From 578eb90e6989ad4b468c7c73b1379fc05ddbed24 Mon Sep 17 00:00:00 2001
From: Darren 'Tadgy' Austin
Date: Sat, 23 May 2026 23:51:18 +0100
Subject: [PATCH 1/3] Move where umask is used.

---
 mirror-wrapper | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/mirror-wrapper b/mirror-wrapper
index 9f9c532..8c6641a 100755
--- a/mirror-wrapper
+++ b/mirror-wrapper
@@ -26,6 +26,9 @@ notify() {
 return 0
 }
 
+# Logs are only for root.
+umask 027
+
 # Only run for the configured mirroring user.
 [[ "$(whoami)" != "$MIRRORING_USER" ]] && {
 printf "%s: %s\\n" "${0##*/}" "must be run by the '$MIRRORING_USER' user - use su to run manually" >&2
@@ -60,9 +63,6 @@ if [[ "$FLOCK" != "$0" ]]; then
 fi
 fi
 
-# Logs are only for root.
-umask 027
-
 # Drop the caches as sometimes old user/groups are cached.
 sudo /opt/sbin/drop-caches
 
From 3eae23d1a80a95d29851190c829c56f02692cc64 Mon Sep 17 00:00:00 2001
From: Darren 'Tadgy' Austin
Date: Sun, 24 May 2026 00:25:36 +0100
Subject: [PATCH 2/3] Slight adjustment to the sg call.

---
 mirror-wrapper | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mirror-wrapper b/mirror-wrapper
index 8c6641a..904047c 100755
--- a/mirror-wrapper
+++ b/mirror-wrapper
@@ -76,7 +76,7 @@ if [[ -n "$WRONG_PERMS" ]]; then
 else
 # Do the mirroring work.
 export MIRRORING_USER
- sg "$DEPOSITORY_GROUP" -c "$COMMAND" "$@" >"$LOGSDIR/$LOGFILE" 2>&1
+ sg "$DEPOSITORY_GROUP" -c "$COMMAND $@" >"$LOGSDIR/$LOGFILE" 2>&1
 ERR="$?"
 fi
 
From 8349b685f1133ef3ecbccea69f6c7b5141ea088c Mon Sep 17 00:00:00 2001
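Review bot: The comment `# Logs are only for root.` on the relocated `umask 027` is misleading: that mask leaves new files readable by their owner and group, and the very next check makes the script exit unless it runs as `$MIRRORING_USER`, so the logs end up owned by that user rather than root. Something like `# Restrictive umask: nothing created from here on is accessible to "other".` would describe it accurately. Because the call now sits above the locking block, the mask also applies to anything that block creates; that code is outside this hunk, so confirm the lock file still gets the mode you expect.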
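Review bot: `"$COMMAND $@"` in the mirror-wrapper `sg` call does not build one command string when more than one argument is given: inside double quotes `$@` still expands to separate words, so `sg` receives `-c "$COMMAND arg1"` followed by `arg2 ...` as extra operands (ShellCheck SC2145). Whatever does reach `-c` is then parsed a second time by the shell that `sg` starts, so an argument containing spaces, globs or shell metacharacters is split or interpreted instead of being passed through literally. Quote each word before joining, e.g. `printf -v CMDLINE '%q ' "$COMMAND" "$@"` followed by `sg "$DEPOSITORY_GROUP" -c "$CMDLINE" >"$LOGSDIR/$LOGFILE" 2>&1`; `%q` emits bash-style quoting, so confirm the shell `sg` invokes accepts it. The same re-parsing applies to `"$COMMAND ${1:-update}"` in the last sbosrcarch-wrapper hunk of patch 3, which also silently drops every argument after the first where the old code passed `"${@:-update}"`. The enclosing if/else starts outside this hunk.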
From: Darren 'Tadgy' Austin
Date: Sun, 24 May 2026 00:32:48 +0100
Subject: [PATCH 3/3] Various changes to sbosrcarch-wrapper.

* Introduce a test to make sure the script is being run by the correct user.
* Do all testing before locking.
* Drop disk caches before starting work.
* Check for files with the wrong owner/group before doing a sync.
* Run the mirror script with the configured group as primary.
---
 sbosrcarch-wrapper | 62 +++++++++++++++++++++++++++++-----------------
 1 file changed, 39 insertions(+), 23 deletions(-)

diff --git a/sbosrcarch-wrapper b/sbosrcarch-wrapper
index cb37760..d4d749b 100755
--- a/sbosrcarch-wrapper
+++ b/sbosrcarch-wrapper
@@ -3,6 +3,9 @@
 
 # Configuration.
 COMMAND="/opt/bin/sbosrcarch"
+DEPOSITORY="/data/depository/sbosrcarch"
+SBOSRCARCH_USER="sbosrcarch"
+DEPOSITORY_GROUP="depository"
 LOGSDIR="/var/log/duplication/sbosrcarch/$(printf "%(%Y/%m)T")"
 LOGFILE="$(printf "%(%Y%m%d-%H%M%S)T")-$$"
 # Where from/to to send emails. Comment for no emailing.
@@ -22,9 +25,25 @@ notify() {
 return 0
 }
 
-# Don't run as root!
-(( $(id -u) == 0 )) && {
- printf "%s: %s\\n" "${0##*/}" "don't run me as root - it messes up permissions!" >&2
+# Logs are only for root.
+umask 027
+
+# Only run for the configured sbosrcarch user.
+[[ "$(whoami)" != "$SBOSRCARCH_USER" ]] && {
+ printf "%s: %s\\n" "${0##*/}" "must be run by the '$SBOSRCARCH_USER' user - use su to run manually" >&2
+ exit 1
+}
+
+# Make sure the logs directory exists.
+# shellcheck disable=SC2174
+mkdir -p -m 750 "$LOGSDIR" 2>/dev/null || {
+ printf "%s: %s\\n" "${0##*/}" "Failed to create logs directory '$LOGSDIR'" >&2
+ exit 1
+}
+
+# Make sure the command to do the work is runnable.
+[[ ! -x "$COMMAND" ]] && {
+ printf "%s: %s\\n" "${0##*/}" "'$COMMAND' is not executable" >&2
 exit 1
 }
 
@@ -43,27 +62,24 @@ if [[ "$FLOCK" != "$0" ]]; then
 fi
 fi
 
-# Logs are only for root.
-umask 027
+# Drop the caches as sometimes old user/groups are cached.
+sudo /opt/sbin/drop-caches
 
-# Make sure the logs directory exists.
-# shellcheck disable=SC2174
-mkdir -p -m 750 "$LOGSDIR" 2>/dev/null || {
- printf "%s: %s\\n" "${0##*/}" "Failed to create logs directory '$LOGSDIR'" >&2
- exit 1
-}
-
-# Make sure the command to do the work is runnable.
-[[ ! -x "$COMMAND" ]] && {
- printf "%s: %s\\n" "${0##*/}" "'$COMMAND' is not executable" >&2
- exit 1
-}
-
-# Do the sbosrcarch work.
-"$COMMAND" "${@:-update}" >"$LOGSDIR/$LOGFILE" 2>&1
-ERR="$?"
-printf "\\n" >>"$LOGSDIR/$LOGFILE"
-"$COMMAND" "status" >>"$LOGSDIR/$LOGFILE" 2>&1
+# Make sure there's no errant ownerships.
+#WRONG_PERMS="$(find "$DEPOSITORY" \( \! -user "$SBOSRCARCH_USER" -o \! -group "$DEPOSITORY_GROUP" \) -a \! -path "$DEPOSITORY" -printf "%u:%g\t%P\n")"
+if [[ -n "$WRONG_PERMS" ]]; then
+ printf "%s\\n" "This run has been aborted!" >"$LOGSDIR/$LOGFILE"
+ printf "%s\\n" "The following files in have errant permissions:" >>"$LOGSDIR/$LOGFILE"
+ printf "%s\\n" "$WRONG_PERMS" >>"$LOGSDIR/$LOGFILE"
+ ERR=-1
+else
+ # Do the sbosrcarch work.
+ sg "$DEPOSITORY_GROUP" -c "$COMMAND ${1:-update}" >"$LOGSDIR/$LOGFILE" 2>&1
+ ERR="$?"
+ printf "\\n" >>"$LOGSDIR/$LOGFILE"
+ sg "$DEPOSITORY_GROUP" -c "$COMMAND status" >>"$LOGSDIR/$LOGFILE" 2>&1
+ (( ERR += $? ))
+fi
 
 # Tell the sysadmin what went on.
 if (( "$ERR" == 0 )); then
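Review bot: The ownership guard added here cannot fire, because the assignment that would populate `WRONG_PERMS` is committed commented out (`#WRONG_PERMS="$(find ...)"`) while `if [[ -n "$WRONG_PERMS" ]]` still tests it; nothing else in the visible hunks sets the variable. The sync therefore always runs, unless a value is inherited from the caller's environment, which does not match the commit message's "Check for files with the wrong owner/group before doing a sync". Either enable the `find` line or, while it stays disabled, put `WRONG_PERMS=""` before the test with a comment saying why the check is off. Also in this hunk, the exit status of `sudo /opt/sbin/drop-caches` is ignored and the log text `"The following files in have errant permissions:"` appears to be missing the path after "in". The `if (( "$ERR" == 0 )); then` block at the end continues outside the hunk.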