default data directory migration from /var/tmp/ntopng to /var/lib/ntopng

doc/nedge/src/conf_backup.rst

@@ -18,9 +18,9 @@ nEdge configuration can be restored by placing the compressed tarball
 (downloaded via Backup Configuration) into the nEdge data directory
 and restarting the service. The tarball must be named conf.tar.gz.
 
-For example, assuming the default /var/tmp/ntopng data directory has not been changed, one can
+For example, assuming the default /var/lib/ntopng data directory has not been changed, one can
 restore a previously backed-up configuration by placing the compressed
-tarball in /var/tmp/ntopng/conf.tar.gz and then issuing a
+tarball in /var/lib/ntopng/conf.tar.gz and then issuing a
 :code:`systemctl restart nedge`.
 
 .. note::

doc/src/cli_options.rst

@@ -25,7 +25,7 @@ ntopng supports a large number of command line parameters. To see what they are,
    [--interface|-i] <interface|pcap>   | Input interface name (numeric/symbolic),
                                        | view or pcap file path
    [--data-dir|-d] <path>              | Data directory (must be writable).
-                                       | Default: /var/tmp/ntopng
+                                       | Default: /var/lib/ntopng
    [--install-dir|-t] <path>           | Set the installation directory to <dir>.
                                        | Should be set when installing ntopng
                                        | under custom directories
@@ -39,7 +39,7 @@ ntopng supports a large number of command line parameters. To see what they are,
    [--prefs-dir|-4] <path>             | Preferences directory used to serialize
                                        | and deserialize file
                                        | containing runtime preferences.
-                                       | Default: /var/tmp/ntopng
+                                       | Default: /var/lib/ntopng
    [--no-promisc|-u]                   | Don't set the interface in promisc mode.
    [--traffic-filtering|-k] <param>    | Filter traffic using cloud services.
                                        | (default: disabled). Available options:

doc/src/web_gui/interfaces.rst

@@ -216,5 +216,5 @@ to generate a PCAP file containing the traffic of all the flows marked as "Unkno
 which can then be submitted to the ntop team for further analysis.
 
 Pcap files are generated under the ntopng data directory, into the "pcap" folder
-of a specific network inteface id (e.g. `/var/tmp/ntopng/0/pcap`). In particular,
+of a specific network inteface id (e.g. `/var/lib/ntopng/0/pcap`). In particular,
 The unknown traffic is stored into the folder "pcap/ndpi_unknown".

doc/src/web_gui/settings.rst

@@ -64,9 +64,9 @@ ntopng configuration can be restored by placing the compressed tarball
 (downloaded via Backup Configuration) into the ntopng data directory
 and restarting the service. The tarball must be named conf.tar.gz.
 
-For example, assuming the default /var/tmp/ntopng data directory has not been changed, one can
+For example, assuming the default /var/lib/ntopng data directory has not been changed, one can
 restore a previously backed-up configuration by placing the compressed
-tarball in /var/tmp/ntopng/conf.tar.gz and then issuing a
+tarball in /var/lib/ntopng/conf.tar.gz and then issuing a
 :code:`systemctl restart ntopng`.
 
 .. note::

httpdocs/misc/ntopng-utils-manage-config.in

@@ -2,7 +2,12 @@
 
 DEFAULT_CONF_FILE="/etc/ntopng/ntopng.conf"
 
-DEFAULT_DATADIR="/var/tmp/ntopng"
+DEFAULT_DATADIR="/var/lib/ntopng"
+OLD_DEFAULT_DATADIR="/var/tmp/ntopng"
+if [ -d "${OLD_DEFAULT_DATADIR}" ]; then
+    DEFAULT_DATADIR="${OLD_DEFAULT_DATADIR}"
+fi
+
 DATADIR="${DEFAULT_DATADIR}"
 DATADIR_SET=false
 

include/Ntop.h

@@ -40,9 +40,9 @@ class Ntop {
  private:
   AddressTree local_interface_addresses;
   char epoch_buf[11];
-  char working_dir[MAX_PATH]; /**< Array of working directory. */
-  char install_dir[MAX_PATH]; /**< Array of install directory. */
-  char startup_dir[MAX_PATH]; /**< Array of startup directory. */
+  char working_dir[MAX_PATH]; /**< Working directory. */
+  char install_dir[MAX_PATH]; /**< Install directory. */
+  char startup_dir[MAX_PATH]; /**< Startup directory. */
   char *custom_ndpi_protos; /**< Pointer of a custom protocol for nDPI. */
   NetworkInterface **iface; /**< Array of network interfaces. */
   u_int8_t num_defined_interfaces; /**< Number of defined interfaces. */

