From 9a2ed86672d5d7a162263448070ed1c562ef2515 Mon Sep 17 00:00:00 2001 From: Robin Appelman Date: Wed, 25 Jun 2014 15:22:49 +0200 Subject: Prevent running the files:scan command as the wrong user --- apps/files/command/scan.php | 31 ++++++++++++++++++------------- lib/private/files/utils/scanner.php | 11 ++++++++++- 2 files changed, 28 insertions(+), 14 deletions(-) diff --git a/apps/files/command/scan.php b/apps/files/command/scan.php index 25ab70af362..5927e413ceb 100644 --- a/apps/files/command/scan.php +++ b/apps/files/command/scan.php @@ -9,6 +9,7 @@ namespace OCA\Files\Command; +use OC\ForbiddenException; use Symfony\Component\Console\Command\Command; use Symfony\Component\Console\Input\InputArgument; use Symfony\Component\Console\Input\InputInterface; @@ -32,28 +33,32 @@ class Scan extends Command { ->setName('files:scan') ->setDescription('rescan filesystem') ->addArgument( - 'user_id', - InputArgument::OPTIONAL | InputArgument::IS_ARRAY, - 'will rescan all files of the given user(s)' - ) + 'user_id', + InputArgument::OPTIONAL | InputArgument::IS_ARRAY, + 'will rescan all files of the given user(s)' + ) ->addOption( - 'all', - null, - InputOption::VALUE_NONE, - 'will rescan all files of all known users' - ) - ; + 'all', + null, + InputOption::VALUE_NONE, + 'will rescan all files of all known users' + ); } protected function scanFiles($user, OutputInterface $output) { $scanner = new \OC\Files\Utils\Scanner($user); - $scanner->listen('\OC\Files\Utils\Scanner', 'scanFile', function($path) use ($output) { + $scanner->listen('\OC\Files\Utils\Scanner', 'scanFile', function ($path) use ($output) { $output->writeln("Scanning $path"); }); - $scanner->listen('\OC\Files\Utils\Scanner', 'scanFolder', function($path) use ($output) { + $scanner->listen('\OC\Files\Utils\Scanner', 'scanFolder', function ($path) use ($output) { $output->writeln("Scanning $path"); }); - $scanner->scan(''); + try { + $scanner->scan(''); + } catch (ForbiddenException $e) { + $output->writeln("Home storage for user $user not writable"); + $output->writeln("Make sure you're running the scan command only as the user the web server runs as"); + } } protected function execute(InputInterface $input, OutputInterface $output) { diff --git a/lib/private/files/utils/scanner.php b/lib/private/files/utils/scanner.php index 1bb3e694c96..c2fabf51946 100644 --- a/lib/private/files/utils/scanner.php +++ b/lib/private/files/utils/scanner.php @@ -11,6 +11,7 @@ namespace OC\Files\Utils; use OC\Files\View; use OC\Files\Cache\ChangePropagator; use OC\Files\Filesystem; +use OC\ForbiddenException; use OC\Hooks\PublicEmitter; /** @@ -104,6 +105,7 @@ class Scanner extends PublicEmitter { /** * @param string $dir + * @throws \OC\ForbiddenException */ public function scan($dir) { $mounts = $this->getMounts($dir); @@ -111,7 +113,14 @@ class Scanner extends PublicEmitter { if (is_null($mount->getStorage())) { continue; } - $scanner = $mount->getStorage()->getScanner(); + $storage = $mount->getStorage(); + // if the home storage isn't writable then the scanner is run as the wrong user + if ($storage->instanceOfStorage('\OC\Files\Storage\Home') and + (!$storage->isCreatable('') or !$storage->isCreatable('files')) + ) { + throw new ForbiddenException(); + } + $scanner = $storage->getScanner(); $this->attachListener($mount); $scanner->scan('', \OC\Files\Cache\Scanner::SCAN_RECURSIVE, \OC\Files\Cache\Scanner::REUSE_ETAG | \OC\Files\Cache\Scanner::REUSE_SIZE); } -- cgit v1.2.3