Attachment #11111 for bug #56505

View | Details | Raw Unified | Return to bug 56505
Collapse All | Expand All

(-)a/services/univention-samba4/debian/changelog (+6 lines)

Lines 1-3	Link Here

univention-samba4 (9.0.13-8) unstable; urgency=low

  * Bug #: Fix copyright violation in univention-samba4-backup

 -- Philipp Hahn <hahn@univention.de>  Wed, 30 Aug 2023 11:04:07 +0200

univention-samba4 (9.0.13-7) unstable; urgency=medium

univention-samba4 (9.0.13-7) unstable; urgency=medium

  * Bug #56499: Restrict access to /var/univention-backup/samba

  * Bug #56499: Restrict access to /var/univention-backup/samba




# License with the Debian GNU/Linux or Univention distribution in file
# /usr/share/common-licenses/AGPL-3; if not, see
# <https://www.gnu.org/licenses/>.
#
# Copyright (C) Matthieu Patou <mat@matws.net> 2010-2011
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <https://www.gnu.org/licenses/>.
#
# Revised 2013-09-25, Brian Martin, as follows:
#    - Allow retention period ("DAYS") to be specified as a parameter.
#    - Allow individual positional parameters to be left at the default
#      by specifying "-"
#    - Use IS0 8601 standard dates (yyyy-mm-dd instead of mmddyyyy).
#    - Display tar exit codes when reporting errors.
#    - Don't send error messages to /dev/null, so we know what failed.
#    - Suppress useless tar "socket ignored" message.
#    - Fix retention period bug when deleting old backups ($DAYS variable
#      could be set, but was ignored).

set -e -u
umask 0077

FROMWHERE='/var/lib/samba'
WHERE='/var/univention-backup/samba'
DAYS=''
WHEN="$(date +%Y-%m-%d)"

display_help () {
	cat <<-EOL
		${0##*/} backups the Samba provision directory

		Syntax:
		    ${0##*/} [options]

		Options:
		    --help|-h                   display this message
		    --where|-w <DIR>            backup directory (default: $WHERE)
		    --from-where|-f <DIR>       Samba provision directory (default: $FROMWHERE)
		    --days|-d <INT>             retention period for old backups in days
	EOL
	exit "${1:-0}"
}

die () {
	echo "$*" >&2
	exit 1
}

opts="$(getopt -o 'f:w:d:h' -l 'from-where:,where:,days:,help' -- "$@")" ||
	display_help 2
eval set -- "$opts"
while true
do
IGNORE_TDBS=()
IGNORE_TDBS+=(netlogon_creds_cli.tdb)

while [ $# -gt 0 ]; do
	case "$1" in
		--from-where|-f)
			FROMWHERE="$2"
			shift 2
			;;
		--where|-w)
			WHERE="$2"
			shift 2
			;;
		--days|-d)
			DAYS="$2"
			[ "$DAYS" -ge 0 ] 2>/dev/null ||
				die "--days: number expected"
			shift 2
				exit 1
			fi
			shift 2 || exit 2
			;;
		--help|-h)
			display_help 0
			;;
		--)
			shift
			break
			;;
		*)
			display_help 1
			exit 1
			;;
	esac
done

cd "$FROMWHERE" ||
	die "Missing or wrong provision directory $FROMWHERE"

install -o root -g root -m 700 -d "$WHERE" ||
	die "Missing backup directory $WHERE"

# shellcheck source=/dev/null
. /usr/share/univention-lib/backup.sh

backup () {
	local out="${WHERE}/samba4_${name//\//_}.${WHEN}.tar.bz2"
	# Run the backup.
	#    --warning=no-file-ignored set to suppress "socket ignored" messages.
	#    --warning=no-file-changed set to suppress "file changed as we read it" messages.
	tar -c -j -f "${out}" \
		--warning=no-file-ignored \
		--warning=no-file-changed \
		"$@"
	# Ignore 1 - sysvol may change
	case "$?" in
	0|1) return 0 ;;
	*) die "Error while archiving ${out} - status = $?"
	esac
}

for name in private sysvol
do
	dir="$(find . -type d -name "$name" -printf '%P' -quit)"
	[ -d "$dir" ] ||
		continue
	if [ "$dir" = "private" ]; then
		find "$dir" -name "*.[tl]db.bak" -delete
		find "$PWD/$dir" -name "*.[tl]db" -not -name netlogon_creds_cli.tdb -exec tdbbackup {} + ||
			die "Error while backing up $PWD/$dir with tdbbackup - status $?"
		backup \
					test "$(basename $file)" = "$i" && ignore=true && break
				done
				if ! $ignore; then
					tdbbackup $file
					Status=$?
					if [ $Status -ne 0 ]; then
						terminate_on_error "Error while backing up $file with tdbbackup - status $Status"
					fi
				fi
			done
		done
		# Run the backup.
		#    --warning=no-file-ignored set to suppress "socket ignored" messages.
		#    --warning=no-file-changed set to suppress "file changed as we read it" messages.
		install -o root -g root -m 600 /dev/null "${WHERE}/samba4_${n}.${WHEN}.tar.bz2"
		tar cjf ${WHERE}/samba4_${n}.${WHEN}.tar.bz2 \
			--exclude=smbd.tmp \
			--exclude='*.ldb' \
			--exclude='*.tdb' \
			--warning=no-file-ignored \
			--warning=no-file-changed \
			--transform 's/.ldb.bak$/.ldb/' \
			--transform 's/.tdb.bak$/.tdb/' \
			"$dir"
		find "$dir" -name "*.[tl]db.bak" -delete
		if [ $Status -ne 0 -a $Status -ne 1 ]; then
			# Ignore 1 - private dir is always changing.
			terminate_on_error "Error while archiving ${WHERE}/samba4_${n}.${WHEN}.tar.bz2 - status = $Status"
		fi
		for db in tdb ldb; do
			find $relativedirname -name "*.$db.bak" -exec rm {} \;
		done
	else
		backup "$dir"
		#    --warning=no-file-ignored set to suppress "socket ignored" messages.
		#    --warning=no-file-changed set to suppress "file changed as we read it" messages.
		install -o root -g root -m 600 /dev/null "${WHERE}/${n}.${WHEN}.tar.bz2"
		tar cjf ${WHERE}/${n}.${WHEN}.tar.bz2  $relativedirname \
			--warning=no-file-ignored \
			--warning=no-file-changed
		Status=$?
		if [ $Status -ne 0 -a $Status -ne 1 ]; then
			# Ignore 1 - sysvol may change
			terminate_on_error "Error while archiving ${WHERE}/${n}.${WHEN}.tar.bz2 - status = $Status"
		fi
	fi
done

- 

Return to bug 56505