include/Prefs.h

@@ -103,6 +103,7 @@ class Prefs {
   char *config_file_path, *ndpi_proto_path;
   char *packet_filter;
   char *user;
+  bool user_set;
   char *redis_host;
   char *redis_password;
   char *pid_path;
@@ -178,6 +179,8 @@ class Prefs {
   inline bool are_ixia_timestamps_enabled()             { return(enable_ixia_timestamps); };
   inline bool are_vss_apcon_timestamps_enabled()        { return(enable_vss_apcon_timestamps); };
   inline char* get_user()                               { return(user);                   };
+  inline void set_user(const char *u)                   { if(user) free(user); user = strdup(u); user_set = true; };
+  inline bool is_user_set()                             { return user_set; };
   inline u_int8_t get_num_user_specified_interfaces()   { return(num_interfaces);         };
   inline bool  do_read_flows_from_nprobe_mysql()        { return(read_flows_from_mysql);  };
   inline bool  do_dump_flows_on_es()                    { return(dump_flows_on_es);       };

include/ntop_defines.h

@@ -359,7 +359,8 @@
 
 #define NTOPNG_NDPI_OS_PROTO_ID      (NDPI_LAST_IMPLEMENTED_PROTOCOL+NDPI_MAX_NUM_CUSTOM_PROTOCOLS-2)
 #define CONST_DEFAULT_HOME_NET       "192.168.1.0/24"
-#define CONST_DEFAULT_DATA_DIR       "/var/tmp/ntopng"
+#define CONST_OLD_DEFAULT_DATA_DIR   "/var/tmp/ntopng"
+#define CONST_DEFAULT_DATA_DIR       "/var/lib/ntopng"
 #define CONST_DEFAULT_MAX_UI_STRLEN  24
 #define CONST_DEFAULT_IS_AUTOLOGOUT_ENABLED               1
 #define CONST_DEFAULT_IS_IDLE_LOCAL_HOSTS_CACHE_ENABLED   1
@@ -377,14 +378,14 @@
 #define CONST_DEFAULT_SCRIPTS_DIR    "scripts"
 #define CONST_DEFAULT_CALLBACKS_DIR  "scripts/callbacks"
 #define CONST_DEFAULT_USERS_FILE     "ntopng-users.conf"
-#define CONST_DEFAULT_WRITABLE_DIR   "/var/tmp"
 #define CONST_DEFAULT_INSTALL_DIR    (DATA_DIR "/ntopng")
 #define CONST_ALT_INSTALL_DIR        "/usr/share/ntopng"
 #define CONST_ALT2_INSTALL_DIR       "/usr/local/share/ntopng"
 #define CONST_HTTP_PREFIX_STRING     "@HTTP_PREFIX@"
 #define CONST_NTOP_STARTUP_EPOCH     "@NTOP_STARTUP_EPOCH@"
 #define CONST_NTOP_PRODUCT_NAME      "@NTOP_PRODUCT_NAME@"
-#define CONST_DEFAULT_NTOP_USER      "nobody"
+#define CONST_OLD_DEFAULT_NTOP_USER  "nobody"
+#define CONST_DEFAULT_NTOP_USER      "ntopng"
 #define CONST_TOO_EARLY              "(Too Early)"
 
 #define CONST_LUA_OK                  1

ntopng.8

@@ -186,13 +186,13 @@ can be instructed to act as a publisher delivering flows to a ZeroMQ endpoint us
 Finally using \-i dummy it is possible to create a dummy interface that generates a large number of flows/hosts in order to saturate ntopng resources. This way ntopng can be tested for performance issues as well proper handling of low-memory situations.
 
 .It \-d|\-\-data\-dir\ <path>
-Specifies the data directory (it must be writable). Default directory is /var/tmp/ntopng
+Specifies the data directory (it must be writable). Default directory is /var/lib/ntopng
 
 .It \-t|\-\-install\-dir\ <path>
 Specifies the installation directory. Default directory is retrieved from common install paths.
 
