Attachment #11111 for bug #56505

View | Details | Raw Unified | Return to bug 56505
Collapse All | Expand All

Lines 1-3 Link Here

(-)a/services/univention-samba4/debian/changelog (+6 lines)
		1	univention-samba4 (9.0.13-8) unstable; urgency=low
		2
		3	* Bug #: Fix copyright violation in univention-samba4-backup
		4
		5	-- Philipp Hahn <hahn@univention.de> Wed, 30 Aug 2023 11:04:07 +0200
		6
1	univention-samba4 (9.0.13-7) unstable; urgency=medium	7	univention-samba4 (9.0.13-7) unstable; urgency=medium
2		8
3	* Bug #56499: Restrict access to /var/univention-backup/samba	9	* Bug #56499: Restrict access to /var/univention-backup/samba




# License with the Debian GNU/Linux or Univention distribution in file
# /usr/share/common-licenses/AGPL-3; if not, see
# <https://www.gnu.org/licenses/>.
#
# Copyright (C) Matthieu Patou <mat@matws.net> 2010-2011
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <https://www.gnu.org/licenses/>.
#
# Revised 2013-09-25, Brian Martin, as follows:
#    - Allow retention period ("DAYS") to be specified as a parameter.
#    - Allow individual positional parameters to be left at the default
#      by specifying "-"
#    - Use IS0 8601 standard dates (yyyy-mm-dd instead of mmddyyyy).
#    - Display tar exit codes when reporting errors.
#    - Don't send error messages to /dev/null, so we know what failed.
#    - Suppress useless tar "socket ignored" message.
#    - Fix retention period bug when deleting old backups ($DAYS variable
#      could be set, but was ignored).

set -e -u
umask 0077

FROMWHERE='/var/lib/samba'
WHERE='/var/univention-backup/samba'
DAYS=''
WHEN="$(date +%Y-%m-%d)"

display_help () {
	cat <<-EOL
		${0##*/} backups the Samba provision directory

		Syntax:
		    ${0##*/} [options]

		Options:
		    --help|-h                   display this message
		    --where|-w <DIR>            backup directory (default: $WHERE)
		    --from-where|-f <DIR>       Samba provision directory (default: $FROMWHERE)
		    --days|-d <INT>             retention period for old backups in days
	EOL
	exit "${1:-0}"
}

die () {
	echo "$*" >&2
	exit 1
}

opts="$(getopt -o 'f:w:d:h' -l 'from-where:,where:,days:,help' -- "$@")" ||
	display_help 2
eval set -- "$opts"
while true
do
IGNORE_TDBS=()
IGNORE_TDBS+=(netlogon_creds_cli.tdb)

while [ $# -gt 0 ]; do
	case "$1" in
		--from-where|-f)
			FROMWHERE="$2"
			shift 2
			;;
		--where|-w)
			WHERE="$2"
			shift 2
			;;
		--days|-d)
			DAYS="$2"
			[ "$DAYS" -ge 0 ] 2>/dev/null ||
				die "--days: number expected"
			shift 2
				exit 1
			fi
			shift 2 || exit 2
			;;
		--help|-h)
			display_help 0
			;;
		--)
			shift
			break
			;;
		*)
			display_help 1
			exit 1
			;;
	esac
done

cd "$FROMWHERE" ||
	die "Missing or wrong provision directory $FROMWHERE"

install -o root -g root -m 700 -d "$WHERE" ||
	die "Missing backup directory $WHERE"

# shellcheck source=/dev/null
. /usr/share/univention-lib/backup.sh

backup () {
	local out="${WHERE}/samba4_${name//\//_}.${WHEN}.tar.bz2"
	# Run the backup.
	#    --warning=no-file-ignored set to suppress "socket ignored" messages.
	#    --warning=no-file-changed set to suppress "file changed as we read it" messages.
	tar -c -j -f "${out}" \
		--warning=no-file-ignored \
		--warning=no-file-changed \
		"$@"
	# Ignore 1 - sysvol may change
	case "$?" in
	0|1) return 0 ;;
	*) die "Error while archiving ${out} - status = $?"
	esac
}

