permissioner

@@ -10,9 +10,6 @@

 /// configuration file

 class Config {

 public:

-  /// map of trees

-  typedef std::map<boost::filesystem::path, Tree> TreeMap;

-

   /**

    * @brief parse configuration file

    * @param[in] configFileName name of configuation file

@@ -23,6 +20,11 @@ public:

   /// return trees

   TreeMap const & getTrees() const;

+  /**

+   * @brief set owners and permissions of files in trees

+   */

+  void setPermissions() const;

+

 protected:

   TreeMap trees;

 };

@@ -1,6 +1,7 @@

 #ifndef PERMISSIONS_H

 #define PERMISSIONS_H

+#include <boost/filesystem.hpp>

 #include <cstdint>

 #include <string>

@@ -23,6 +24,16 @@ public:

    */

   void parseParams(std::string const &paramStr);

+  /**

+   * @brief apply paermissions to file or directory

+   * @param[in] path path to file or directory

+   */

+  void apply(boost::filesystem::path const &path) const;

+

+protected:

+  /// convert flags into boost filesystem permissions

+  static boost::filesystem::perms flags2perms(Flags flags);

+

 protected:

   Flags set = 0;       ///< permissions to set

   Flags setCond = 0;   ///< permissions to set conditionally on usrexec/dir

@@ -6,8 +6,12 @@

 #include <permissioner/User.h>

 #include <boost/filesystem.hpp>

+#include <map>

 #include <string>

+/// map of trees

+typedef std::map<boost::filesystem::path, class Tree> TreeMap;

+

 /// directory tree configuration

 class Tree {

 public:

@@ -30,6 +34,27 @@ public:

   /// get root path

   boost::filesystem::path const & getRoot() const;

+  /**

+   * @brief set owners and permissions of files in tree

+   * @param[in] exclude map of other trees that shall be excluded

+   */

+  void setPermissions(TreeMap const &exclude) const;

+

+protected:

+  /**

+   * @brief set owners and permissions of files in path and subtrees

+   * @param[in] path path to top of directory tree for which to set owner/perms

+   * @param[in] exclude map of other trees that shall be excluded

+   */

+  void setPermissionsInternal(boost::filesystem::path const &path,

+                              TreeMap const &exclude) const;

+

+  /**

+   * @brief set owners and permissions of one file or directory

+   * @param[in] path path to file or directory

+   */

+  void setPermissionsOne(boost::filesystem::path const &path) const;

+

 protected:

   User user;

   Group group;

@@ -43,6 +43,13 @@ void Config::parseFile(std::string const &configFileName) {

   }

 }

-Config::TreeMap const & Config::getTrees() const {

+TreeMap const & Config::getTrees() const {

   return trees;

 }

+

+void Config::setPermissions() const {

+  for (auto const & path_tree : trees) {

+    Tree const & tree = path_tree.second;

+    tree.setPermissions(trees); // exclude all other trees

+  }

+}

@@ -1,5 +1,6 @@

 #include <permissioner/Permissions.h>

+#include <boost/filesystem.hpp>

 #include <sstream>

 #include <stdexcept>

 #include <string>

@@ -77,3 +78,45 @@ void Permissions::parseParams(std::string const &paramStr) {

     }

   }

 }

+

+void Permissions::apply(boost::filesystem::path const &path) const {

+  // only process regular files and directories (especially no symlinks)

+  if (! boost::filesystem::is_regular_file(path) &&

+      ! boost::filesystem::is_directory(path)) {

+    return;

+  }

+

+  // get permissions

+  boost::filesystem::file_status st = boost::filesystem::status(path);

+  boost::filesystem::perms perms = st.permissions();

+

+  // compute updated permissions

+  Flags doSet = set, doClear = clear;

+  if (perms & boost::filesystem::perms::owner_exe) {

+    doSet |= setCond;

+    doClear |= clearCond;

+  }

+  perms &= boost::filesystem::perms::all_all ^ flags2perms(doClear);

+  perms |= flags2perms(doSet);

+

+  // set new permissions if they changed

+  if (perms != st.permissions()) {

+    boost::filesystem::permissions(path, perms);

+  }

+}

+

+boost::filesystem::perms Permissions::flags2perms(Flags flags) {

+  using fsp = boost::filesystem::perms;

+  fsp perms = fsp::no_perms;

+  if (flags & (flagUser * flagRead)) { perms |= fsp::owner_read; }

+  if (flags & (flagUser * flagWrite)) { perms |= fsp::owner_write; }

+  if (flags & (flagUser * flagExecute)) { perms |= fsp::owner_exe; }

+  if (flags & (flagGroup * flagRead)) { perms |= fsp::group_read; }

+  if (flags & (flagGroup * flagWrite)) { perms |= fsp::group_write; }

+  if (flags & (flagGroup * flagExecute)) { perms |= fsp::group_exe; }

+  if (flags & (flagOther * flagRead)) { perms |= fsp::others_read; }

+  if (flags & (flagOther * flagWrite)) { perms |= fsp::others_write; }

+  if (flags & (flagOther * flagExecute)) { perms |= fsp::others_exe; }

+  return perms;