 .It \-G|\-\-pid\-path\ <path>
-Specifies the path where the PID (process ID) is saved. Default is /var/tmp/ntopng.pid
+Specifies the path where the PID (process ID) is saved. Default is /var/run/ntopng.pid
 
 .It \-k|\-\-traffic\-filtering\ <key>
 Set the key used to access httpbl services (default: disabled).  Please read README.httpbl and README.flashstart for more info.

packages/etc/ntopng/nedge.conf

@@ -63,7 +63,7 @@
 #       -d|--data-dir
 #        Specifies the data directory (it must be writable by the user that is executing ntopng).
 #
-# -d=/var/tmp/ntopng
+# -d=/var/lib/ntopng
 #
 #       -q|--disable-autologout
 #        Disable web interface logout for inactivity.

packages/etc/ntopng/ntopng.conf

@@ -62,7 +62,7 @@
 #       -d|--data-dir
 #        Specifies the data directory (it must be writable by the user that is executing ntopng).
 #
-# -d=/var/tmp/ntopng
+# -d=/var/lib/ntopng
 #
 #       -q|--disable-autologout
 #        Disable web interface logout for inactivity.

packages/ntopng.spec.in

@@ -37,6 +37,7 @@ if [ -d $RPM_BUILD_ROOT ]; then
 fi
 
 mkdir -p $RPM_BUILD_ROOT/usr/bin $RPM_BUILD_ROOT/usr/share/ntopng $RPM_BUILD_ROOT/usr/share/man/man8 
+mkdir -p $RPM_BUILD_ROOT/var/lib/ntopng
 mkdir -p $RPM_BUILD_ROOT/etc/logrotate.d
 %if 0%{?centos_ver} != 7
 mkdir -p $RPM_BUILD_ROOT/etc/init.d 
@@ -100,6 +101,8 @@ rm -fr $RPM_BUILD_ROOT
 #/etc/ntopng/ntopng.conf.sample
 #/etc/ntopng/ntopng.start
 
+%dir %attr(700, ntopng, ntopng) /var/lib/ntopng
+
 # Set the default attributes of all of the files specified to have an
 # owner and group of root and to inherit the permissions of the file
 # itself.
@@ -115,6 +118,14 @@ rm -fr $RPM_BUILD_ROOT
 # un-install:                          preun       -> (delete)     -> postun
 
 %pre
+if ! grep -q ntopng /etc/group; then
+  echo 'Creating ntopng group'
+  /usr/sbin/groupadd -r ntopng
+fi
+if ! /usr/bin/id -u ntopng > /dev/null 2>&1; then 
+  echo 'Creating ntopng user'
+  /usr/sbin/useradd -M -N -g ntopng -r ntopng
+fi
 %if 0%{?centos_ver} != 7
 case "$1" in
   1)

packages/ubuntu/debian.ntopng/postinst

@@ -17,11 +17,28 @@ esac
 
 umask 022
 
+if ! grep -q ntopng /etc/group; then
+    echo 'Creating ntopng group'
+    /usr/sbin/groupadd -r ntopng
+fi
+
+if ! /usr/bin/id -u ntopng > /dev/null 2>&1; then 
+    echo "Creating ntopng user..."
+    /usr/sbin/useradd -M -N -g ntopng -r ntopng
+fi
+
+DATA_DIR=/var/lib/ntopng
+if [ ! -d "$DATA_DIR" ]; then
+    mkdir $DATA_DIR
+    /bin/chown ntopng:ntopng $DATA_DIR
+    /bin/chmod 700 $DATA_DIR
+fi
+
 echo "Rebuilding ld cache..."
 /sbin/ldconfig
 
 if [ ! -f /usr/local/bin/ntopng ] && [ ! -L /usr/local/bin/ntopng ] ; then
-   ln -s /usr/bin/ntopng /usr/local/bin/ntopng
+    ln -s /usr/bin/ntopng /usr/local/bin/ntopng
 fi
 
 if [ -d /usr/local/share/ntopng ] ; then

scripts/locales/en.lua

@@ -156,6 +156,7 @@ local lang = {
     ["built_on"] = "Built on",
     ["copyright"] = "Copyright",
     ["cpu_load"] = "CPU load",
+    ["datadir_warning"] = "Data directory migration notice",
     ["last_log"] = "Last Log Trace",
     ["licence"] = "License",
     ["licence_expires_in"] = "License expires in %{time}",

scripts/lua/examples/sqlite.lua

@@ -25,7 +25,7 @@ if (query == nil) then
   <div class="alert alert-warning alert-dismissible" role="alert">
    <button type="button" class="close" data-dismiss="alert"><span aria-hidden="true">&times;</span>
    <span class="sr-only">Close</span></button>
-   <strong>Query Empty!</strong> Example: localhost:3000/lua/examples/sqlite.lua?query=/var/tmp/ntopng/0/flows/2014-15-15/07/08/01/45.sqlite
+   <strong>Query Empty!</strong> Example: localhost:3000/lua/examples/sqlite.lua?query=/var/lib/ntopng/0/flows/2014-15-15/07/08/01/45.sqlite
 </div>
    ]]
 
