++ b/pscheduler-server/pscheduler-server/daemons/debug.raw @@ -82,7 +82,7 @@ do continue fi - PID_FILE="__RUNDIR__/${SERVICE}/pid" + PID_FILE="__STORAGEDIR__/${SERVICE}/pid" if [ ! -r "${PID_FILE}" ] then echo "Warning: ${SERVICE} does not appear to be running." 1>&2 diff --git a/pscheduler-server/pscheduler-server/daemons/service-template.raw b/pscheduler-server/pscheduler-server/daemons/service-template.raw index 1d1d5b7f64..4107ebf785 100644 --- a/pscheduler-server/pscheduler-server/daemons/service-template.raw +++ b/pscheduler-server/pscheduler-server/daemons/service-template.raw 
@@ -14,31 +14,31 @@ LimitNPROC=32768 Restart=always # Create the run directory -ExecStartPre=-/bin/mkdir -p __RUNDIR__/__PROG__ -ExecStartPre=-/bin/chmod 755 __RUNDIR__/__PROG__ +ExecStartPre=-/bin/mkdir -p __STORAGEDIR__/__PROG__ +ExecStartPre=-/bin/chmod 755 __STORAGEDIR__/__PROG__ # Set up some temporary space and export its location -ExecStartPre=-/bin/mkdir -p __RUNDIR__/__PROG__/tmp -ExecStartPre=-/bin/chmod 700 __RUNDIR__/__PROG__/tmp -Environment=TMPDIR=__RUNDIR__/__PROG__/tmp +ExecStartPre=-/bin/mkdir -p __STORAGEDIR__/__PROG__/tmp +ExecStartPre=-/bin/chmod 700 __STORAGEDIR__/__PROG__/tmp +Environment=TMPDIR=__STORAGEDIR__/__PROG__/tmp # Set ownership -ExecStartPre=-/bin/chown -R __PSUSER__:__PSUSER__ __RUNDIR__/__PROG__ +ExecStartPre=-/bin/chown -R __PSUSER__:__PSUSER__ __STORAGEDIR__/__PROG__ # Generate options file -ExecStartPre=-/bin/sh -c "if [ -r __CONFIGDIR__/__PROG__.conf ]; then opts=$(sed -e 's/#.*$//' __CONFIGDIR__/__PROG__.conf); echo OPTIONS=$opts > __RUNDIR__/__PROG__/options; chown __PSUSER__:__PSUSER__ __RUNDIR__/__PROG__/options; fi" +ExecStartPre=-/bin/sh -c "if [ -r __CONFIGDIR__/__PROG__.conf ]; then opts=$(sed -e 's/#.*$//' __CONFIGDIR__/__PROG__.conf); echo OPTIONS=$opts > __STORAGEDIR__/__PROG__/options; chown __PSUSER__:__PSUSER__ __STORAGEDIR__/__PROG__/options; fi" # Redirections StandardOutput=journal StandardError=journal # Start service -EnvironmentFile=-__RUNDIR__/__PROG__/options +EnvironmentFile=-__STORAGEDIR__/__PROG__/options ExecStart=__DAEMONDIR__/__PROG__ --dsn @__DSN__ $OPTIONS # Stop service -ExecStopPost=/bin/rm -rf __RUNDIR__/__PROG__ +ExecStopPost=/bin/rm -rf __STORAGEDIR__/__PROG__ [Install] WantedBy=multi-user.target diff --git a/pscheduler-server/pscheduler-server/unibuild-packaging/deb/rules b/pscheduler-server/pscheduler-server/unibuild-packaging/deb/rules index 2c555da5e8..5c55975978 100755 --- a/pscheduler-server/pscheduler-server/unibuild-packaging/deb/rules 
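Review bot: Moving `__STORAGEDIR__/__PROG__` out of /run means its contents now survive a reboot or crash, because the packaging in this patch places it under /var and the unit only removes it in `ExecStopPost`. A stale `pid` file (which debug.raw reads) or leftover files in `tmp` can therefore be present at the next start. Consider adding `ExecStartPre=-/bin/rm -rf __STORAGEDIR__/__PROG__` ahead of the `mkdir`, or keeping the pid and options files under /run and moving only `TMPDIR`, since only the temporary space needs to allow execution. The `# Create the run directory` comment should also be reworded to name the storage directory.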
+++ b/pscheduler-server/pscheduler-server/unibuild-packaging/deb/rules @@ -40,7 +40,7 @@ override_dh_auto_build: PGUSER=pscheduler \ PSUSER=pscheduler \ ARCHIVERDEFAULTDIR=/etc/pscheduler/default-archives \ - RUNDIR=/var/run/pscheduler-server \ + STORAGEDIR=/var/pscheduler-server \ VAR=/var make -C utilities \ @@ -69,6 +69,7 @@ override_dh_auto_install: DAEMONDIR=$(ROOT)/usr/lib/pscheduler/daemons \ COMMANDDIR=$(ROOT)/usr/lib/pscheduler/commands \ INTERNALSDIR=$(ROOT)/usr/lib/pscheduler/internals \ + STORAGEDIR=$(ROOT)/usr/lib/pscheduler/internals \ install make -C utilities \ @@ -91,7 +92,7 @@ override_dh_auto_install: PREFIX=$(ROOT) \ DSN_FILE=/etc/pscheduler/database/database-dsn \ LIMITS_FILE=/etc/pscheduler/limits.conf \ - RUN_DIR=/var/run/pscheduler-server \ + RUN_DIR=/var/pscheduler-server \ PYTHON=$(PYTHON) \ install cp api-server/*.py api-server/*.wsgi $(ROOT)/usr/share/pscheduler/api-server/ diff --git a/pscheduler-server/pscheduler-server/unibuild-packaging/rpm/pscheduler-server.spec b/pscheduler-server/pscheduler-server/unibuild-packaging/rpm/pscheduler-server.spec index 2b516a14c4..df5fc4ba1b 100644 --- a/pscheduler-server/pscheduler-server/unibuild-packaging/rpm/pscheduler-server.spec +++ b/pscheduler-server/pscheduler-server/unibuild-packaging/rpm/pscheduler-server.spec @@ -111,7 +111,7 @@ The pScheduler server %define server_conf_dir %{_pscheduler_sysconfdir} # Runtime space for PID files and debug flags. -%define run_dir %{_rundir}/%{name} +%define storage_dir %{_localstatedir}/%{name} # Note that we want this here because it seems to work well without # assistance on systems where selinux is enabled. Anywhere else and @@ -160,7 +160,7 @@ make -C daemons \ PGUSER=%{_pscheduler_database_user} \ PSUSER=%{_pscheduler_user} \ ARCHIVERDEFAULTDIR=%{archiver_default_dir} \ - RUNDIR=%{run_dir} \ + STORAGEDIR=%{storage_dir} \ VAR=%{_var} # 
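Review bot: In `override_dh_auto_install` the added `STORAGEDIR=$(ROOT)/usr/lib/pscheduler/internals` repeats the `INTERNALSDIR` value on the line above it, while the build step in this same file passes `/var/pscheduler-server`. Combined with the Makefile's new `chmod 700 $(STORAGEDIR)`, this would set the internals directory to mode 700 and leave the real storage directory out of the package. It looks like a copy-paste slip and probably should read `STORAGEDIR=$(ROOT)/var/pscheduler-server \`. Unlike the RPM spec's `%attr(700,...)` entry, nothing visible here gives the directory to the pscheduler user, so a maintainer-script step may be needed for ownership.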
@@ -245,6 +245,7 @@ make -C daemons \ DAEMONDIR=$RPM_BUILD_ROOT/%{_pscheduler_daemons} \ COMMANDDIR=$RPM_BUILD_ROOT/%{_pscheduler_commands} \ INTERNALSDIR=$RPM_BUILD_ROOT/%{_pscheduler_internals} \ + STORAGEDIR=$RPM_BUILD_ROOT/%{storage_dir} \ install mkdir -p $RPM_BUILD_ROOT/%{archiver_default_dir} @@ -612,6 +613,7 @@ systemctl reload-or-try-restart postgresql %defattr(-,root,root,-) %license LICENSE +%attr(700,%{_pscheduler_user},%{_pscheduler_group})%verify(user group mode) %{storage_dir} %attr(755,%{_pscheduler_user},%{_pscheduler_group})%verify(user group mode) %{daemon_config_dir} %attr(600,%{_pscheduler_user},%{_pscheduler_group})%verify(user group mode) %config(noreplace) %{daemon_config_dir}/* %{_unitdir}/* From 201bd32e6c3fe99d909aa952f4ac66cdca563de3 Mon Sep 17 00:00:00 2001 From: Mark Feit Date: Wed, 5 Jun 2024 12:57:17 +0000 Subject: [PATCH 2/2] Remove ChainedExecRunner temp files when finished. Found during #1436. --- python-pscheduler/pscheduler/pscheduler/program.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/python-pscheduler/pscheduler/pscheduler/program.py b/python-pscheduler/pscheduler/pscheduler/program.py index a579dbca5c..bfa2585fc1 100644 --- a/python-pscheduler/pscheduler/pscheduler/program.py +++ b/python-pscheduler/pscheduler/pscheduler/program.py @@ -422,7 +422,7 @@ def run(self, for remove in self.stages: try: - pass # os.unlink(remove) + os.unlink(remove) except IOError: pass # This is best effort only.
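Review bot: `except IOError:` around the re-enabled `os.unlink(remove)` works on Python 3 only because `IOError` is an alias of `OSError`; writing `except OSError:` states the intent directly. The enclosing `run()` starts and ends outside the hunk, so it is not visible whether this loop is reached when an earlier stage raises. If it is not, the staged files would remain in the temporary directory, and moving the loop into a `finally:` block would cover that path.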