for name in private sysvol
do
	dir="$(find . -type d -name "$name" -printf '%P' -quit)"
	[ -d "$dir" ] ||
		continue
	if [ "$dir" = "private" ]; then
		find "$dir" -name "*.[tl]db.bak" -delete
		find "$PWD/$dir" -name "*.[tl]db" -not -name netlogon_creds_cli.tdb -exec tdbbackup {} + ||
			die "Error while backing up $PWD/$dir with tdbbackup - status $?"
		backup \
					test "$(basename $file)" = "$i" && ignore=true && break
				done
				if ! $ignore; then
					tdbbackup $file
					Status=$?
					if [ $Status -ne 0 ]; then
						terminate_on_error "Error while backing up $file with tdbbackup - status $Status"
					fi
				fi
			done
		done
		# Run the backup.
		#    --warning=no-file-ignored set to suppress "socket ignored" messages.
		#    --warning=no-file-changed set to suppress "file changed as we read it" messages.
		install -o root -g root -m 600 /dev/null "${WHERE}/samba4_${n}.${WHEN}.tar.bz2"
		tar cjf ${WHERE}/samba4_${n}.${WHEN}.tar.bz2 \
			--exclude=smbd.tmp \
			--exclude='*.ldb' \
			--exclude='*.tdb' \
			--warning=no-file-ignored \
			--warning=no-file-changed \
			--transform 's/.ldb.bak$/.ldb/' \
			--transform 's/.tdb.bak$/.tdb/' \
			"$dir"
		find "$dir" -name "*.[tl]db.bak" -delete
		if [ $Status -ne 0 -a $Status -ne 1 ]; then
			# Ignore 1 - private dir is always changing.
			terminate_on_error "Error while archiving ${WHERE}/samba4_${n}.${WHEN}.tar.bz2 - status = $Status"
		fi
		for db in tdb ldb; do
			find $relativedirname -name "*.$db.bak" -exec rm {} \;
		done
	else
		backup "$dir"
		#    --warning=no-file-ignored set to suppress "socket ignored" messages.
		#    --warning=no-file-changed set to suppress "file changed as we read it" messages.
		install -o root -g root -m 600 /dev/null "${WHERE}/${n}.${WHEN}.tar.bz2"
		tar cjf ${WHERE}/${n}.${WHEN}.tar.bz2  $relativedirname \
			--warning=no-file-ignored \
			--warning=no-file-changed
		Status=$?
		if [ $Status -ne 0 -a $Status -ne 1 ]; then
			# Ignore 1 - sysvol may change
			terminate_on_error "Error while archiving ${WHERE}/${n}.${WHEN}.tar.bz2 - status = $Status"
		fi
	fi
done

