[BlueOnyx:23906] easy-migrate.pl 5208R(PHP DSO) -> 5209R(suPHP)

Tomohiro Hosaka bokutin at bokut.in
Wed May 27 22:44:27 -05 2020


Hi Michael,

Thank you for merging locale/ja_JP/*.po.
I resumed the migration verification work this morning, and was 
impressed when it was updated!
(Yes, I have automatic yum update turned on.)

This is the main subject.

I am moving vsite using easy-migrate.pl, but the PHP DSO site is 
imported as suPHP.

I am considering making some changes and using it.

--- /usr/sausalito/sbin/easy-migrate.pl-00	2020-03-05 06:54:15.000000000 
+0900
+++ /usr/sausalito/sbin/easy-migrate.pl	2020-05-28 11:21:38.186732577 
+0900
@@ -814,7 +814,7 @@
                  foreach my $x (@diff) {
                      # If the import Vsite has NameSpace keys that we do 
NOT have locally, then we delete them here:
                      delete $Vsite_NameSpace->{$x};
-                    #print "Diff in $key: $x \n"
+                    print "Diff in $key: $x \n"
                  }

                  # Cleanup:
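Review bot: the newly enabled `print "Diff in $key: $x \n"` runs after `delete $Vsite_NameSpace->{$x}` has already removed the key, and unlike the script's other messages it carries no `[INFO]` prefix, so in a long migration log it is hard to tell that a key was dropped rather than merely found to differ. Suggest printing before the delete with the same prefix convention, e.g. `print "[INFO] Dropping NameSpace key $key/$x not present locally\n";`, or leaving it commented out if it was only needed while debugging.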
@@ -885,34 +885,34 @@
                      }

                      # Handle difference in keys when we come from 
anything older than 5209R:
-                    if (($SYSTEM{'System'}{'productBuild'} ne '5210R') 
&& ($SYSTEM{'System'}{'productBuild'} ne '5209R')) {
-                        if ($Vsite_NameSpace->{'suPHP_enabled'} eq "1") 
{
-                            $Vsite_NameSpace->{'mod_ruid_enabled'} = 
"0";
-                            $Vsite_NameSpace->{'fpm_enabled'} = "0";
-                            $Vsite_NameSpace->{'enabled'} = "1";
-                        }
-                        elsif ($Vsite_NameSpace->{'enabled'} eq "1") {
-                            $Vsite_NameSpace->{'suPHP_enabled'} = "1";
-                            $Vsite_NameSpace->{'mod_ruid_enabled'} = 
"0";
-                            $Vsite_NameSpace->{'fpm_enabled'} = "0";
-                        }
-                        elsif ($Vsite_NameSpace->{'mod_ruid_enabled'} 
eq "1") {
-                            $Vsite_NameSpace->{'suPHP_enabled'} = "0";
-                            $Vsite_NameSpace->{'fpm_enabled'} = "0";
-                            $Vsite_NameSpace->{'enabled'} = "1";
-                        }
-                        elsif ($Vsite_NameSpace->{'fpm_enabled'} eq 
"1") {
-                            $Vsite_NameSpace->{'suPHP_enabled'} = "0";
-                            $Vsite_NameSpace->{'mod_ruid_enabled'} = 
"0";
-                            $Vsite_NameSpace->{'enabled'} = "1";
-                        }
-                        else {
-                            $Vsite_NameSpace->{'suPHP_enabled'} = "0";
-                            $Vsite_NameSpace->{'mod_ruid_enabled'} = 
"0";
-                            $Vsite_NameSpace->{'fpm_enabled'} = "0";
-                            $Vsite_NameSpace->{'enabled'} = "0";
-                        }
-                    }
+                    # if (($SYSTEM{'System'}{'productBuild'} ne 
'5210R') && ($SYSTEM{'System'}{'productBuild'} ne '5209R')) {
+                    #     if ($Vsite_NameSpace->{'suPHP_enabled'} eq 
"1") {
+                    #         $Vsite_NameSpace->{'mod_ruid_enabled'} = 
"0";
+                    #         $Vsite_NameSpace->{'fpm_enabled'} = "0";
+                    #         $Vsite_NameSpace->{'enabled'} = "1";
+                    #     }
+                    #     elsif ($Vsite_NameSpace->{'enabled'} eq "1") 
{
+                    #         $Vsite_NameSpace->{'suPHP_enabled'} = 
"1";
+                    #         $Vsite_NameSpace->{'mod_ruid_enabled'} = 
"0";
+                    #         $Vsite_NameSpace->{'fpm_enabled'} = "0";
+                    #     }
+                    #     elsif ($Vsite_NameSpace->{'mod_ruid_enabled'} 
eq "1") {
+                    #         $Vsite_NameSpace->{'suPHP_enabled'} = 
"0";
+                    #         $Vsite_NameSpace->{'fpm_enabled'} = "0";
+                    #         $Vsite_NameSpace->{'enabled'} = "1";
+                    #     }
+                    #     elsif ($Vsite_NameSpace->{'fpm_enabled'} eq 
"1") {
+                    #         $Vsite_NameSpace->{'suPHP_enabled'} = 
"0";
+                    #         $Vsite_NameSpace->{'mod_ruid_enabled'} = 
"0";
+                    #         $Vsite_NameSpace->{'enabled'} = "1";
+                    #     }
+                    #     else {
+                    #         $Vsite_NameSpace->{'suPHP_enabled'} = 
"0";
+                    #         $Vsite_NameSpace->{'mod_ruid_enabled'} = 
"0";
+                    #         $Vsite_NameSpace->{'fpm_enabled'} = "0";
+                    #         $Vsite_NameSpace->{'enabled'} = "0";
+                    #     }
+                    # }
                  }

                  # Handle individual WebApps:
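Review bot: commenting out the whole `productBuild` block removes more than the branch that converts the DSO site. Only `elsif ($Vsite_NameSpace->{'enabled'} eq "1") { $Vsite_NameSpace->{'suPHP_enabled'} = "1"; ... }` turns a plain `enabled` site into suPHP; the other branches and the final `else` are what guarantee that `suPHP_enabled`, `mod_ruid_enabled` and `fpm_enabled` all exist with explicit "0"/"1" values on the target. With the block disabled, a Vsite imported from an older build keeps whatever subset of those keys it had, and any later comparison of the form `eq "1"` on a missing key would see undef. Suggest leaving the block in place and changing just that one branch (or making the handler it assigns selectable by a command-line option), and deleting the dead code rather than shipping it commented out.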
@@ -1191,8 +1191,15 @@
                  # Actual Rsync:
                  $DirOwner = $VSITE_DIROWNERS->{$directory};
                  print "[INFO] Starting RSYNC from $host:$sourceDir to 
$target_Vsite_actiondir\n";
-                #print "/usr/bin/rsync -q --progress -ar '-e ssh -p 
$port' $source:$sourceDir $target_Vsite_actiondir --delete-after 
--info=progress2 --chown=$DirOwner\n";
-                system("/usr/bin/rsync -q --progress -ar '-e ssh -p 
$port' $source:$sourceDir $target_Vsite_actiondir --delete-after 
--info=progress2 --chown=$DirOwner >/dev/null 2>&1 || :");
+                # --chown=$DirOwner
+                print "/usr/bin/rsync -q --progress -ar '-e ssh -p 
$port' $source:$sourceDir $target_Vsite_actiondir --delete-after 
--info=progress2\n";
+                system("/usr/bin/rsync -q --progress -ar '-e ssh -p 
$port' $source:$sourceDir $target_Vsite_actiondir --delete-after 
--info=progress2");
+                {
+                    my ($user, $group) = split /:/, $DirOwner, 2;
+                    my $cmd = "find $target_Vsite_actiondir -not -user 
$user -or -not -group $group";
+                    print $cmd,"\n";
+                    system($cmd);
+                }
              }

              # Fix owner of sitedir:
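Review bot: two points in the new block. `split /:/, $DirOwner, 2` yields an undefined `$group` whenever `$DirOwner` has no colon, and the interpolated command then reads `find ... -or -not -group ` which `find` rejects; guard that case or fall back to `-not -user $user` alone. Second, the `find` only lists mismatches and does not correct them, while the `>/dev/null 2>&1 || :` guard was removed without adding a check of `system`'s return value, so an rsync failure is now visible on stderr but still not acted on. If the intent is to defer the chown until after migration, consider testing `$? >> 8` after the rsync and emitting the `find` output under a `[WARN]` prefix so it can be collected for the later fix-up.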
@@ -1430,7 +1437,13 @@
              if 
($SYSTEM->{'DNS'}->{'DnsIncludeFile'}->{$NEW_VSITE_OBJ_DATA->{'domain'}}) 
{
                  my $include_File = '/var/named/chroot/var/named/db.' . 
$NEW_VSITE_OBJ_DATA->{'domain'} . '.include';
                  print "[INFO] Importing DNS include file for Vsite 
$NEW_VSITE_OBJ_DATA->{'fqdn'}: $include_File\n";
-                system("/usr/bin/rsync -q --progress -ar '-e ssh -p 
$port' $source:$include_File $include_File --delete-after 
--info=progress2 --chown=named:named");
+                print("/usr/bin/rsync -q --progress -ar '-e ssh -p 
$port' $source:$include_File $include_File --delete-after 
--info=progress2\n");
+                system("/usr/bin/rsync -q --progress -ar '-e ssh -p 
$port' $source:$include_File $include_File --delete-after 
--info=progress2");
+                {
+                    my $cmd = "find $include_File -not -user named -or 
-not -group named";
+                    print $cmd,"\n";
+                    system $cmd;
+                }
              }

              #
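Review bot: dropping `--chown=named:named` here changes behaviour for the DNS include file rather than only deferring it: the `find ... -not -user named -or -not -group named` that replaces it reports the mismatch but leaves the file with the source system's uid/gid, so `named` on the target may be unable to read `db.<domain>.include` until someone chowns it by hand. Unlike the site directories, this file is not subject to a Vsite quota, so suggest keeping the `--chown` (or following the `find` with `chown named:named $include_File`) for the DNS include files.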
@@ -1520,7 +1533,13 @@
      $sourceDir = '/home/.easy-migrate/';

      # Fetch remote SQL databases:
-    system("/usr/bin/rsync -q --progress -ar '-e ssh -p $port' 
$source:$sourceDir $sourceDir --delete-after --info=progress2 
--chown=root:root >/dev/null 2>&1 || :");
+    print("/usr/bin/rsync -q --progress -ar '-e ssh -p $port' 
$source:$sourceDir $sourceDir --delete-after --info=progress2\n");
+    system("/usr/bin/rsync -q --progress -ar '-e ssh -p $port' 
$source:$sourceDir $sourceDir --delete-after --info=progress2");
+    {
+        my $cmd = "find $sourceDir -not -user root -or -not -group 
root";
+        print $cmd,"\n";
+        system $cmd;
+    }

      if (-f '/home/.easy-migrate/mysql-all-dbs.sql') {
          system("/usr/bin/mysql -u " . 
$TARGETSYSTEM{'System'}{'MySQL'}{'sql_root'} . " -p" . 
$TARGETSYSTEM{'System'}{'MySQL'}{'sql_rootpassword'} . " < 
/home/.easy-migrate/mysql-all-dbs.sql >/dev/null 2>&1 || :");
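Review bot: the dump under `/home/.easy-migrate/` is piped straight into `mysql` as the SQL root user a few lines below, so its ownership matters more here than for site content: with `--chown=root:root` removed it arrives owned by whatever uid/gid it had on the source, and the `find -not -user root -or -not -group root` only prints that fact. Suggest keeping `--chown=root:root` for this directory (it is outside any Vsite quota), or at least stopping before the `mysql` call when the `find` reports anything. Removing `|| :` also exposes rsync's exit status, but nothing examines it yet; `system(...) == 0 or die "rsync failed: $?"` would make the fetch fail loudly instead of importing a partial dump.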
@@ -1606,7 +1625,13 @@
                      if 
($SYSTEM->{'DNS'}->{'DnsIncludeFile'}->{$CURRENT_DOMAIN}) {
                          my $include_File = 
'/var/named/chroot/var/named/db.' . $CURRENT_DOMAIN . '.include';
                          print "[INFO] Importing DNS include file for 
domain $CURRENT_DOMAIN: $include_File\n";
-                        system("/usr/bin/rsync -q --progress -ar '-e 
ssh -p $port' $source:$include_File $include_File --delete-after 
--info=progress2 --chown=named:named");
+                        print("/usr/bin/rsync -q --progress -ar '-e ssh 
-p $port' $source:$include_File $include_File --delete-after 
--info=progress2\n");
+                        system("/usr/bin/rsync -q --progress -ar '-e 
ssh -p $port' $source:$include_File $include_File --delete-after 
--info=progress2");
+                        {
+                            my $cmd = "find $include_File -not -user 
named -or -not -group named";
+                            print $cmd,"\n";
+                            system $cmd;
+                        }
                      }

                      $ret = &CCE_Tramp('DnsRecord', '', { 'type' => 
$record->{'type'}, 'hostname' => $record->{'hostname'}, 'domainname' => 
$record->{'domainname'} }, $record_new);
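Review bot: this block is now the third copy of the same `print`/`system`/`find` sequence (the Vsite include-file hunk above is identical, and the SQL fetch hunk differs only in path and owner). Suggest factoring it into a small sub, e.g. `sub rsync_and_check { my ($src, $dst, $owner) = @_; ... }`, so a later decision on whether to chown or only report is made in one place. As written, the bare `system $cmd;` form here is also inconsistent with the `system($cmd);` used in the first Vsite hunk.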
@@ -1919,8 +1944,13 @@

                  # Actual Rsync:
                  print "[INFO] Starting RSYNC from $host:$sourceDir to 
$userDir \n";
-                #print "/usr/bin/rsync -q --dry-run --progress -ar '-e 
ssh -p $port' $source:$sourceDir $userDir --delete-after 
--info=progress2 --chown=$import_username:$new_user_group\n";
-                system("/usr/bin/rsync -q --progress -ar '-e ssh -p 
$port' $source:$sourceDir $userDir --delete-after --info=progress2 
--chown=$import_username:$new_user_group >/dev/null 2>&1 || :");
+                print "/usr/bin/rsync --progress -ar '-e ssh -p $port' 
$source:$sourceDir $userDir --delete-after --info=progress2 
--chown=$import_username:$new_user_group\n";
+                system("/usr/bin/rsync --progress -ar '-e ssh -p $port' 
$source:$sourceDir $userDir --delete-after --info=progress2");
+                {
+                    my $cmd = "find $userDir -not -user 
$import_username -or -not -group $new_user_group";
+                    print $cmd,"\n";
+                    system $cmd;
+                }

                  #
                  ### Conditionally fix directory permissions based on 
platform:
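Review bot: the logged command no longer matches the executed one: the `print` still includes `--chown=$import_username:$new_user_group`, while the `system` call directly below it omits it, so anyone reading the migration log will believe the home directory was chowned when it was only checked by the `find`. Either drop `--chown` from the `print` as well, or print the exact string that is passed to `system`. Note also that `-q` was removed from both lines here but kept in every other rsync call in the patch, so this call alone will now emit rsync's progress output.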
@@ -1945,8 +1975,13 @@
                  if ($Import_USERS->{$import_username}->{'UserCron'}) {
                      foreach my $userCron (keys %{ 
$Import_USERS->{$import_username}->{'UserCron'} }) {
                          print "[INFO] User has own cronjob. Making copy 
of $host:$userCron to $userCron \n";
-                        #print "/usr/bin/rsync -q --dry-run --progress 
-ar '-e ssh -p $port' $source:$userCron $userCron --delete-after 
--info=progress2 --chown=$import_username:$new_user_group\n";
-                        system("/usr/bin/rsync -q --progress -ar '-e 
ssh -p $port' $source:$userCron $userCron --delete-after 
--info=progress2 --chown=$import_username:$new_user_group >/dev/null 
2>&1 || :");
+                        print "/usr/bin/rsync -q --progress -ar '-e ssh 
-p $port' $source:$userCron $userCron --delete-after --info=progress2 
--chown=$import_username:$new_user_group\n";
+                        system("/usr/bin/rsync -q --progress -ar '-e 
ssh -p $port' $source:$userCron $userCron --delete-after 
--info=progress2");
+                        {
+                            my $cmd = "find $userCron -not -user 
$import_username -or -not -group $new_user_group";
+                            print $cmd,"\n";
+                            system $cmd;
+                        }
                          system("chmod 0600 $userCron");
                      }
                  }
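Review bot: same print/system mismatch as in the home-directory hunk: the `print` shows `--chown=$import_username:$new_user_group` but `system` runs without it. For the crontab this matters more than for site files, because `system("chmod 0600 $userCron")` right after the block makes the file readable only by its owner; if that owner is the source uid rather than `$import_username`, the user can no longer read or edit their own cron entries, and the `find` only prints the mismatch without fixing it. Suggest keeping `--chown` for crontab files, or adding `chown $import_username:$new_user_group $userCron` before the `chmod`.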


I prefer to make as few changes as possible and migrate painlessly.

I also know there is a problem with PHP DSO on the 5208R. For example, 
files created by PHP are not included in the quota because their 
permissions are apache.

I also understand that suPHP uses fork (not "pre"fork) and has a very 
different execution model than PHP DSO.

I assume that the reason for changing to "rsync ... --chown=" and suPHP 
in easy-migrate.pl is to try to fix the above problem in this phase. Do 
you have?
If the guess is correct, I would consider not chowning during this phase 
and having time to fix chown after migration.
I am considering migrating multiple vsites at once, so I would like to 
avoid multiple failures occurring at the same time.
There are many sites where the site+apache usage exceeds the site quota.

Also, why did you choose suPHP and not mod_ruid2?
I think mod_ruid2 fixes UID issues and is more like 5208R PHP (DSO) in 
terms of DSO.
Or are you considering the following?
> https://github.com/mind04/mod-ruid2
> -there are some security issues, for instance if attacker successfully 
> exploits the httpd process,
> he can set effective capabilities and setuid to root. i recommend to 
> use some security patch in kernel (grsec),
> or something.


Thanks,
