mirror of
https://github.com/vincentmli/bpfire.git
synced 2026-04-10 11:05:54 +02:00
72ab71969f
Check if the script has been launched as privileged user (root) and drop all permissions by switching to the "nobody" user and group. Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
97 lines
3.3 KiB
Perl
97 lines
3.3 KiB
Perl
#!/usr/bin/perl
|
|
###############################################################################
|
|
# #
|
|
# IPFire.org - A linux based firewall #
|
|
# Copyright (C) 2018 IPFire Team <info@ipfire.org> #
|
|
# #
|
|
# This program is free software: you can redistribute it and/or modify #
|
|
# it under the terms of the GNU General Public License as published by #
|
|
# the Free Software Foundation, either version 3 of the License, or #
|
|
# (at your option) any later version. #
|
|
# #
|
|
# This program is distributed in the hope that it will be useful, #
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of #
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
|
|
# GNU General Public License for more details. #
|
|
# #
|
|
# You should have received a copy of the GNU General Public License #
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>. #
|
|
# #
|
|
###############################################################################
|
|
|
|
use strict;
|
|
use POSIX;
|
|
|
|
require '/var/ipfire/general-functions.pl';
|
|
require "${General::swroot}/ids-functions.pl";
|
|
require "${General::swroot}/lang.pl";
|
|
|
|
# The user and group name as which this script should be run.
|
|
my $run_as = 'nobody';
|
|
|
|
# Get user and group id of the user.
|
|
my ( $uid, $gid ) = ( getpwnam $run_as )[ 2, 3 ];
|
|
|
|
# Check if the script currently runs as root.
|
|
if ( $> == 0 ) {
|
|
# Drop privileges and switch to the specified user and group.
|
|
POSIX::setgid( $gid );
|
|
POSIX::setuid( $uid );
|
|
}
|
|
|
|
# Check if the red device is active.
|
|
unless (-e "${General::swroot}/red/active") {
|
|
# Store notice in the syslog.
|
|
&IDS::_log_to_syslog("The system is offline.");
|
|
|
|
# Store error message for displaying in the WUI.
|
|
&IDS::_store_error_message("$Lang::tr{'could not download latest updates'} - $Lang::tr{'system is offline'}");
|
|
|
|
# Exit.
|
|
exit 0;
|
|
}
|
|
|
|
# Check if enought free disk space is availabe.
|
|
if(&IDS::checkdiskspace()) {
|
|
# Store the error message for displaying in the WUI.
|
|
&IDS::_store_error_message("$Lang::tr{'not enough disk space'}");
|
|
|
|
# Exit.
|
|
exit 0;
|
|
}
|
|
|
|
# Lock the IDS page.
|
|
&IDS::lock_ids_page();
|
|
|
|
# Call the download function and gather the new ruleset.
|
|
if(&IDS::downloadruleset()) {
|
|
# Store error message for displaying in the WUI.
|
|
&IDS::_store_error_message("$Lang::tr{'could not download latest updates'}");
|
|
|
|
# Unlock the IDS page.
|
|
&IDS::unlock_ids_page();
|
|
|
|
# Exit.
|
|
exit 0;
|
|
}
|
|
|
|
# Set correct ownership for the downloaded tarball.
|
|
&IDS::set_ownership("$IDS::rulestarball");
|
|
|
|
# Call oinkmaster to alter the ruleset.
|
|
&IDS::oinkmaster();
|
|
|
|
# Set correct ownership for the rulesdir and files.
|
|
&IDS::set_ownership("$IDS::rulespath");
|
|
|
|
# Unlock the IDS page.
|
|
&IDS::unlock_ids_page();
|
|
|
|
# Check if the IDS is running.
|
|
if(&IDS::ids_is_running()) {
|
|
# Call suricatactrl to perform a reload.
|
|
&IDS::call_suricatactrl("reload");
|
|
}
|
|
|
|
1;
|