From e526e968ed722dbdfbd8f6dd5a4d1af7e30708d1 Mon Sep 17 00:00:00 2001 From: Ryan Tasson Date: Tue, 11 Jun 2024 12:39:31 -0400 Subject: [PATCH] add group membership setting for sqlite db --- README.md | 6 ++++++ device/models.py | 26 ++++++++++++++++++++------ 2 files changed, 26 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index e12f671..8858c3a 100644 --- a/README.md +++ b/README.md @@ -30,6 +30,12 @@ pip install -r requirements.txt ### `device` +Create a `support` group. Certain functions require root, like opening a wireguard device. Others don't. We use a `support` group for the backing SQLite database to share this between both contexts. For any non-root user calling these services, add them to this group. + +``` +groupadd support +``` + Request a tunnel on your `device`. If you are a Micro-Nova employee, this is more or less what the updater does when you press the "Request support tunnel" button. ``` diff --git a/device/models.py b/device/models.py index 0224d58..cb6f6d0 100644 --- a/device/models.py +++ b/device/models.py @@ -1,15 +1,17 @@ +import os +import stat +import logging import datetime import common.tunnel import common.models -from os import getenv -from sqlmodel import Field, SQLModel, create_engine +from grp import getgrnam from pydantic import UUID4 from typing import Optional -from ipaddress import IPv4Address, IPv4Network -from wireguard_tools import WireguardKey from sqlalchemy.types import Text - +from wireguard_tools import WireguardKey +from ipaddress import IPv4Address, IPv4Network +from sqlmodel import Field, SQLModel, create_engine class DeviceTunnel(SQLModel, table=True): """ Represents the database table on a device, where each row 
@@ -60,7 +62,19 @@ def to_WireguardTunnel(self) -> common.models.WireguardTunnel: peers=peers, ) +SQLITE_DB = os.getenv("SQLITE_DB", "/var/lib/support_tunnel/device.db") +SQL_URI = f"sqlite:///{SQLITE_DB}" -SQL_URI = getenv("SQL_URI", "sqlite:////var/lib/support_tunnel/device.db") engine = create_engine(SQL_URI) SQLModel.metadata.create_all(engine) + +try: + stat_result = os.stat(SQLITE_DB) + gid = getgrnam("support").gr_gid + if stat_result.st_gid != gid: + os.chown(SQLITE_DB, -1, gid) + if stat.filemode(stat_result.st_mode) != '-rw-rw----': + os.chmod(SQLITE_DB, 0o0660) +except Exception as e: + error_msg = f"unable to set permissions on {SQLITE_DB}: {e}" + logging.warning(error_msg)
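Review bot: Re-permissioning only the database file is not enough for a non-root `support` member to write through SQLite, because the rollback-journal/WAL sidecar files are created in the same directory, so `/var/lib/support_tunnel` itself also needs group ownership and group write (setgid so new files inherit the group); the try block should handle `os.path.dirname(SQLITE_DB)` as well. The hunk also drops the `SQL_URI` environment variable the removed line honored, so deployments or tests that pointed at another database now silently fall back to the default path; `SQL_URI = os.getenv("SQL_URI", f"sqlite:///{SQLITE_DB}")` keeps that compatible. Since this runs at import time, normally as root, it is worth checking `stat.S_ISREG(stat_result.st_mode)` before `os.chown`/`os.chmod` so a `SQLITE_DB` value that resolves to something other than a regular file is not re-permissioned, and comparing `stat.S_IMODE(...)` against `0o660` is simpler than matching the `filemode` string. The best-effort `except Exception` is reasonable, but log through a module logger with lazy `%s` arguments rather than the root logger with a pre-formatted string.
```python
# … unchanged: SQLITE_DB / SQL_URI / engine / create_all …
db_dir = os.path.dirname(SQLITE_DB) or "."
try:
    gid = getgrnam("support").gr_gid
    # SQLite writes its -journal/-wal files into db_dir, so the directory
    # needs group write too; setgid makes new files inherit the group.
    dir_stat = os.stat(db_dir)
    if dir_stat.st_gid != gid:
        os.chown(db_dir, -1, gid)
    if stat.S_IMODE(dir_stat.st_mode) != 0o2770:
        os.chmod(db_dir, 0o2770)
    stat_result = os.stat(SQLITE_DB)
    if not stat.S_ISREG(stat_result.st_mode):
        raise ValueError(f"{SQLITE_DB} is not a regular file")
    if stat_result.st_gid != gid:
        os.chown(SQLITE_DB, -1, gid)
    if stat.S_IMODE(stat_result.st_mode) != 0o660:
        os.chmod(SQLITE_DB, 0o660)
except Exception as e:
    logging.getLogger(__name__).warning("unable to set permissions on %s: %s", SQLITE_DB, e)
```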