- 

Return to bug 56505

Lines 32-188 Link Here

(-)a/services/univention-samba4/sbin/univention-samba4-backup (-123 / +78 lines)
32	# License with the Debian GNU/Linux or Univention distribution in file	32	# License with the Debian GNU/Linux or Univention distribution in file
33	# /usr/share/common-licenses/AGPL-3; if not, see	33	# /usr/share/common-licenses/AGPL-3; if not, see
34	# <https://www.gnu.org/licenses/>.	34	# <https://www.gnu.org/licenses/>.
35	#
36	# Copyright (C) Matthieu Patou <mat@matws.net> 2010-2011
37	#
38	# This program is free software; you can redistribute it and/or modify
39	# it under the terms of the GNU General Public License as published by
40	# the Free Software Foundation; either version 3 of the License, or
41	# (at your option) any later version.
42	#
43	# This program is distributed in the hope that it will be useful,
44	# but WITHOUT ANY WARRANTY; without even the implied warranty of
45	# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
46	# GNU General Public License for more details.
47	#
48	# You should have received a copy of the GNU General Public License
49	# along with this program. If not, see <https://www.gnu.org/licenses/>.
50	#
51	# Revised 2013-09-25, Brian Martin, as follows:
52	# - Allow retention period ("DAYS") to be specified as a parameter.
53	# - Allow individual positional parameters to be left at the default
54	# by specifying "-"
55	# - Use IS0 8601 standard dates (yyyy-mm-dd instead of mmddyyyy).
56	# - Display tar exit codes when reporting errors.
57	# - Don't send error messages to /dev/null, so we know what failed.
58	# - Suppress useless tar "socket ignored" message.
59	# - Fix retention period bug when deleting old backups ($DAYS variable
60	# could be set, but was ignored).
61		35
62	. /usr/share/univention-lib/backup.sh	36	set -e -u
		37	umask 0077
		38
		39	FROMWHERE='/var/lib/samba'
		40	WHERE='/var/univention-backup/samba'
		41	DAYS=''
		42	WHEN="$(date +%Y-%m-%d)"
63		43
64	display_help() {	44	display_help () {
65	cat <<-EOL	45	cat <<-EOL
66	univention-samba4-backup: backups the samba provision directory	46	${0##*/} backups the Samba provision directory
67		47
68	Syntax:	48	Syntax:
69	univention-samba4-backup [options]	49	${0##*/} [options]
70		50
71	Options:	51	Options:
72	--help\|-h display this message	52	--help\|-h display this message
73	--where\|-w <DIR> backup directory	53	--where\|-w <DIR> backup directory (default: $WHERE)
74	--from-where\|-f <DIR> samba provision directory	54	--from-where\|-f <DIR> Samba provision directory (default: $FROMWHERE)
75	--days\|-d <INT> retention period in days	55	--days\|-d <INT> retention period for old backups in days
76	EOL	56	EOL
		57	exit "${1:-0}"
77	}	58	}
78		59
79	terminate_on_error() {	60	die () {
80	>&2 echo "$*"	61	echo "$*" >&2
81	exit 1	62	exit 1
82	}	63	}
83		64
84	FROMWHERE=/var/lib/samba	65	opts="$(getopt -o 'f:w:d:h' -l 'from-where:,where:,days:,help' -- "$@")" \|\|
85	WHERE=/var/univention-backup/samba	66	display_help 2
86	DAYS=""	67	eval set -- "$opts"
87	DIRS="private sysvol"	68	while true
88	WHEN="$(date +%Y-%m-%d)"	69	do
89	IGNORE_TDBS=()
90	IGNORE_TDBS+=(netlogon_creds_cli.tdb)
91
92	while [ $# -gt 0 ]; do
93	case "$1" in	70	case "$1" in
94	"--from-where"\|"-f")	71	--from-where\|-f)
95	FROMWHERE="${2:?missing parameter for $1}"	72	FROMWHERE="$2"
96	shift 2 \|\| exit 2	73	shift 2
97	;;	74	;;
98	"--where"\|"-w")	75	--where\|-w)
99	WHERE="${2:?missing parameter for $1}"	76	WHERE="$2"
100	shift 2 \|\| exit 2	77	shift 2
101	;;	78	;;
102	"--days"\|"-d")	79	--days\|-d)
103	DAYS="${2:?missing parameter for $1}"	80	DAYS="$2"
104	[ $DAYS -eq $DAYS ] 2>/dev/null	81	[ "$DAYS" -ge 0 ] 2>/dev/null \|\|
105	if [ ! $? -eq 0 ]; then	82	die "--days: number expected"
106	display_help	83	shift 2
107	exit 1
108	fi
109	shift 2 \|\| exit 2
110	;;	84	;;
111	"--help"\|"-h"\|"-?")	85	--help\|-h)
112	display_help	86	display_help 0
113	exit 0	87	;;
		88	--)
		89	shift
		90	break
