Fix: unlock database
parent
f664d07c77
commit
63fc1ffd0e
5 changed files with 17 additions and 7 deletions
1
.gitignore
vendored
1
.gitignore
vendored
|
|
@ -5,3 +5,4 @@ __pycache__/
|
||||||
*.egg-info/
|
*.egg-info/
|
||||||
.pytest_cache/
|
.pytest_cache/
|
||||||
*.log
|
*.log
|
||||||
|
lib/erminig.db
|
||||||
|
|
|
||||||
|
|
@ -4,7 +4,9 @@ RUN dnf -y update && \
|
||||||
dnf -y install python3 python3-pip sqlite tar zstd git bash && \
|
dnf -y install python3 python3-pip sqlite tar zstd git bash && \
|
||||||
dnf clean all
|
dnf clean all
|
||||||
|
|
||||||
RUN mkdir -p /var/lib/erminig /var/cache/erminig /opt/erminig
|
RUN useradd -r -s /sbin/nologin -d /var/lib/erminig pak && \
|
||||||
|
mkdir -p /var/lib/erminig /var/cache/erminig /opt/erminig && \
|
||||||
|
chown -R pak:pak /var/lib/erminig /var/cache/erminig /opt/erminig
|
||||||
|
|
||||||
COPY . /opt/erminig
|
COPY . /opt/erminig
|
||||||
|
|
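Review bot: The `chown -R pak:pak` in the new RUN line includes /opt/erminig, the directory that the following `COPY . /opt/erminig` fills with the application code, so the unprivileged account ends up owning the directory the service is loaded from. COPY without `--chown` writes root-owned files, but the directory itself should stay owned by pak, and the owner of a directory can rename or replace the entries in it. If the process starts as root and only drops to pak per call (not visible in this hunk), pak can then change code that root later runs. I would keep /opt/erminig root-owned and limit the ownership change to the data directories: `chown -R pak:pak /var/lib/erminig /var/cache/erminig`.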
||||||
|
|
|
||||||
|
|
@ -7,6 +7,8 @@
|
||||||
# Libre comme l’air, stable comme un menhir, et salé comme le beurre.
|
# Libre comme l’air, stable comme un menhir, et salé comme le beurre.
|
||||||
#
|
#
|
||||||
|
|
||||||
|
import os
|
||||||
|
import pwd
|
||||||
import sqlite3
|
import sqlite3
|
||||||
from erminig.config import Config
|
from erminig.config import Config
|
||||||
|
|
||||||
|
|
@ -20,6 +22,12 @@ def init_db():
|
||||||
conn.executescript(f.read())
|
conn.executescript(f.read())
|
||||||
conn.commit()
|
conn.commit()
|
||||||
conn.close()
|
conn.close()
|
||||||
|
# Attribution au user pak
|
||||||
|
pak_uid = pwd.getpwnam("pak").pw_uid
|
||||||
|
pak_gid = pwd.getpwnam("pak").pw_gid
|
||||||
|
os.chown(Config.DB_PATH, pak_uid, pak_gid)
|
||||||
|
os.chmod(Config.DB_PATH, 0o664)
|
||||||
|
|
||||||
print("Base erminig.db initialisée avec succès.")
|
print("Base erminig.db initialisée avec succès.")
|
||||||
|
|
||||||
|
|
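Review bot: `os.chmod(Config.DB_PATH, 0o664)` leaves the database readable by every local account and writable by the whole pak group; nothing in the hunk needs more than owner access, so `os.chmod(Config.DB_PATH, 0o660)` (or `0o600`) would be the tighter choice. The ownership change covers only the file, while SQLite creates its journal or WAL files next to it, so the directory holding Config.DB_PATH has to be writable by pak as well; that directory is set up elsewhere and deserves a comment here. `pwd.getpwnam("pak")` is looked up twice and raises KeyError when the account is missing, and `os.chown` fails when the caller is not root, both after the schema has already been committed; a single lookup kept in one variable, with the failure reported, would read better. init_db starts outside the hunk.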
||||||
|
|
|
||||||
|
|
@ -39,9 +39,9 @@ def run_as_user(username):
|
||||||
try:
|
try:
|
||||||
pid = os.fork()
|
pid = os.fork()
|
||||||
if pid > 0:
|
if pid > 0:
|
||||||
# Parent
|
# Parent : attendre le child, ne pas exit, juste return proprement
|
||||||
_, status = os.waitpid(pid, 0)
|
_, status = os.waitpid(pid, 0)
|
||||||
return os.WEXITSTATUS(status)
|
return status >> 8 # récupère le code retour du fils (comme exit code)
|
||||||
|
|
||||||
# Child
|
# Child
|
||||||
pw_record = pwd.getpwnam(username)
|
pw_record = pwd.getpwnam(username)
|
||||||
|
|
@ -51,13 +51,12 @@ def run_as_user(username):
|
||||||
os.setgid(user_gid)
|
os.setgid(user_gid)
|
||||||
os.setuid(user_uid)
|
os.setuid(user_uid)
|
||||||
|
|
||||||
# Exécuter la fonction sous l'utilisateur demandé
|
|
||||||
result = func(*args, **kwargs)
|
result = func(*args, **kwargs)
|
||||||
sys.exit(0 if result is None else int(bool(result)))
|
os._exit(0 if result is None else int(bool(result)))
|
||||||
|
|
||||||
except OSError as e:
|
except OSError as e:
|
||||||
print(f"[SECURITY] Fork échoué : {e}")
|
print(f"[SECURITY] Fork échoué : {e}")
|
||||||
sys.exit(1)
|
os._exit(1)
|
||||||
|
|
||||||
return wrapper
|
return wrapper
|
||||||
|
|
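Review bot: `return status >> 8` in the parent branch reads only the exit-code byte of the wait status, so a child that was killed by a signal (low byte set, high byte zero) is reported as 0, the same as a clean run under the target user. Decoding the status explicitly keeps that case visible, for example `return os.waitstatus_to_exitcode(status)` on Python 3.9+, or a check of `os.WIFEXITED(status)` before taking the exit code. In the second hunk the `except OSError` handler now calls `os._exit(1)`; when `os.fork()` itself fails that handler runs in the parent, which then ends without flushing buffers or running cleanup, so the `[SECURITY]` message can be lost when stdout is not a terminal. Indentation is not preserved on this page and wrapper's body starts outside both hunks, so the exact scope of the `try` should be checked against the file.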
||||||
|
|
|
||||||
BIN
lib/erminig.db
BIN
lib/erminig.db
Binary file not shown.