From da7c2116996d26d22b3eca9f20cb497791dbb857 Mon Sep 17 00:00:00 2001
From: boli <boli@localhost>
Date: Fri, 15 Sep 2006 16:54:57 +0000
Subject: [PATCH] This uses the new FilePermission framework to set permissions on the directory holding the database files. The new config attribute ds-cfg-backend-mode is optional and by default has a value of 700. The permissions are set on backend initialization as well as on the fly via LDAP. The server will make sure the file permissions allow owner access before setting them. Any exceptions encountered while setting the attribute will result in non-fatal errors, which are logged. However, any configuration exceptions will keep the backend from starting.

---
 opends/src/server/org/opends/server/backends/jeb/Config.java |   62 +++++++++++++++++++++++++++++++
 1 files changed, 62 insertions(+), 0 deletions(-)

diff --git a/opends/src/server/org/opends/server/backends/jeb/Config.java b/opends/src/server/org/opends/server/backends/jeb/Config.java
index 457cb03..1d3a209 100644
--- a/opends/src/server/org/opends/server/backends/jeb/Config.java
+++ b/opends/src/server/org/opends/server/backends/jeb/Config.java
@@ -29,7 +29,14 @@
 import static org.opends.server.messages.MessageHandler.getMessage;
 import static org.opends.server.messages.ConfigMessages.
      MSGID_CONFIG_DESCRIPTION_BACKEND_DIRECTORY;
+import static org.opends.server.messages.ConfigMessages.
+     MSGID_CONFIG_DESCRIPTION_BACKEND_MODE;
+import static org.opends.server.messages.ConfigMessages.
+    MSGID_CONFIG_BACKEND_MODE_INVALID;
+import static org.opends.server.messages.ConfigMessages.
+    MSGID_CONFIG_BACKEND_INSANE_MODE;
 import static org.opends.server.config.ConfigConstants.ATTR_BACKEND_DIRECTORY;
+import static org.opends.server.config.ConfigConstants.ATTR_BACKEND_MODE;
 import static org.opends.server.messages.ConfigMessages.
      MSGID_CONFIG_BACKEND_NO_DIRECTORY;
 import static org.opends.server.messages.JebMessages.*;
@@ -52,6 +59,7 @@
 import org.opends.server.types.ErrorLogCategory;
 import org.opends.server.types.ErrorLogSeverity;
 import org.opends.server.types.RDN;
+import org.opends.server.types.FilePermission;
 import com.sleepycat.je.EnvironmentConfig;
 
 import java.util.HashMap;
@@ -240,6 +248,12 @@
   private File backendDirectory = null;
 
   /**
+   * The backend directory permission mode. By default, owner has read, write
+   * and execute permissions on the database directory.
+   */
+  private FilePermission backendPermission = new FilePermission(0700);
+
+  /**
    * Number of times we should retry database transactions that get aborted
    * due to deadlock.
    */
@@ -343,6 +357,44 @@
     }
     backendDirectory = getFileForPath(backendDirectoryAttr.activeValue());
 
+    // ds-cfg-backend-mode
+    // Optional, single-valued config attribute requiring admin action on change
+    msg = getMessage(MSGID_CONFIG_DESCRIPTION_BACKEND_MODE);
+    stub =
+        new StringConfigAttribute(ATTR_BACKEND_MODE, msg, false,false, true);
+    StringConfigAttribute backendModeAttr = (StringConfigAttribute)
+         configEntry.getConfigAttribute(stub);
+    if (backendModeAttr != null)
+    {
+      FilePermission newBackendPermission;
+      try
+      {
+        newBackendPermission = FilePermission.decodeUNIXMode(
+            backendModeAttr.activeValue());
+      }
+      catch(Exception e)
+      {
+        int msgID = MSGID_CONFIG_BACKEND_MODE_INVALID;
+        String message = getMessage(msgID, configEntry.getDN().toString());
+        throw new ConfigException(msgID, message);
+      }
+
+      //Make sure the mode will allow the server itself access to
+      //the database
+      if(!newBackendPermission.isOwnerWritable() ||
+           !newBackendPermission.isOwnerReadable() ||
+           !newBackendPermission.isOwnerExecutable())
+      {
+        int msgID = MSGID_CONFIG_BACKEND_INSANE_MODE;
+        String message = getMessage(msgID);
+        throw new ConfigException(msgID, message);
+      }
+      else
+      {
+        backendPermission = newBackendPermission;
+      }
+    }
+
     // ds-cfg-backendIndexEntryLimit
     // Optional, single-valued config attribute requiring admin action on change
     msg = getMessage(MSGID_CONFIG_DESCRIPTION_BACKEND_INDEX_ENTRY_LIMIT);
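Review bot: The sanity check on `newBackendPermission` only enforces a lower bound (owner read, write and execute), so a mode such as 777 passes and would open the database directory to every local account. If FilePermission exposes the group/other bits (not visible in this hunk), consider rejecting, or at least logging a warning for, modes that grant write access to others, and state the accepted range in a comment such as `// Owner must have rwx; group/other bits are accepted as configured`. The `catch(Exception e)` above it discards `e` and the message carries only the entry DN, so the administrator never sees the rejected value; include `backendModeAttr.activeValue()` in the message and narrow the catch if decodeUNIXMode declares a specific exception type. The enclosing method starts and ends outside the hunk.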
@@ -723,6 +775,16 @@
   }
 
   /**
+   * Get the backend directory file permission mode.
+   *
+   * @return An FilePermission representing the directory permissions
+   */
+  public FilePermission getBackendPermission()
+  {
+     return backendPermission;
+  }
+
+  /**
    * Get the set of base DNs.
    *
    * @return An array of base DNs.
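Review bot: The Javadoc on `getBackendPermission()` has a grammar slip ("An FilePermission") and does not say which directory the mode applies to; suggest `@return The FilePermission to apply to the directory holding the database files.` The `return` line is also indented five spaces where the surrounding code uses four. If FilePermission is mutable (its definition is not shown here), returning the field directly lets callers alter the configured mode, which would be worth stating in the Javadoc.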

--
Gitblit v1.10.0