From 47279654051cc45c82502ab91bea1909d06fc66d Mon Sep 17 00:00:00 2001
From: mchyzer
Date: Sat, 25 Nov 2023 15:11:51 -0500
Subject: [PATCH] GRP-5153: add option to run tomcat as another use

---
 Dockerfile | 4 +-
 container_files/usr-local-bin/changeGid.sh | 9 +++-
 container_files/usr-local-bin/changeUid.sh | 9 +++-
 container_files/usr-local-bin/libraryPrep.sh | 25 ++++++++--
 .../usr-local-bin/libraryRunCommand.sh | 14 ++++--
 .../usr-local-bin/librarySetupFiles.sh | 46 ++++++++++++++++++-
 .../usr-local-bin/librarySetupFilesTomcat.sh | 7 ++-
 7 files changed, 93 insertions(+), 21 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index f4ba995f..73f2dcd1 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -19,8 +19,8 @@ RUN yum update -y \
 && yum install -y diffutils logrotate python3-pip rsync sudo patch supervisor wget tar unzip dos2unix file \
 && pip3 install --upgrade setuptools \
 && yum clean -y all \
- && groupadd -r tomcat \
- && useradd -r -m -s /sbin/nologin -g tomcat tomcat \
+ && groupadd -g 994 -r tomcat \
+ && useradd -u 996 -r -m -s /sbin/nologin -g tomcat tomcat \
 && mkdir -p /opt/container_files
 
 # Install Corretto Java JDK
diff --git a/container_files/usr-local-bin/changeGid.sh b/container_files/usr-local-bin/changeGid.sh
index 6d55d94d..e3aaeeab 100755
--- a/container_files/usr-local-bin/changeGid.sh
+++ b/container_files/usr-local-bin/changeGid.sh
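Review bot: The fixed ids in `groupadd -g 994 -r tomcat` and `useradd -u 996 -r -m -s /sbin/nologin -g tomcat tomcat` are repeated as bare literals in libraryPrep.sh (the GROUPER_TOMCAT_UID/GID defaults) and in librarySetupFiles.sh (the `!= "996"` / `!= "994"` comparisons), so the three places can drift apart without any error. Consider `ARG TOMCAT_UID=996` and `ARG TOMCAT_GID=994` before this RUN and `useradd -u "$TOMCAT_UID" ...` / `groupadd -g "$TOMCAT_GID" ...`, or at least a comment on these two lines such as `# keep in sync with the GROUPER_TOMCAT_UID/GID defaults in libraryPrep.sh and the checks in librarySetupFiles.sh`. If either id is already allocated in the base image, useradd/groupadd fail and the `&&` chain stops the build, which is the right outcome and worth stating in the same comment. The RUN instruction starts before the hunk.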
@@ -13,6 +13,11 @@ newGid=$2
 getentOutput="$(getent group "$groupname")"
 oldGid="$( echo "$getentOutput" |cut -d\: -f3 )"
 groupmod -g "$newGid" "$groupname"
-echo "grouperContainer; INFO: (changeGid.sh) groupmod -g \"$newGid\" \"$groupname\" , result: $?"
+returnCode=$?
+echo "grouperContainer; INFO: (changeGid.sh) groupmod -g \"$newGid\" \"$groupname\" , result: $returnCode"
+if [ $returnCode != 0 ]; then exit $returnCode; fi
+
 find / -xdev -group "$oldGid" -exec chgrp -h "$groupname" {} \;
-echo "grouperContainer; INFO: (changeGid.sh) find / -xdev -group \"$oldGid\" -exec chgrp -h \"$groupname\" {} \; , result: $?"
+returnCode=$?
+echo "grouperContainer; INFO: (changeGid.sh) find / -xdev -group \"$oldGid\" -exec chgrp -h \"$groupname\" {} \; , result: $returnCode"
+if [ $returnCode != 0 ]; then exit $returnCode; fi
diff --git a/container_files/usr-local-bin/changeUid.sh b/container_files/usr-local-bin/changeUid.sh
index 2dcf8a83..343d487d 100755
--- a/container_files/usr-local-bin/changeUid.sh
+++ b/container_files/usr-local-bin/changeUid.sh
@@ -12,6 +12,11 @@ username=$1
 newUid=$2
 oldUid="$(id -u "$username")"
 usermod -u "$newUid" "$username"
-echo "grouperContainer; INFO: (changeUid.sh) usermod -u \"$newUid\" \"$username\" , result: $?"
+returnCode=$?
+echo "grouperContainer; INFO: (changeUid.sh) usermod -u \"$newUid\" \"$username\" , result: $returnCode"
+if [ $returnCode != 0 ]; then exit $returnCode; fi
+
 find / -xdev -user "$oldUid" -exec chown -h "$username" {} \;
-echo "grouperContainer; INFO: (changeUid.sh) find / -xdev -user \"$oldUid\" -exec chown -h \"$username\" {} \; , result: $?"
+returnCode=$?
+echo "grouperContainer; INFO: (changeUid.sh) find / -xdev -user \"$oldUid\" -exec chown -h \"$username\" {} \; , result: $returnCode"
+if [ $returnCode != 0 ]; then exit $returnCode; fi
diff --git a/container_files/usr-local-bin/libraryPrep.sh b/container_files/usr-local-bin/libraryPrep.sh
index 0237a2af..36521821 100644
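Review bot: `find / -xdev -group "$oldGid" -exec chgrp -h "$groupname" {} \;` only walks the root filesystem, so any file that lives on a separately mounted volume keeps the old numeric gid after the id change and is no longer group-readable by tomcat; the `find / -xdev -user "$oldUid"` walk in the changeUid.sh hunk has the same gap. The limitation should be stated next to the `find`, e.g. `# -xdev: files on mounted volumes are not re-owned and must be fixed by the operator`, or the relevant mount points enumerated explicitly. Note also that the new `if [ $returnCode != 0 ]; then exit $returnCode; fi` after the walk turns any `find` error (a file vanishing under /run or /tmp during the walk) into a container startup failure, which may be intended but should be a deliberate choice. The script's top (argument handling) is outside the hunk.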
--- a/container_files/usr-local-bin/libraryPrep.sh
+++ b/container_files/usr-local-bin/libraryPrep.sh
@@ -223,6 +223,18 @@ prep_finishBegin() {
 echo "grouperContainer; INFO: (libraryPrep.sh-prep_finishBegin) GROUPER_UI=false"
 export GROUPER_UI=false
 fi
+ if [ -z "$GROUPER_TOMCAT_UID" ] ; then
+ echo "grouperContainer; INFO: (libraryPrep.sh-prep_finishBegin) GROUPER_TOMCAT_UID=996"
+ export GROUPER_TOMCAT_UID=996
+ fi
+ if [ -z "$GROUPER_TOMCAT_GID" ] ; then
+ echo "grouperContainer; INFO: (libraryPrep.sh-prep_finishBegin) GROUPER_TOMCAT_GID=994"
+ export GROUPER_TOMCAT_GID=994
+ fi
+ if [ -z "$GROUPER_TOMCAT_UNIX_GROUP" ] ; then
+ echo "grouperContainer; INFO: (libraryPrep.sh-prep_finishBegin) GROUPER_TOMCAT_UNIX_GROUP=root"
+ export GROUPER_TOMCAT_UNIX_GROUP=root
+ fi
 if [ -z "$GROUPER_WS" ] ; then
 echo "grouperContainer; INFO: (libraryPrep.sh-prep_finishBegin) export GROUPER_WS=false"
 export GROUPER_WS=false
@@ -314,8 +326,13 @@ prep_finishBegin() {
 fi
 
 if [ -z "$GROUPER_RUN_PROCESSES_AS_USERS" ]; then
-echo "grouperContainer; INFO: (libraryPrep.sh-prep_finishBegin) export GROUPER_RUN_PROCESSES_AS_USERS=true"
-export GROUPER_RUN_PROCESSES_AS_USERS=true
+if [[ $EUID -eq 0 ]]; then
+echo "grouperContainer; INFO: (libraryPrep.sh-prep_finishBegin) running as root: export GROUPER_RUN_PROCESSES_AS_USERS=true"
+export GROUPER_RUN_PROCESSES_AS_USERS=true
+else
+echo "grouperContainer; INFO: (libraryPrep.sh-prep_finishBegin) not running as root: export GROUPER_RUN_PROCESSES_AS_USERS=false"
+export GROUPER_RUN_PROCESSES_AS_USERS=false
+fi
 fi
 
 # do these before the "only" component
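Review bot: The default blocks for GROUPER_TOMCAT_UID and GROUPER_TOMCAT_GID only fire on an empty value, so a malformed operator-supplied value (non-numeric, or with embedded spaces) is exported untouched and later reaches `usermod -u` / `groupmod -g` through changeUid.sh/changeGid.sh, where it is passed unquoted by setupFiles_uid. A fail-fast guard directly after the GID default would give a clear message instead of a late usermod error: `case "$GROUPER_TOMCAT_UID$GROUPER_TOMCAT_GID" in *[!0-9]*) echo "grouperContainer; ERROR: (libraryPrep.sh-prep_finishBegin) GROUPER_TOMCAT_UID/GID must be numeric"; exit 1;; esac`. GROUPER_TOMCAT_UNIX_GROUP is likewise never checked against `getent group`, and it is used as a chgrp target further down the startup path. prep_finishBegin starts and ends outside the hunk.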
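Review bot: In the `@@ -314` hunk the `[[ $EUID -eq 0 ]]` branch only decides the default; an operator who explicitly sets GROUPER_RUN_PROCESSES_AS_USERS=true while the container runs non-root is not caught here and presumably only fails later at the `sudo -u tomcat` call in libraryRunCommand.sh, with a less obvious error. A one-line consistency check after the closing `fi` would surface that early: `if [ "$GROUPER_RUN_PROCESSES_AS_USERS" = "true" ] && [[ $EUID -ne 0 ]]; then echo "grouperContainer; ERROR: (libraryPrep.sh-prep_finishBegin) GROUPER_RUN_PROCESSES_AS_USERS=true requires running the container as root"; exit 1; fi`. Whether setupFiles_uid's own root check covers this case depends on the UID/GID values, so it should not be relied on.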
@@ -398,10 +415,10 @@ prep_finishBegin() {
 #Replace web.xml session timeout with env variable
 if [[ -z "$GROUPER_TOMCAT_SESSION_TIMEOUT_MINUTES" ]]; then
 if [[ "$GROUPER_UI" != 'true' ]] && [[ "$GROUPER_WS" = 'true' ]]; then
-echo "grouperContainer; INFO: (libraryPrep.sh-prep_finishBegin) $ GROUPER_TOMCAT_SESSION_TIMEOUT_MINUTES is not set, export GROUPER_TOMCAT_SESSION_TIMEOUT_MINUTES=1"
+echo "grouperContainer; INFO: (libraryPrep.sh-prep_finishBegin) export GROUPER_TOMCAT_SESSION_TIMEOUT_MINUTES=1"
 export GROUPER_TOMCAT_SESSION_TIMEOUT_MINUTES=1
 else
-echo "grouperContainer; INFO: (libraryPrep.sh-prep_finishBegin) $ GROUPER_TOMCAT_SESSION_TIMEOUT_MINUTES is not set, export GROUPER_TOMCAT_SESSION_TIMEOUT_MINUTES=600 (10 hours)"
+echo "grouperContainer; INFO: (libraryPrep.sh-prep_finishBegin) export GROUPER_TOMCAT_SESSION_TIMEOUT_MINUTES=600"
 export GROUPER_TOMCAT_SESSION_TIMEOUT_MINUTES=600
 fi
 
diff --git a/container_files/usr-local-bin/libraryRunCommand.sh b/container_files/usr-local-bin/libraryRunCommand.sh
index 878c61b7..e20c191a 100644
--- a/container_files/usr-local-bin/libraryRunCommand.sh
+++ b/container_files/usr-local-bin/libraryRunCommand.sh
@@ -11,12 +11,16 @@ runCommand() {
 
 runCommand_unsetAll
 
-if [ "$GROUPER_RUN_TOMCAT_NOT_SUPERVISOR" = "true" ]
-then
-echo "grouperContainer; INFO: (libraryRunCommand.sh-runCommand) Starting tomcat not supervisor"
-/opt/tomcat/bin/catalina.sh run
+if [ "$GROUPER_RUN_TOMCAT_NOT_SUPERVISOR" = "true" ]; then
+if [ "$GROUPER_RUN_PROCESSES_AS_USERS" = "true" ]; then
+echo "grouperContainer; INFO: (libraryRunCommand.sh-runCommand) Starting tomcat: sudo -u tomcat /opt/tomcat/bin/catalina.sh run"
+sudo -u tomcat /opt/tomcat/bin/catalina.sh run
 else
-echo "grouperContainer; INFO: (libraryRunCommand.sh-runCommand) Starting supervisor"
+echo "grouperContainer; INFO: (libraryRunCommand.sh-runCommand) Starting tomcat: /opt/tomcat/bin/catalina.sh run"
+/opt/tomcat/bin/catalina.sh run
+fi
+else
+echo "grouperContainer; INFO: (libraryRunCommand.sh-runCommand) Starting supervisor: exec /usr/bin/supervisord -c /opt/tier-support/supervisord.conf"
 exec /usr/bin/supervisord -c /opt/tier-support/supervisord.conf
 fi
 
diff --git a/container_files/usr-local-bin/librarySetupFiles.sh b/container_files/usr-local-bin/librarySetupFiles.sh
index 02461a72..4d6ed339 100644
--- a/container_files/usr-local-bin/librarySetupFiles.sh
+++ b/container_files/usr-local-bin/librarySetupFiles.sh
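Review bot: `sudo -u tomcat /opt/tomcat/bin/catalina.sh run` runs under sudo's default environment reset, so variables exported earlier in startup (JAVA_HOME, CATALINA_OPTS and the GROUPER_* settings) may not reach catalina.sh unless the image's sudoers carries a matching `env_keep` or `SETENV` entry — confirm that against the sudoers shipped in the image, or pass what tomcat needs explicitly, e.g. `sudo -u tomcat env JAVA_HOME="$JAVA_HOME" CATALINA_OPTS="$CATALINA_OPTS" /opt/tomcat/bin/catalina.sh run`. Separately, the supervisor branch uses `exec` while neither tomcat branch does, so the shell remains the parent process and a SIGTERM from the container runtime is not propagated to tomcat; `exec sudo -u tomcat /opt/tomcat/bin/catalina.sh run` and `exec /opt/tomcat/bin/catalina.sh run` close that gap, since sudo relays signals to its child. runCommand starts and ends outside the hunk.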
@@ -34,6 +34,44 @@ setupFiles_rsyncSlashRoot() {
 fi
 }
 
+setupFiles_uid() {
+
+ makeChange=false
+ if [ "$GROUPER_TOMCAT_UID" != "996" ]; then
+ makeChange=true
+ elif [ "$GROUPER_TOMCAT_GID" != "994" ]; then
+ makeChange=true
+ elif [ "$GROUPER_TOMCAT_UNIX_GROUP" != "root" ]; then
+ makeChange=true
+ fi
+
+ if [ "$makeChange" = "true" ]; then
+ if [[ $EUID -ne 0 ]]; then
+ echo "grouperContainer; ERROR: (librarySetupFiles.sh-setupFiles_uid) Cannot set tomcat UID/GID/unixGroup if not running the container as root"
+ exit 1
+ fi
+ fi
+
+ if [ "$GROUPER_TOMCAT_UID" != "996" ]; then
+
+ /usr/local/bin/changeUid.sh tomcat $GROUPER_TOMCAT_UID
+ returnCode=$?
+ echo "grouperContainer; INFO: (librarySetupFiles.sh-setupFiles_uid) /usr/local/bin/changeUid.sh tomcat $GROUPER_TOMCAT_UID, result: $returnCode"
+
+ fi
+
+ if [ "$GROUPER_TOMCAT_GID" != "994" ]; then
+
+ /usr/local/bin/changeGid.sh tomcat $GROUPER_TOMCAT_GID
+ returnCode=$?
+ echo "grouperContainer; INFO: (librarySetupFiles.sh-setupFiles_uid) /usr/local/bin/changeGid.sh tomcat $GROUPER_TOMCAT_GID, result: $returnCode"
+
+ fi
+
+ # this is called later: setupFiles_chownDirs to set ownership and privs on filesystem
+
+}
+
 setupFiles_localLogging() {
 additionalLoggersFile=/opt/grouper/grouperWebapp/WEB-INF/classes/log4j2.additionalLoggers.xml.txt
 if [ -f $additionalLoggersFile ]; then
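Review bot: The exit status of `/usr/local/bin/changeUid.sh tomcat $GROUPER_TOMCAT_UID` (and of the changeGid.sh call below it) is captured into `returnCode`, logged, and then ignored, so a failed usermod/groupmod or an aborted re-own leaves tomcat with the wrong id while startup continues; setupFiles_chownDirs in this same file follows its call with `if [ $returnCode != 0 ]; then exit $returnCode; fi`, and the same line belongs after each of the two echo lines here. The two arguments should also be quoted, `"$GROUPER_TOMCAT_UID"` and `"$GROUPER_TOMCAT_GID"`, so an empty or space-containing value cannot collapse into a missing argument, and `makeChange` should be `local` so it does not leak into the sourcing shell. The literals 996/994 duplicate the `useradd -u 996` / `groupadd -g 994` in the Dockerfile; a comment such as `# 996/994 must match the ids created in the Dockerfile` on the first comparison would warn the next maintainer.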
@@ -139,9 +177,9 @@ setupFiles_chownDirs() {
 # do this last
 if [ "$GROUPER_CHOWN_DIRS" = "true" ]
 then
-/opt/container_files/docker-build-bin/containerDockerfileInstallPermissions.sh tomcat root
+/opt/container_files/docker-build-bin/containerDockerfileInstallPermissions.sh tomcat $GROUPER_TOMCAT_UNIX_GROUP
 returnCode=$?
-echo "grouperContainer; INFO: (librarySetupFiles.sh-setupFiles_chownDirs) /opt/container_files/docker-build-bin/containerDockerfileInstallPermissions.sh tomcat root, result: $returnCode"
+echo "grouperContainer; INFO: (librarySetupFiles.sh-setupFiles_chownDirs) /opt/container_files/docker-build-bin/containerDockerfileInstallPermissions.sh tomcat $GROUPER_TOMCAT_UNIX_GROUP, result: $returnCode"
 if [ $returnCode != 0 ]; then exit $returnCode; fi
 fi
 }
@@ -371,6 +409,8 @@ setupFiles() {
 fi
 
 setupFiles_rsyncSlashRoot
+
+ setupFiles_uid
 
 setupFiles_analyzeOriginalFiles
 
@@ -431,6 +471,7 @@ setupFiles_unsetAll() {
 unset -f setupFiles_removePids
 unset -f setupFiles_rsyncSlashRoot
 unset -f setupFiles_storeEnvVars
+ unset -f setupFiles_uid
 unset -f setupFiles_unsetAll
 unset -f setupFiles_unsetAllAndFromFiles
 }
@@ -446,6 +487,7 @@ setupFiles_exportAll() {
 export -f setupFiles_removePids
 export -f setupFiles_rsyncSlashRoot
 export -f setupFiles_storeEnvVars
+ export -f setupFiles_uid
 export -f setupFiles_unsetAll
 export -f setupFiles_unsetAllAndFromFiles
 }
diff --git a/container_files/usr-local-bin/librarySetupFilesTomcat.sh b/container_files/usr-local-bin/librarySetupFilesTomcat.sh
index 1391448b..c66644fb 100644
--- a/container_files/usr-local-bin/librarySetupFilesTomcat.sh
+++ b/container_files/usr-local-bin/librarySetupFilesTomcat.sh
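Review bot: `containerDockerfileInstallPermissions.sh tomcat $GROUPER_TOMCAT_UNIX_GROUP` passes the group unquoted, so if the variable is empty in this code path the script silently receives one argument instead of two, and a group name that does not exist in the container only fails deep inside that script. Write `"$GROUPER_TOMCAT_UNIX_GROUP"` and validate it first, e.g. `getent group "$GROUPER_TOMCAT_UNIX_GROUP" >/dev/null || { echo "grouperContainer; ERROR: (librarySetupFiles.sh-setupFiles_chownDirs) group $GROUPER_TOMCAT_UNIX_GROUP does not exist"; exit 1; }`. The `@@ -371` hunk places the new `setupFiles_uid` call ahead of setupFiles_chownDirs, which matches the comment inside setupFiles_uid; the `unset -f` / `export -f` hunks are bookkeeping. setupFiles_chownDirs starts outside the hunk.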
@@ -273,9 +273,8 @@ setupFilesTomcat_sslCertsAnchors() {
 # openssl req -x509 -sha256 -new -nodes -key rootCAKey.pem -days 3650 -out rootCACert.pem
 
 if [ -n "$(ls -A /opt/grouper/certs/anchors/ 2>/dev/null)" ]; then
-
-amiroot=`whoami`
-if [ "$amiroot" = "root" ]; then
+ # if root
+ if [[ $EUID -eq 0 ]]; then
 
 echo "grouperContainer; INFO: (librarySetupFilesTomcat.sh-setupFilesTomcat_sslCertsAnchors) There are anchor certs in /opt/grouper/certs/anchors/ to process"
 
@@ -296,7 +295,7 @@ setupFilesTomcat_sslCertsAnchors() {
 
 fi
 else
-echo "grouperContainer; INFO: (librarySetupFilesTomcat.sh-setupFilesTomcat_sslCertsAnchors) There are anchor certs in /opt/grouper/certs/anchors/ to process but not running as root so run this in derived image: /usr/bin/cp -v /opt/grouper/certs/anchors/* /etc/pki/ca-trust/source/anchors; /bin/update-ca-trust"
+echo "grouperContainer; INFO: (librarySetupFilesTomcat.sh-setupFilesTomcat_sslCertsAnchors) There are anchor certs in /opt/grouper/certs/anchors/ to process but not running as root so you might need to run this in derived image: /usr/bin/cp -v /opt/grouper/certs/anchors/* /etc/pki/ca-trust/source/anchors; /bin/update-ca-trust"
 fi
 
 chmod u+w $JAVA_HOME/lib/security/cacerts
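Review bot: `if [[ $EUID -eq 0 ]]; then` makes this function depend on bash (`$EUID` is unset under /bin/sh and `[[` is a syntax error there), whereas the surrounding lines in this hunk use plain `[ ]`; that is consistent with libraryPrep.sh, which already uses `[[`, but the file's shebang is outside the hunk, so worth a quick confirmation. If the library is meant to stay sh-compatible, `if [ "$(id -u)" -eq 0 ]; then` keeps the intent of dropping `whoami` without the bash dependency. The `# if root` comment restates the condition; it would earn its place by saying why root matters here, presumably something like `# trust-store update needs root; otherwise only warn the operator`, which the non-root message in the `@@ -296` hunk suggests. setupFilesTomcat_sslCertsAnchors starts and ends outside the hunk.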