Add CLI command to create the configuration directory

It is now not necessary anymore to generate the token as the web server's user. A user now creates the configuration directory using the CLI as well, while the SGID is set (in the default mode) causing the token only to be accessible by the super user who owns the directory/file and the web server's group. refs #7163 refs #7408 refs #7410
Icinga · Oct 21, 2014 · 049e42b · 049e42b
1 parent 3a3d29e
commit 049e42b
Showing 1 changed file with 67 additions and 2 deletions.
diff --git a/application/clicommands/SetupCommand.php b/application/clicommands/SetupCommand.php
@@ -40,15 +40,18 @@ public function showTokenAction()
      * Create a new setup token
      *
      * Re-generates the setup token used to authenticate when installing Icinga Web 2 using the web-based wizard.
-     * Note that it is required to run this command while logged in as your webserver's user or to make him the
-     * owner of the created file afterwards manually.
      *
      * USAGE:
      *
      *   icingacli setup generateToken
      */
     public function generateTokenAction()
     {
+        if (false === $this->isSuperUser()) {
+            $this->fail($this->translate('This action needs to be run as super user in order to work properly!'));
+            return false;
+        }
+
         $token = bin2hex(openssl_random_pseudo_bytes(8));
         $filepath = $this->app->getConfigDir() . '/setup.token';
 
@@ -62,4 +65,66 @@ public function generateTokenAction()
 
         printf($this->translate("The newly generated setup token is: %s\n"), $token);
     }
+
+    /**
+     * Create the configuration directory
+     *
+     * This command creates the configuration directory for Icinga Web 2. The `group' argument
+     * is mandatory and should be the groupname of the user your web server is running as.
+     *
+     * USAGE:
+     *
+     *   icingacli setup createConfigDirectory <group> [options]
+     *
+     * OPTIONS:
+     *
+     *   --mode  The access mode to use. Default is: 2775
+     *   --path  The path to the configuration directory. If omitted the default is used.
+     *
+     * EXAMPLES:
+     *
+     *   icingacli setup createConfigDirectory apache
+     *   icingacli setup createConfigDirectory apache --mode 2770
+     *   icingacli setup createConfigDirectory apache --path /some/path
+     */
+    public function createConfigDirectoryAction()
+    {
+        if (false === $this->isSuperUser()) {
+            $this->fail($this->translate('This action needs to be run as super user in order to work properly!'));
+            return false;
+        }
+
+        $group = $this->params->getStandalone();
+        if ($group === null) {
+            $this->fail($this->translate('The `group\' argument is mandatory.'));
+            return false;
+        }
+
+        $path = $this->params->get('path', $this->app->getConfigDir());
+        if (file_exists($path)) {
+            $this->fail(sprintf($this->translate('Path "%s" already exists.'), $path));
+            return false;
+        }
+
+        $mode = octdec($this->params->get('mode', '2775'));
+        if (false === mkdir($path)) {
+            $this->fail(sprintf($this->translate('Unable to create path: %s'), $path));
+            return false;
+        }
+
+        $old = umask(0); // Prevent $mode from being mangled by the system's umask ($old)
+        chmod($path, $mode);
+        umask($old);
+        chgrp($path, $group);
+    }
+
+    /**
+     * Return whether the current user is a super user
+     *
+     * @return  bool
+     */
+    protected function isSuperUser()
+    {
+        return intval(shell_exec('echo $EUID')) === 0;
+    }
 }