feat: Enhance file permission checks and automatic correction for critical system files
This commit is contained in:
@@ -383,42 +383,100 @@ class EntityValidator:
|
|||||||
return True
|
return True
|
||||||
|
|
||||||
def check_file_permissions(self) -> bool:
|
def check_file_permissions(self) -> bool:
|
||||||
"""Prüfe Dateirechte im custom-Verzeichnis."""
|
"""Prüfe Dateirechte im custom-Verzeichnis und kritischen System-Dateien."""
|
||||||
print_header("6. DATEIRECHTE-PRÜFUNG")
|
print_header("6. DATEIRECHTE-PRÜFUNG")
|
||||||
|
|
||||||
|
# Verzeichnisse/Dateien die geprüft werden sollen
|
||||||
|
paths_to_check = [
|
||||||
|
self.custom_path, # custom/Espo/Custom/Resources
|
||||||
|
self.client_custom_path, # client/custom
|
||||||
|
self.base_path / "data", # Gesamtes data/ Verzeichnis
|
||||||
|
]
|
||||||
|
|
||||||
|
# Kritische einzelne Dateien die UNBEDINGT www-data gehören müssen
|
||||||
|
critical_files = [
|
||||||
|
self.base_path / "data" / "config.php",
|
||||||
|
self.base_path / "data" / "config-internal.php",
|
||||||
|
]
|
||||||
|
|
||||||
|
all_wrong_files = []
|
||||||
|
critical_wrong_files = []
|
||||||
|
|
||||||
try:
|
try:
|
||||||
# Prüfe ob Dateien von www-data gehören
|
# Prüfe jedes Verzeichnis
|
||||||
result = subprocess.run(
|
for path in paths_to_check:
|
||||||
['find', str(self.custom_path), '!', '-user', 'www-data', '-o', '!', '-group', 'www-data'],
|
if not path.exists():
|
||||||
capture_output=True,
|
continue
|
||||||
text=True
|
|
||||||
)
|
|
||||||
|
|
||||||
wrong_owner_files = [line for line in result.stdout.strip().split('\n') if line]
|
result = subprocess.run(
|
||||||
|
['find', str(path), '!', '-user', 'www-data', '-o', '!', '-group', 'www-data'],
|
||||||
|
capture_output=True,
|
||||||
|
text=True
|
||||||
|
)
|
||||||
|
|
||||||
if wrong_owner_files:
|
wrong_files = [line for line in result.stdout.strip().split('\n') if line]
|
||||||
print_warning(f"{len(wrong_owner_files)} Dateien mit falschen Rechten gefunden")
|
all_wrong_files.extend(wrong_files)
|
||||||
print_info("Versuche automatische Korrektur...")
|
|
||||||
|
# Prüfe kritische Dateien einzeln
|
||||||
|
for critical_file in critical_files:
|
||||||
|
if not critical_file.exists():
|
||||||
|
continue
|
||||||
|
|
||||||
|
stat_result = critical_file.stat()
|
||||||
|
import pwd
|
||||||
|
import grp
|
||||||
|
|
||||||
# Versuche Rechte zu korrigieren
|
|
||||||
try:
|
try:
|
||||||
subprocess.run(
|
owner = pwd.getpwuid(stat_result.st_uid).pw_name
|
||||||
['sudo', 'chown', '-R', 'www-data:www-data', str(self.custom_path)],
|
group = grp.getgrgid(stat_result.st_gid).gr_name
|
||||||
check=True,
|
|
||||||
capture_output=True
|
if owner != 'www-data' or group != 'www-data':
|
||||||
)
|
critical_wrong_files.append(str(critical_file))
|
||||||
subprocess.run(
|
all_wrong_files.append(str(critical_file))
|
||||||
['sudo', 'find', str(self.custom_path), '-type', 'f', '-exec', 'chmod', '664', '{}', ';'],
|
print_error(f"KRITISCH: {critical_file.relative_to(self.base_path)} gehört {owner}:{group} statt www-data:www-data")
|
||||||
check=True,
|
except (KeyError, OSError):
|
||||||
capture_output=True
|
pass
|
||||||
)
|
|
||||||
subprocess.run(
|
if all_wrong_files:
|
||||||
['sudo', 'find', str(self.custom_path), '-type', 'd', '-exec', 'chmod', '775', '{}', ';'],
|
print_warning(f"{len(all_wrong_files)} Dateien/Verzeichnisse mit falschen Rechten gefunden")
|
||||||
check=True,
|
|
||||||
capture_output=True
|
if critical_wrong_files:
|
||||||
)
|
print_error(f"{len(critical_wrong_files)} davon sind KRITISCHE System-Dateien!")
|
||||||
print_success("Dateirechte korrigiert")
|
|
||||||
except subprocess.CalledProcessError:
|
print_info("Versuche automatische Korrektur aller Verzeichnisse...")
|
||||||
|
|
||||||
|
# Korrigiere alle Pfade
|
||||||
|
success_count = 0
|
||||||
|
for path in paths_to_check:
|
||||||
|
if not path.exists():
|
||||||
|
continue
|
||||||
|
|
||||||
|
try:
|
||||||
|
# Setze Owner
|
||||||
|
subprocess.run(
|
||||||
|
['sudo', 'chown', '-R', 'www-data:www-data', str(path)],
|
||||||
|
check=True,
|
||||||
|
capture_output=True
|
||||||
|
)
|
||||||
|
# Setze Permissions für Dateien
|
||||||
|
subprocess.run(
|
||||||
|
['sudo', 'find', str(path), '-type', 'f', '-exec', 'chmod', '664', '{}', ';'],
|
||||||
|
check=True,
|
||||||
|
capture_output=True
|
||||||
|
)
|
||||||
|
# Setze Permissions für Verzeichnisse
|
||||||
|
subprocess.run(
|
||||||
|
['sudo', 'find', str(path), '-type', 'd', '-exec', 'chmod', '775', '{}', ';'],
|
||||||
|
check=True,
|
||||||
|
capture_output=True
|
||||||
|
)
|
||||||
|
success_count += 1
|
||||||
|
except subprocess.CalledProcessError as e:
|
||||||
|
print_warning(f"Konnte {path.relative_to(self.base_path)} nicht korrigieren: {e}")
|
||||||
|
|
||||||
|
if success_count > 0:
|
||||||
|
print_success(f"Dateirechte für {success_count} Verzeichnis(se) korrigiert")
|
||||||
|
else:
|
||||||
print_warning("Konnte Dateirechte nicht automatisch korrigieren (sudo erforderlich)")
|
print_warning("Konnte Dateirechte nicht automatisch korrigieren (sudo erforderlich)")
|
||||||
else:
|
else:
|
||||||
print_success("Alle Dateirechte korrekt (www-data:www-data)")
|
print_success("Alle Dateirechte korrekt (www-data:www-data)")
|
||||||
|
|||||||
Reference in New Issue
Block a user