feat: force attr for log/ini files

- based for systemd service with inotify; - group and permissions can be set in kf2-srv.conf; - bot password in separate conf with no permissions for others.
2020-07-12 04:38:39 +03:00 · 2020-07-12 04:38:39 +03:00 · 4b05ded66c
commit 4b05ded66c
parent 848ea7d726
8 changed files with 42 additions and 9 deletions
--- a/SOURCES/bot.conf
+++ b/SOURCES/bot.conf
@ -0,0 +1,4 @@
+# Bot default password
+# To change the password for the bot, you must do this here and in WebAdmin.
+# Otherwise, the bot will stop working and some actions cannot be done on running servers
+ServerBotPassword=VerySecretBotPassword
--- a/SOURCES/kf2-srv
+++ b/SOURCES/kf2-srv
@ -26,10 +26,11 @@ declare -A MutNames

 source /etc/steamcmd/steamcmd.conf
 source /etc/kf2-srv/kf2-srv.conf
+source /etc/kf2-srv/bot.conf

 ScriptFullname=$(readlink -e "$0")
 ScriptName=$(echo "$ScriptFullname" | awk -F '/' '{print $NF;}')
-readonly ScriptVersion="0.11.1"
+readonly ScriptVersion="0.12.0"

 # Constants. Don't change.
 readonly AppServerNum="232130"
--- a/SOURCES/kf2-srv-beta@.service
+++ b/SOURCES/kf2-srv-beta@.service
@ -1,5 +1,6 @@
 [Unit]
 Description=Killing Floor 2 Beta Server Daemon - %i
+After=kf2-srv-force-attr.service
 After=network-online.target
 Wants=network-online.target

--- a/SOURCES/kf2-srv-force-attr.service
+++ b/SOURCES/kf2-srv-force-attr.service
@ -0,0 +1,19 @@
+[Unit]
+Description=kf2-srv force attr service
+
+[Service]
+Type=simple
+StandardOutput=null
+StandardError=null
+EnvironmentFile=/etc/kf2-srv/kf2-srv.conf
+ExecStart=/bin/bash -c 'declare -a DiffNames WaveNames; declare -A ModeNames MutNames; source /etc/kf2-srv/kf2-srv.conf; /usr/bin/inotifywait -qmr -e create -e moved_to --format %w%f /var/log/kf2-srv /var/log/kf2-srv-beta /etc/kf2-srv/instances /etc/kf2-srv/instances-beta | while read File; do if echo "${File}" | grep -Piq "\.log$"; then chmod "${ForceLogPermissions}" "${File}"; chown :"${ForceLogGroup}" "${File}"; elif echo "${File}" | grep -Piq "\.ini$"; then chmod "${ForceIniPermissions}" "${File}"; chown :"${ForceIniGroup}" "${File}"; fi; done'
+Restart=always
+
+NoNewPrivileges=yes
+PrivateTmp=true
+PrivateDevices=true
+ProtectHome=true
+ProtectSystem=true
+
+[Install]
+WantedBy=multi-user.target
--- a/SOURCES/kf2-srv.conf
+++ b/SOURCES/kf2-srv.conf
@ -3,7 +3,7 @@
 DiffNames=('Normal' 'Hard' 'Suicide' 'Hell')

 # Displays the number of waves
-# You can rename them as you like
+# You can rename them as you like (e.g. 'short' 'medium' 'long')
 WaveNames=('4' '7' '10')

 # Add custom gamemodes to the end of the list, similar to what is already there:
@ -16,7 +16,9 @@ ModeNames['KFGameContent.KFGameInfo_VersusSurvival']='Versus'
 # Add mutators to the end of the list, similar to what is already there:
 MutNames['ServerExtMut.ServerExtMut']='RPG'

-# Bot default password
-# To change the password for the bot, you must do this here and in WebAdmin.
-# Otherwise, the bot will stop working and some actions cannot be done on running servers
-ServerBotPassword=VerySecretBotPassword
+# These parameters works only if "kf2-srv-force-attr.service" is active
+ForceIniPermissions=644
+ForceLogPermissions=640
+ForceIniGroup=steam
+ForceLogGroup=steam
+
--- a/SOURCES/kf2-srv@.service
+++ b/SOURCES/kf2-srv@.service
@ -1,5 +1,6 @@
 [Unit]
 Description=Killing Floor 2 Server Daemon - %i
+After=kf2-srv-force-attr.service
 After=network-online.target
 Wants=network-online.target

--- a/SPECS/kf2-srv.spec
+++ b/SPECS/kf2-srv.spec
@ -22,6 +22,8 @@ Source11:   %{name}.conf
 Source12:   COPYING
 Source13:   rsyslog-%{name}.conf
 Source14:   logrotate-%{name}
+Source15:   bot.conf
+Source16:   %{name}-force-attr.service

 Requires:   systemd >= 219
 Requires:   steamcmd
@ -38,6 +40,7 @@ Requires:   gawk
 Requires:   multini >= 0.2.3
 Requires:   rsyslog >= 8.25.0
 Requires:   logrotate
+Requires:   inotify-tools

 Provides:   %{name}

@ -80,6 +83,8 @@ install -m 644 %{SOURCE11} %{buildroot}/%{_sysconfdir}/%{name}
 install -m 644 %{SOURCE12} %{buildroot}/%{_datadir}/licenses/%{name}
 install -m 644 %{SOURCE13} %{buildroot}/%{_sysconfdir}/rsyslog.d/%{name}.conf
 install -m 644 %{SOURCE14} %{buildroot}/%{_sysconfdir}/logrotate.d/%{name}
+install -m 644 %{SOURCE15} %{buildroot}/%{_sysconfdir}/%{name}
+install -m 644 %{SOURCE16} %{buildroot}/%{_prefix}/lib/systemd/system

 %clean
 rm -rf $RPM_BUILD_ROOT
@ -95,6 +100,7 @@ rm -rf $RPM_BUILD_ROOT
 %attr(0770,root,%{steamuser}) %dir               %{_localstatedir}/log/%{name}-beta
 %attr(0664,root,%{steamuser}) %config(noreplace) %{_sysconfdir}/%{name}/main.conf.template
 %attr(0664,root,%{steamuser}) %config(noreplace) %{_sysconfdir}/%{name}/%{name}.conf
+%attr(0640,root,%{steamuser}) %config(noreplace) %{_sysconfdir}/%{name}/bot.conf
 %attr(0644,root,root)         %config(noreplace) %{_prefix}/lib/firewalld/services/%{name}.xml
 %attr(0755,root,root)                            %{_bindir}/%{name}
 %attr(0755,root,root)                            %{_bindir}/%{name}-beta
@ -123,7 +129,8 @@ systemctl try-restart rsyslog.service
 * Sun Jul 12 2020 GenZmeY <genzmey@gmail.com> - 0.12.0-1
 - chat logs without timestamp;
 - update rsyslog config - now logs will be create with steam group and 640 permissions;
- update logrotate config (fixed that logrotate does nothing).
+- update logrotate config (fixed that logrotate does nothing);
+- feat: force attr for log/ini files.

 * Thu Jul 9 2020 GenZmeY <genzmey@gmail.com> - 0.11.1-1
 - fix syntax error in firewalld service.
--- a/2
+++ b/2
@ -11,8 +11,6 @@
 - generate unique password for server bot on install
 - parallel actions
 - bash completion
- fix permissions for log/ini by inotify. Example:
-	inotifywait -qm -e 'create' -e 'moved_to' --format %w%f /home/genzmey/test/ /home/genzmey/test2/

 ###################