114	;;	91	;;
115	*)	92	*)
116	display_help	93	display_help 1
117	exit 1
118	;;	94	;;
119	esac	95	esac
120	done	96	done
121		97
122	if [ ! -d $WHERE ]; then	98	cd "$FROMWHERE" \|\|
123	terminate_on_error "Missing backup directory $WHERE"	99	die "Missing or wrong provision directory $FROMWHERE"
124	fi	100
125	install -o root -g root -m 700 -d "$WHERE"	101	install -o root -g root -m 700 -d "$WHERE" \|\|
		102	die "Missing backup directory $WHERE"
126		103
127	if [ ! -d $FROMWHERE ]; then	104	# shellcheck source=/dev/null
128	terminate_on_error "Missing or wrong provision directory $FROMWHERE"	105	. /usr/share/univention-lib/backup.sh
129	fi	106
		107	backup () {
		108	local out="${WHERE}/samba4_${name//\//_}.${WHEN}.tar.bz2"
		109	# Run the backup.
		110	# --warning=no-file-ignored set to suppress "socket ignored" messages.
		111	# --warning=no-file-changed set to suppress "file changed as we read it" messages.
		112	tar -c -j -f "${out}" \
		113	--warning=no-file-ignored \
		114	--warning=no-file-changed \
		115	"$@"
		116	# Ignore 1 - sysvol may change
		117	case "$?" in
		118	0\|1) return 0 ;;
		119	*) die "Error while archiving ${out} - status = $?"
		120	esac
		121	}
130		122
131	cd $FROMWHERE	123	for name in private sysvol
132	for d in $DIRS; do	124	do
133	relativedirname=`find . -type d -name "$d" -prune`	125	dir="$(find . -type d -name "$name" -printf '%P' -quit)"
134	n=`echo $d \| sed 's/\//_/g'`	126	[ -d "$dir" ] \|\|
135	if [ "$d" = "private" ]; then	127	continue
136	for db in tdb ldb; do	128	if [ "$dir" = "private" ]; then
137	find $relativedirname -name "*.$db.bak" -exec rm {} \;	129	find "$dir" -name "*.[tl]db.bak" -delete
138	for file in `find $relativedirname -name "*.$db"`; do	130	find "$PWD/$dir" -name "*.[tl]db" -not -name netlogon_creds_cli.tdb -exec tdbbackup {} + \|\|
139	ignore=false	131	die "Error while backing up $PWD/$dir with tdbbackup - status $?"
140	for i in ${IGNORE_TDBS[@]}; do	132	backup \
141	test "$(basename $file)" = "$i" && ignore=true && break
142	done
143	if ! $ignore; then
144	tdbbackup $file
145	Status=$?
146	if [ $Status -ne 0 ]; then
147	terminate_on_error "Error while backing up $file with tdbbackup - status $Status"
148	fi
149	fi
150	done
151	done
152	# Run the backup.
153	# --warning=no-file-ignored set to suppress "socket ignored" messages.
154	# --warning=no-file-changed set to suppress "file changed as we read it" messages.
155	install -o root -g root -m 600 /dev/null "${WHERE}/samba4_${n}.${WHEN}.tar.bz2"
156	tar cjf ${WHERE}/samba4_${n}.${WHEN}.tar.bz2 \
157	--exclude=smbd.tmp \	133	--exclude=smbd.tmp \
158	--exclude=\*.ldb \	134	--exclude='*.ldb' \
159	--exclude=\*.tdb \	135	--exclude='*.tdb' \
160	--warning=no-file-ignored \
161	--warning=no-file-changed \
162	--transform 's/.ldb.bak$/.ldb/' \	136	--transform 's/.ldb.bak$/.ldb/' \
163	--transform 's/.tdb.bak$/.tdb/' \	137	--transform 's/.tdb.bak$/.tdb/' \
164	$relativedirname	138	"$dir"
165	Status=$?	139	find "$dir" -name "*.[tl]db.bak" -delete
166	if [ $Status -ne 0 -a $Status -ne 1 ]; then
167	# Ignore 1 - private dir is always changing.
168	terminate_on_error "Error while archiving ${WHERE}/samba4_${n}.${WHEN}.tar.bz2 - status = $Status"
169	fi
170	for db in tdb ldb; do
171	find $relativedirname -name "*.$db.bak" -exec rm {} \;
172	done
173	else	140	else
174	# Run the backup.	141	backup "$dir"
175	# --warning=no-file-ignored set to suppress "socket ignored" messages.
176	# --warning=no-file-changed set to suppress "file changed as we read it" messages.
177	install -o root -g root -m 600 /dev/null "${WHERE}/${n}.${WHEN}.tar.bz2"
178	tar cjf ${WHERE}/${n}.${WHEN}.tar.bz2 $relativedirname \
179	--warning=no-file-ignored \
180	--warning=no-file-changed
181	Status=$?
182	if [ $Status -ne 0 -a $Status -ne 1 ]; then
183	# Ignore 1 - sysvol may change
184	terminate_on_error "Error while archiving ${WHERE}/${n}.${WHEN}.tar.bz2 - status = $Status"
185	fi
186	fi	142	fi
187	done	143	done
188		144
189	-