+}

+

@@ -9,6 +9,7 @@

 #include <sstream>

 #include <stdexcept>

 #include <string>

+#include <unistd.h>

 #include <vector>

 void Tree::parseParams(std::string const &paramStr) {

@@ -25,6 +26,7 @@ void Tree::parseParams(std::string const &paramStr) {

     msg << "<root> field missing in \"" << paramStr << "\"";

     throw std::runtime_error(msg.str());

   }

+  rootStr = paramStr.substr(pos);

   try {

     user.parseUserName(userStr);

@@ -78,3 +80,42 @@ Permissions const & Tree::getPermissions() const {

 boost::filesystem::path const & Tree::getRoot() const {

   return root;

 }

+

+void Tree::setPermissions(TreeMap const &exclude) const {

+  setPermissionsInternal(root, exclude);

+}

+

+void Tree::setPermissionsInternal(boost::filesystem::path const &path,

+                                  TreeMap const &exclude) const {

+  try {

+    if (boost::filesystem::is_regular_file(path)) {

+      setPermissionsOne(path);

+    } else if (boost::filesystem::is_directory(path)) {

+      setPermissionsOne(path);

+      for (boost::filesystem::directory_entry entry :

+           boost::filesystem::directory_iterator(path)) {

+        if (exclude.find(entry) != exclude.end()) {

+          continue; // other tree -> skip here

+        }

+        setPermissionsInternal(entry, exclude); // recurse

+      }

+    }

+  } catch (boost::filesystem::filesystem_error const & e) {

+    // ignore filesystem errors for now, as this runs in a daemon in background

+    (void)e;

+  }

+}

+

+void Tree::setPermissionsOne(boost::filesystem::path const &path) const {

+  // change permissions

+  try {

+    permissions.apply(path);

+  } catch (boost::filesystem::filesystem_error const & e) {

+    // ignore filesystem errors for now, as this runs in a daemon in background

+    (void)e;

+  }

+

+  // change owner/group

+  lchown(path.string().c_str(), user.getUid(), group.getGid());

+  // ignore error for now, as this runs in a daemon in background

+}

@@ -1 +1,2 @@

 add_subdirectory(config)

+add_subdirectory(trees)

@@ -13,6 +13,7 @@ add_test(

   NAME

   testConfig

   COMMAND

-  ./testConfig

-  ${CMAKE_CURRENT_SOURCE_DIR}/test.cfg

+  ${CMAKE_CURRENT_BINARY_DIR}/testConfig test.cfg

+  WORKING_DIRECTORY

+  ${CMAKE_CURRENT_SOURCE_DIR}

 )

@@ -1,2 +1,2 @@

-tree nobody nogroup go+rX,go-w /some/dir

-tree - - a=rwx /some/other/dir

+tree nobody nogroup go+rX,go-w some/dir

+tree - - a=rwx some/other/dir

@@ -0,0 +1,17 @@

+add_executable(

+  testTrees

+  testTrees.cpp

+)

+

+target_link_libraries(

+  testTrees

+  PUBLIC

+  permissioner

+)

+

+add_test(

+  NAME

+  testTrees

+  COMMAND

+  ${CMAKE_CURRENT_SOURCE_DIR}/testTrees.bash

+)

@@ -0,0 +1,10 @@

+#! /bin/bash

+

+set -eux -o pipefail

+

+SCRIPT_DIR="$(readlink -f "$(dirname "$0")")"

+

+rm -rf work

+cp -a "$SCRIPT_DIR/work" work

+

+./testTrees "$SCRIPT_DIR/trees.cfg"

@@ -0,0 +1,27 @@

+#include <permissioner/Config.h>

+

+#include <cstdlib>

+#include <iostream> // DEBUG

+#include <unistd.h>

+#include <sys/stat.h>

+

+// mock version of lchown, to see if right files get right owners

+extern "C" int lchown(const char *pathname, uid_t owner, gid_t group) {

+  std::cout << "DEBUG lchown " << pathname << " owner " << owner

+            << " group " << group << std::endl;

+  return 0;

+}

+

+// mock version fo chmod, to see if right files get right permissions

+extern "C" int chmod(const char *pathname, mode_t mode) {

+  std::cout << "DEBUG chmod " << pathname << " mode " << mode << std::endl;

+  return 0;

+}

+

+int main(int argc, char const **argv) {

+  (void)argc;

+  Config config;

+  config.parseFile(argv[1]);

+  config.setPermissions();

+  return EXIT_SUCCESS;

+}

@@ -0,0 +1,2 @@

+tree nobody nogroup g+w work

+tree nobody nogroup o+w work/nested