Until Perl 5.26, the current directory is added to @INC when running a
Perl script [1]. Having the current directory in @INC means it can be
tried to be traversed when performing a lib lookup. Since version 5.18,
Perl dies when it finds an unreadable directory (permissions) in @INC
that needs to be traversed. This behaviour won't change because Perl
devs consider it an enhancement to security. [2]
Because of this, we need to make sure our scripts are ran **from** a
directory in which they have read permissions.
Ths patch adds a --chdir option switch to the **koha-foreach** wrapper
script, that makes the inner shells/scripts to be ran within the Koha
instance's user home directory.
The change is trivial and should be QAed easily. I tested this on a prod
server:
- Create a /tmp/test.pl file containing:
use Modern::Perl;
use Cwd;
my $dir = getcwd;
warn $dir;
1;
A) then create a cronjob entry to run it using koha-foreach:
(in /etc/cron.d/test):
1/* * * * * root koha-foreach perl /tmp/test.pl
- Once I noticed the cronjob ran, I used mutt to read the emails in the
root user.
=> FAIL:
...
Subject: Cron <root@koha> koha-foreach --enabled perl /tmp/test.pl
"/root"
"/root"
"/root"
"/root"
"/root"
...
B) I then used the patched koha-foreach with different results:
=> SUCCESS:
...
Subject: Cron <root@koha> /root/koha-foreach --chdir --enabled perl /tmp/test.pl
"/var/lib/koha/acaderc"
"/var/lib/koha/agro"
"/var/lib/koha/anc"
"/var/lib/koha/arico"
"/var/lib/koha/artes"
...
So this patch's approach works. But...
C) master's koha-foreach seems to work just the same... I think it is
because of my previous attempt to fix this by using sudo in koha-shell.
So I think environmental conditions affect the behaviour (which shell is
configured for cron, sudo configuration, etc).
====
In conclusion, I think we should go ahead with this patch as it will solve
peoples issues, and it is a right solution (option #5 on the list) to
this Perl behaviour change. It doesn't cover other commands, but
followup patches could do.
I avoided /tmp as it is writable by any user... so it is an easy path
for both exploiting by replacing some lib, and also because the
existence of an unreadable dir that the interpreter could try to
traverse (unreadable /tmp/Authen or /tmp/Koha will trigger the same
error, and I assume people know what they are putting on the instance's
dir, at least it will be easier to track).
A followup patch takes care of making the cronjobs use --chdir when
calling koha-foreach
[1] https://lists.debian.org/debian-devel-announce/2016/08/msg00013.html
[2] https://rt.perl.org/Public/Bug/Display.html?id=123795
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Nick Clemens <nick@bywatersolutions.com>
koha-foreach has been modified to replace __instancename__ with $name
on each iteration using sed.
The docbook file for koha-foreach has also been updated to reflect the
new functionality.
To test:
koha-foreach ls -ld /etc/koha/sites/__instancename__
should list directories instead of giving an error message.
Signed-off-by: Magnus Enger <digitalutvikling@gmail.com>
The suggested example with ls works as expected, as does my
more complex example with fines.pl:
koha-foreach --enabled /usr/share/koha/bin/cronjobs/fines.pl \
--out /var/log/koha/__instancename__/
The man page looks good too.
Signed-off-by: Robin Sheat <robin@catalyst.net.nz>
Signed-off-by: Tomas Cohen Arazi <tomascohen@gmail.com>
VERY trivial string patch. Couldn't help sending it.
To+
Signed-off-by: Magnus Enger <magnus@enger.priv.no>
Thanks for fixing my typo! I did not test by building packages
etc, but by grepping for "Communnity". The patch removes
all occurences of the typo.
Passed-QA-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Jared Camins-Esakov <jcamins@cpbibliography.com>
1. Create a page for koha-run-backups
2. Fix the synopsis for koha-foreach
3. Add koha-create and koha-run-backups to koha-common
To test
- Convert the changed xml files to man pages with
$ xsltproc /usr/share/xml/docbook/stylesheet/docbook-xsl/manpages/docbook.xsl koha-x.xml
- View generated pages with e.g.
$ man -l koha-x.8"
(Replace x with the names of the changed files)
- Check that the changes make sense
Signed-off-by: Frédéric Demians <f.demians@tamil.fr>
Works as described. I was able to produce the 3 man files, load them with man
command, and see the added information properly formated.
Signed-off-by: Paul Poulain <paul.poulain@biblibre.com>
Add DocBook manual pages for commands that do not have a manual page yet. Also
add a page for koha-common itself, listing all the available commands.
Signed-off-by: Robin Sheat <robin@catalyst.net.nz>
Minor change: I fixed a typo I spotted
