Pull request 2305: 7400 Disable permcheck
Updates #7400.

Squashed commit of the following:

commit f6508d395288dfa5ed0b9aa2e714bc1eba72d243
Merge: aa7119648 d96e65cb0
Author: Eugene Burkov <E.Burkov@AdGuard.COM>
Date: Fri Nov 22 15:43:27 2024 +0300

    Merge branch 'master' into 7400-disable-perm

commit aa7119648b
Author: Eugene Burkov <E.Burkov@AdGuard.COM>
Date: Wed Nov 20 16:51:37 2024 +0300

    next: add flag

commit c16b90918f
Author: Eugene Burkov <E.Burkov@AdGuard.COM>
Date: Wed Nov 20 16:42:47 2024 +0300

    home: fix help

commit 2e096c0e32
Author: Eugene Burkov <E.Burkov@AdGuard.COM>
Date: Wed Nov 20 16:37:30 2024 +0300

    all: imp code, log changes

commit 368598819f
Author: Eugene Burkov <E.Burkov@AdGuard.COM>
Date: Wed Nov 20 16:12:18 2024 +0300

    home: add permcheck option
parent
d96e65cb0c
commit
098cbab7e6
|
@ -32,6 +32,14 @@ NOTE: Add new changes BELOW THIS COMMENT.
|
||||||
|
|
||||||
- The release executables are now signed.
|
- The release executables are now signed.
|
||||||
|
|
||||||
|
### Added
|
||||||
|
|
||||||
|
- The `--no-permcheck` command-line option to disable checking and migration of
|
||||||
|
permissions for the security-sensitive files and directories, which caused
|
||||||
|
issues on Windows ([#7400]).
|
||||||
|
|
||||||
|
[#7400]: https://github.com/AdguardTeam/AdGuardHome/issues/7400
|
||||||
|
|
||||||
[go-1.23.3]: https://groups.google.com/g/golang-announce/c/X5KodEJYuqI
|
[go-1.23.3]: https://groups.google.com/g/golang-announce/c/X5KodEJYuqI
|
||||||
|
|
||||||
<!--
|
<!--
|
||||||
|
|
|
@ -159,7 +159,7 @@ func setupContext(opts options) (err error) {
|
||||||
|
|
||||||
if Context.firstRun {
|
if Context.firstRun {
|
||||||
log.Info("This is the first time AdGuard Home is launched")
|
log.Info("This is the first time AdGuard Home is launched")
|
||||||
checkPermissions()
|
checkNetworkPermissions()
|
||||||
|
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
@ -686,18 +686,26 @@ func run(opts options, clientBuildFS fs.FS, done chan struct{}) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if permcheck.NeedsMigration(confPath) {
|
if !opts.noPermCheck {
|
||||||
permcheck.Migrate(Context.workDir, dataDir, statsDir, querylogDir, confPath)
|
checkPermissions(Context.workDir, confPath, dataDir, statsDir, querylogDir)
|
||||||
}
|
}
|
||||||
|
|
||||||
permcheck.Check(Context.workDir, dataDir, statsDir, querylogDir, confPath)
|
|
||||||
|
|
||||||
Context.web.start()
|
Context.web.start()
|
||||||
|
|
||||||
// Wait for other goroutines to complete their job.
|
// Wait for other goroutines to complete their job.
|
||||||
<-done
|
<-done
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// checkPermissions checks and migrates permissions of the files and directories
|
||||||
|
// used by AdGuard Home, if needed.
|
||||||
|
func checkPermissions(workDir, confPath, dataDir, statsDir, querylogDir string) {
|
||||||
|
if permcheck.NeedsMigration(confPath) {
|
||||||
|
permcheck.Migrate(workDir, dataDir, statsDir, querylogDir, confPath)
|
||||||
|
}
|
||||||
|
|
||||||
|
permcheck.Check(workDir, dataDir, statsDir, querylogDir, confPath)
|
||||||
|
}
|
||||||
|
|
||||||
// initUsers initializes context auth module. Clears config users field.
|
// initUsers initializes context auth module. Clears config users field.
|
||||||
func initUsers() (auth *Auth, err error) {
|
func initUsers() (auth *Auth, err error) {
|
||||||
sessFilename := filepath.Join(Context.getDataDir(), "sessions.db")
|
sessFilename := filepath.Join(Context.getDataDir(), "sessions.db")
|
||||||
|
@ -757,8 +765,9 @@ func startMods(l *slog.Logger) (err error) {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// Check if the current user permissions are enough to run AdGuard Home
|
// checkNetworkPermissions checks if the current user permissions are enough to
|
||||||
func checkPermissions() {
|
// use the required networking functionality.
|
||||||
|
func checkNetworkPermissions() {
|
||||||
log.Info("Checking if AdGuard Home has necessary permissions")
|
log.Info("Checking if AdGuard Home has necessary permissions")
|
||||||
|
|
||||||
if ok, err := aghnet.CanBindPrivilegedPorts(); !ok || err != nil {
|
if ok, err := aghnet.CanBindPrivilegedPorts(); !ok || err != nil {
|
||||||
|
|
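Review bot: In `run`, the new `if !opts.noPermCheck` branch has no `else`, so a start with `--no-permcheck` skips both `permcheck.Migrate` and `permcheck.Check` without leaving any trace in the log. Because the option turns off a check on security-sensitive files, an operator reading the log should be able to tell that it was disabled; consider `} else { log.Info("permcheck: skipped because --no-permcheck is set") }`. The changelog ties the option to a Windows problem, but nothing in this hunk limits it to that platform, so the log line is most useful on systems where the check would otherwise have run. `run` begins and `checkNetworkPermissions` ends outside the visible hunks.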
|
@ -78,6 +78,10 @@ type options struct {
|
||||||
// localFrontend forces AdGuard Home to use the frontend files from disk
|
// localFrontend forces AdGuard Home to use the frontend files from disk
|
||||||
// rather than the ones that have been compiled into the binary.
|
// rather than the ones that have been compiled into the binary.
|
||||||
localFrontend bool
|
localFrontend bool
|
||||||
|
|
||||||
|
// noPermCheck disables checking and migration of permissions for the
|
||||||
|
// security-sensitive files.
|
||||||
|
noPermCheck bool
|
||||||
}
|
}
|
||||||
|
|
||||||
// initCmdLineOpts completes initialization of the global command-line option
|
// initCmdLineOpts completes initialization of the global command-line option
|
||||||
|
@ -305,6 +309,15 @@ var cmdLineOpts = []cmdLineOpt{{
|
||||||
description: "Run in GL-Inet compatibility mode.",
|
description: "Run in GL-Inet compatibility mode.",
|
||||||
longName: "glinet",
|
longName: "glinet",
|
||||||
shortName: "",
|
shortName: "",
|
||||||
|
}, {
|
||||||
|
updateWithValue: nil,
|
||||||
|
updateNoValue: func(o options) (options, error) { o.noPermCheck = true; return o, nil },
|
||||||
|
effect: nil,
|
||||||
|
serialize: func(o options) (val string, ok bool) { return "", o.noPermCheck },
|
||||||
|
description: "Skip checking and migration of permissions " +
|
||||||
|
"of security-sensitive files.",
|
||||||
|
longName: "no-permcheck",
|
||||||
|
shortName: "",
|
||||||
}, {
|
}, {
|
||||||
updateWithValue: nil,
|
updateWithValue: nil,
|
||||||
updateNoValue: nil,
|
updateNoValue: nil,
|
||||||
|
|
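Review bot: The `serialize` function of the new `no-permcheck` entry reports `ok` whenever `o.noPermCheck` is set, so the flag is emitted again wherever the options are turned back into arguments. If that output feeds a service definition or a self-restart (not visible on this page), a one-off workaround becomes a lasting opt-out from the permission check. A comment on the entry would make this explicit, for example `// NOTE: serialized, so the flag persists wherever the arguments are reused.`. The `description` could also say that the option is a workaround, since the help text is the only place an operator sees it.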
|
@ -89,6 +89,12 @@ type options struct {
|
||||||
// TODO(a.garipov): Use.
|
// TODO(a.garipov): Use.
|
||||||
performUpdate bool
|
performUpdate bool
|
||||||
|
|
||||||
|
// noPermCheck, if true, instructs AdGuard Home to skip checking and
|
||||||
|
// migrating the permissions of its security-sensitive files.
|
||||||
|
//
|
||||||
|
// TODO(e.burkov): Use.
|
||||||
|
noPermCheck bool
|
||||||
|
|
||||||
// verbose, if true, instructs AdGuard Home to enable verbose logging.
|
// verbose, if true, instructs AdGuard Home to enable verbose logging.
|
||||||
verbose bool
|
verbose bool
|
||||||
|
|
||||||
|
@ -110,7 +116,8 @@ const (
|
||||||
disableUpdateIdx
|
disableUpdateIdx
|
||||||
glinetModeIdx
|
glinetModeIdx
|
||||||
helpIdx
|
helpIdx
|
||||||
localFrontend
|
localFrontendIdx
|
||||||
|
noPermCheckIdx
|
||||||
performUpdateIdx
|
performUpdateIdx
|
||||||
verboseIdx
|
verboseIdx
|
||||||
versionIdx
|
versionIdx
|
||||||
|
@ -214,7 +221,7 @@ var commandLineOptions = []*commandLineOption{
|
||||||
valueType: "",
|
valueType: "",
|
||||||
},
|
},
|
||||||
|
|
||||||
localFrontend: {
|
localFrontendIdx: {
|
||||||
defaultValue: false,
|
defaultValue: false,
|
||||||
description: "Use local frontend directories.",
|
description: "Use local frontend directories.",
|
||||||
long: "local-frontend",
|
long: "local-frontend",
|
||||||
|
@ -222,6 +229,14 @@ var commandLineOptions = []*commandLineOption{
|
||||||
valueType: "",
|
valueType: "",
|
||||||
},
|
},
|
||||||
|
|
||||||
|
noPermCheckIdx: {
|
||||||
|
defaultValue: false,
|
||||||
|
description: "Skip checking the permissions of security-sensitive files.",
|
||||||
|
long: "no-permcheck",
|
||||||
|
short: "",
|
||||||
|
valueType: "",
|
||||||
|
},
|
||||||
|
|
||||||
performUpdateIdx: {
|
performUpdateIdx: {
|
||||||
defaultValue: false,
|
defaultValue: false,
|
||||||
description: "Update the current binary and restart the service in case it's installed.",
|
description: "Update the current binary and restart the service in case it's installed.",
|
||||||
|
@ -264,7 +279,8 @@ func parseOptions(cmdName string, args []string) (opts *options, err error) {
|
||||||
disableUpdateIdx: &opts.disableUpdate,
|
disableUpdateIdx: &opts.disableUpdate,
|
||||||
glinetModeIdx: &opts.glinetMode,
|
glinetModeIdx: &opts.glinetMode,
|
||||||
helpIdx: &opts.help,
|
helpIdx: &opts.help,
|
||||||
localFrontend: &opts.localFrontend,
|
localFrontendIdx: &opts.localFrontend,
|
||||||
|
noPermCheckIdx: &opts.noPermCheck,
|
||||||
performUpdateIdx: &opts.performUpdate,
|
performUpdateIdx: &opts.performUpdate,
|
||||||
verboseIdx: &opts.verbose,
|
verboseIdx: &opts.verbose,
|
||||||
versionIdx: &opts.version,
|
versionIdx: &opts.version,
|
||||||
|
|
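Review bot: The new `noPermCheck` field carries `TODO(e.burkov): Use.`, yet `--no-permcheck` is already registered in `commandLineOptions` and bound in `parseOptions`, so the flag is accepted while, judging by the TODO, nothing reads it yet. The help text `Skip checking the permissions of security-sensitive files.` therefore describes behaviour that is not implemented here, and it omits the migration that the field comment mentions. Until the field is used, a description such as `"Skip checking and migration of permissions of security-sensitive files (not implemented yet)."` would keep the help output honest. `parseOptions` continues outside the hunk.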