@@ -71,4 +71,4 @@ else
 end
 end
 print ('<strong>Total flows: ' .. num .. '</strong>')
-dofile(dirs.installdir .. "/scripts/lua/inc/footer.lua")
+dofile(dirs.installdir .. "/scripts/lua/inc/footer.lua")

scripts/lua/inc/footer.lua

@@ -71,6 +71,12 @@ if have_nedge then
   )
 end
 
+if(dirs.workingdir == "/var/tmp/ntopng") then
+   print('<br><A HREF="https://www.ntop.org/support/faq/migrate-the-data-directory-in-ntopng/"><span class="badge badge-warning">')
+   print(i18n("about.datadir_warning"))
+   print('</span></a>')
+end
+
 if(info["pro.systemid"] and (info["pro.systemid"] ~= "")) then
    local do_show = false
 

src/Ntop.cpp

@@ -93,8 +93,11 @@ Ntop::Ntop(char *appName) {
   dirs[0] = startup_dir;
   dirs[1] = install_dir;
 #else
-  /* Folder will be created lazily, avoid creating it now */
-  snprintf(working_dir, sizeof(working_dir), "%s/ntopng", CONST_DEFAULT_WRITABLE_DIR);
+  /* Note: working_dir folder will be created lazily, avoid creating it now */
+  if (Utils::dir_exists(CONST_OLD_DEFAULT_DATA_DIR)) /* keep using the old dir */
+    snprintf(working_dir, sizeof(working_dir), CONST_OLD_DEFAULT_DATA_DIR);
+  else
+    snprintf(working_dir, sizeof(working_dir), CONST_DEFAULT_DATA_DIR);
 
   //umask(0);
 

src/Prefs.cpp

@@ -70,6 +70,7 @@ Prefs::Prefs(Ntop *_ntop) {
   https_port = 0; // CONST_DEFAULT_NTOP_PORT+1;
   change_user = true, daemonize = false;
   user = strdup(CONST_DEFAULT_NTOP_USER);
+  user_set = false;
   http_binding_address1 = NULL;
   http_binding_address2 = NULL;
   https_binding_address1 = NULL; // CONST_ANY_ADDRESS;
@@ -1203,8 +1204,7 @@ int Prefs::setOption(int optkey, char *optarg) {
     break;
 
   case 'U':
-    free(user);
-    user = strdup(optarg);
+    set_user(optarg);
     break;
 
   case 'V':
@@ -1359,6 +1359,12 @@ int Prefs::checkOptions() {
   if(https_binding_address1 == NULL) https_binding_address1 = strdup(CONST_ANY_ADDRESS);
   if(https_binding_address2 == NULL) https_binding_address2 = strdup(CONST_ANY_ADDRESS);
 
+  if (strcmp(ntop->get_working_dir(), CONST_OLD_DEFAULT_DATA_DIR) == 0 && !is_user_set()) {
+    /* Using the old /var/tmp/ntopng with the default user:
+     * keep using 'nobody' to preserve backward compaitibility */
+    set_user(CONST_OLD_DEFAULT_NTOP_USER);
+  }
+
   return(0);
 }
 

src/Utils.cpp

@@ -484,7 +484,8 @@ int Utils::dropPrivileges() {
   pw = getpwnam(username);
 
   if(pw == NULL) {
-    username = "anonymous";
+    /* if the user (e.g. 'ntopng') does not exists, falls back to 'nobody' */
+    username = CONST_OLD_DEFAULT_NTOP_USER;
     pw = getpwnam(username);
   }
 

src/main.cpp

@@ -313,8 +313,9 @@ int main(int argc, char *argv[])
    */
   if(prefs->do_change_user()
      && (prefs->get_http_port()  >= 1024)
-     && (prefs->get_https_port() >= 1024))
+     && (prefs->get_https_port() >= 1024)) {
     Utils::dropPrivileges();
+  }
 
   ntop->loadGeolocation(prefs->get_docs_dir());
   ntop->loadMacManufacturers(prefs->get_docs_dir());
@@ -352,8 +353,8 @@ int main(int argc, char *argv[])
   
   if((fd = fopen(path, "w")) == NULL) {
     ntop->getTrace()->traceEvent(TRACE_ERROR,
-				 "Unable to write on %s [%s]: %s. Please specify a different directory (-d)",
-				 ntop->get_working_dir(), path, strerror(errno));
+				 "Unable to write on %s as '%s' [%s]: %s. Please specify a different directory (-d)",
+				 ntop->get_working_dir(), prefs->get_user(), path, strerror(errno));
     exit(EXIT_FAILURE);
   } else {
     chmod(path, CONST_DEFAULT_FILE_MODE);