From 5ef522193f6c1196a5e3565f2da8b88ff9b11e68 Mon Sep 17 00:00:00 2001 From: Julien Malik Date: Fri, 2 Sep 2016 13:07:59 +0200 Subject: [PATCH] =?UTF-8?q?[enh]=C2=A0Run=20under=20a=20specific=20agendav?= =?UTF-8?q?=20user,=20lock=20down=20write=20access=20to=20web/var?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- conf/nginx.conf | 2 +- conf/php-fpm.conf | 4 ++-- scripts/backup | 2 +- scripts/install | 22 +++++++++++++++------- scripts/remove | 8 +++++++- scripts/restore | 12 +++++++++--- scripts/upgrade | 24 +++++++++++++++++------- 7 files changed, 52 insertions(+), 22 deletions(-) diff --git a/conf/nginx.conf b/conf/nginx.conf index 22d77d6..baeceae 100644 --- a/conf/nginx.conf +++ b/conf/nginx.conf @@ -22,7 +22,7 @@ location {PATH}/ { location ~ ^{PATH}/index\.php(/|$) { fastcgi_split_path_info ^(.+?\.php)(/.*)$; - fastcgi_pass unix:/var/run/php5-fpm-agendav.sock; + fastcgi_pass unix:/var/run/php5-fpm-{POOLNAME}.sock; fastcgi_index index.php; include fastcgi_params; fastcgi_param REMOTE_USER $remote_user; diff --git a/conf/php-fpm.conf b/conf/php-fpm.conf index e249310..49fb4a9 100644 --- a/conf/php-fpm.conf +++ b/conf/php-fpm.conf @@ -8,8 +8,8 @@ listen.group = www-data listen.mode = 0600 ; Unix user/group of processes. -user = www-data -group = www-data +user = {USER} +group = {GROUP} ; Choose how the process manager will control the number of child processes. pm = dynamic diff --git a/scripts/backup b/scripts/backup index 24dc7bb..7b57653 100644 --- a/scripts/backup +++ b/scripts/backup @@ -3,7 +3,7 @@ set -eu # Set app specific variables -app="agendav" +app="$YNH_APP_INSTANCE_NAME" dbname=$app dbuser=$app diff --git a/scripts/install b/scripts/install index a4c3b7b..3dc40cd 100644 --- a/scripts/install +++ b/scripts/install @@ -11,7 +11,7 @@ language=$3 source ./_common.sh # Set app specific variables -app="agendav" +app="$YNH_APP_INSTANCE_NAME" dbname=$app dbuser=$app 
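Review bot: Switching the pool to `user = {USER}` / `group = {GROUP}` changes who PHP runs as, but the context lines `listen.group = www-data` and `listen.mode = 0600` mean the web server can only connect to the socket if `listen.owner` is still www-data, and that directive is outside this hunk. If `listen.owner` were templated to `{USER}` as well, nginx (presumably running as www-data on this platform) would get permission denied on a 0600 socket. Worth confirming `listen.owner = www-data` is unchanged, and a comment such as `; socket stays owned by www-data so nginx can connect; PHP itself runs as {USER}` above the `user` line would make the intentional split obvious to the next maintainer.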
@@ -23,6 +23,9 @@ sudo yunohost app checkurl "${domain}${path}" -a "$app" \ language=${LANGUAGES[$3]} ynh_app_setting_set "$app" language "$language" +# Define LOGDIR (create it later when user is created) +LOGDIR=/var/log/$app + # Check destination directory DESTDIR="/var/www/${app}" [[ -d "$DESTDIR" ]] && ynh_die \ @@ -54,10 +57,6 @@ encryptkey=$(ynh_string_random 24) ynh_app_setting_set "$app" encryptkey "$encryptkey" ynh_app_setting_set "$app" mysqlpwd "$dbpass" -# Create log directory -LOGDIR=/var/log/agendav -sudo install -m 750 -o www-data -d "$LOGDIR" - # Copy and set AgenDAV configuration conf_path="${TMPDIR}/web/config/settings.php" cp ../conf/settings.php "$conf_path" @@ -78,13 +77,19 @@ sed -i "s@{CALDAV_DOMAIN}@${caldav_domain}@g" "$conf_path" # Install files and set permissions sudo mv "$TMPDIR" "$DESTDIR" +sudo useradd -c "$app system account" \ + -d /var/www/$app --system --user-group $app --shell /usr/sbin/nologin \ + || ynh_die "Unable to create $app system account" sudo chown -hR root: "$DESTDIR" -sudo chown -hR www-data: "${DESTDIR}/web" +sudo chown -hR $app: "${DESTDIR}/web/var" sudo chmod -R 750 "${DESTDIR}/web/var" +# Create log directory +sudo install -m 750 -o $app -g adm -d "$LOGDIR" + # Initialize database ynh_mysql_create_db "$dbname" "$dbuser" "$dbpass" -(cd "$DESTDIR" && sudo sudo -u www-data \ +(cd "$DESTDIR" && sudo sudo -u $app \ php agendavcli migrations:migrate --no-interaction) \ || ynh_die "Unable to create AgenDAV tables" @@ -93,6 +98,7 @@ nginx_conf="/etc/nginx/conf.d/${domain}.d/${app}.conf" sed -i "s@{PATH}@${path}@g" ../conf/nginx.conf sed -i "s@{LOCATION}@${path:-/}@g" ../conf/nginx.conf sed -i "s@{DESTDIR}@${DESTDIR}@g" ../conf/nginx.conf +sed -i "s@{POOLNAME}@${app}@g" ../conf/nginx.conf # comment redirection in case of an installation at root [[ -n "$path" ]] || sed -i '$s/^/#/' ../conf/nginx.conf sudo cp ../conf/nginx.conf "$nginx_conf" 
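Review bot: The new `sudo useradd ... $app ... || ynh_die` in the install hunk aborts the installation outright when the account already exists, which can happen after a partially failed remove (the remove script only best-effort `deluser`s with `|| true`), whereas restore and upgrade guard the same call with `if ! id -u $app > /dev/null 2>&1 ; then ... fi`. Use the same guard here so the three scripts agree, and quote the expansions on the new lines (`-d "/var/www/$app"`, `sudo chown -hR "$app": "${DESTDIR}/web/var"`, `-o "$app"`) to match how the rest of the file quotes `$DESTDIR`. Since `chown -hR root: "$DESTDIR"` now leaves only `web/var` writable, a one-line comment such as `# whole tree is root-owned; only web/var is writable by the app user` above the chown lines would document the intent of the lockdown.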
@@ -101,6 +107,8 @@ sudo cp ../conf/nginx.conf "$nginx_conf" phpfpm_conf="/etc/php5/fpm/pool.d/${app}.conf" sed -i "s@{POOLNAME}@${app}@g" ../conf/php-fpm.conf sed -i "s@{DESTDIR}@${DESTDIR}/@g" ../conf/php-fpm.conf +sed -i "s@{USER}@${app}@g" ../conf/php-fpm.conf +sed -i "s@{GROUP}@${app}@g" ../conf/php-fpm.conf sudo cp ../conf/php-fpm.conf "$phpfpm_conf" # Reload services diff --git a/scripts/remove b/scripts/remove index 110cf1d..3c22df3 100644 --- a/scripts/remove +++ b/scripts/remove @@ -1,7 +1,7 @@ #!/bin/bash # Set app specific variables -app="agendav" +app="$YNH_APP_INSTANCE_NAME" dbname=$app dbuser=$app @@ -23,3 +23,9 @@ sudo rm -f "/etc/php5/fpm/pool.d/${app}.conf" # Reload services sudo service php5-fpm restart || true sudo service nginx reload || true + +# Remove the user account +# (must be done after php-fpm restart) +id "$app" >/dev/null 2>&1 \ + && sudo deluser --quiet --remove-home "$app" >/dev/null \ + || true diff --git a/scripts/restore b/scripts/restore index 29d15f7..8bea2a4 100644 --- a/scripts/restore +++ b/scripts/restore @@ -3,7 +3,7 @@ set -eu # Set app specific variables -app="agendav" +app="$YNH_APP_INSTANCE_NAME" dbname=$app dbuser=$app @@ -46,10 +46,16 @@ else ynh_die "You must install Baïkal or Radicale before" fi +if ! id -u $app > /dev/null 2>&1 ; then + sudo useradd -c "$app system account" \ + -d /var/www/$app --system --user-group $app --shell /usr/sbin/nologin \ + || ynh_die "Unable to create $app system account" +fi + # Restore the app files and set permissions sudo cp -a ./sources "$DESTDIR" sudo chown -hR root: "$DESTDIR" -sudo chown -hR www-data: "${DESTDIR}/web" +sudo chown -hR $app: "${DESTDIR}/web/var" sudo chmod -R 750 "${DESTDIR}/web/var" # Clean caches 
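Review bot: `app="$YNH_APP_INSTANCE_NAME"` in scripts/remove replaces a literal with an environment variable, but unlike backup, restore and upgrade (whose hunk headers show `set -eu`), the first seven lines of remove visible here show no `set -eu`, so an unset variable silently yields `app=""`. Every path built from it afterwards, the visible `sudo rm -f "/etc/php5/fpm/pool.d/${app}.conf"` and any removal of `/var/www/$app` earlier in the script (outside this hunk), then degrades to its parent directory. Fail closed instead: `app="${YNH_APP_INSTANCE_NAME:?YNH_APP_INSTANCE_NAME is not set}"`, or add `set -eu` after the shebang as the other scripts do.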
@@ -66,7 +72,7 @@ sudo sed -i "s@^\(\$app\['caldav.baseurl.public'\] = \).*\ @\1'${caldav_domain}';@g" "$conf_path" # Create log directory -sudo install -m 750 -o www-data -d "/var/log/${app}" +sudo install -m 750 -o www-data -g adm -d "/var/log/${app}" # Create and restore the database ynh_mysql_create_db "$dbname" "$dbuser" "$dbpass" diff --git a/scripts/upgrade b/scripts/upgrade index 65a5d04..aba3bce 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -6,7 +6,7 @@ set -eu source ./_common.sh # Set app specific variables -app="agendav" +app="$YNH_APP_INSTANCE_NAME" dbname=$app dbuser=$app @@ -29,6 +29,9 @@ if [[ -z "$language" ]]; then ynh_app_setting_set "$app" language "$language" fi +# Define LOGDIR (create it later when user is created) +LOGDIR=/var/log/$app + # Check destination directory DESTDIR="/var/www/$app" [[ ! -d $DESTDIR ]] && ynh_die \ @@ -54,10 +57,6 @@ ynh_package_is_installed "php5-cli" \ TMPDIR=$(ynh_mkdir_tmp) extract_agendav "$TMPDIR" -# Create log directory -LOGDIR=/var/log/agendav -sudo install -m 750 -o www-data -d "$LOGDIR" - # Copy and set AgenDAV configuration conf_path="${TMPDIR}/web/config/settings.php" cp ../conf/settings.php "$conf_path" 
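Review bot: The restored log directory is still created with `-o www-data` (`sudo install -m 750 -o www-data -g adm -d "/var/log/${app}"`), while the install and upgrade scripts in this same patch use `-o $app`, and the php-fpm pool written by install runs PHP as `$app`. With mode 750, owner www-data and group adm, the `$app` user matches neither owner nor group, so after a restore the application presumably cannot write to its own log directory. Change the line to `sudo install -m 750 -o "$app" -g adm -d "/var/log/${app}"` so all three scripts agree.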
@@ -79,12 +78,20 @@ sed -i "s@{CALDAV_DOMAIN}@${caldav_domain}@g" "$conf_path" # Replace files and set permissions sudo rm -rf "$DESTDIR" sudo mv "$TMPDIR" "$DESTDIR" +if ! id -u $app > /dev/null 2>&1 ; then + sudo useradd -c "$app system account" \ + -d /var/www/$app --system --user-group $app --shell /usr/sbin/nologin \ + || ynh_die "Unable to create $app system account" +fi sudo chown -hR root: "$DESTDIR" -sudo chown -hR www-data: "${DESTDIR}/web" +sudo chown -hR $app: "${DESTDIR}/web/var" sudo chmod -R 750 "${DESTDIR}/web/var" +# Create log directory +sudo install -m 750 -o $app -g adm -d "$LOGDIR" + # Run database migrations -(cd "$DESTDIR" && sudo sudo -u www-data \ +(cd "$DESTDIR" && sudo sudo -u $app \ php agendavcli migrations:migrate --no-interaction) \ || ynh_die "Unable to run AgenDAV database migration" @@ -93,6 +100,7 @@ nginx_conf="/etc/nginx/conf.d/${domain}.d/${app}.conf" sed -i "s@{PATH}@${path}@g" ../conf/nginx.conf sed -i "s@{LOCATION}@${path:-/}@g" ../conf/nginx.conf sed -i "s@{DESTDIR}@${DESTDIR}@g" ../conf/nginx.conf +sed -i "s@{POOLNAME}@${app}@g" ../conf/nginx.conf # comment redirection in case of an installation at root [[ -n "$path" ]] || sed -i '$s/^/#/' ../conf/nginx.conf sudo cp ../conf/nginx.conf "$nginx_conf" @@ -101,6 +109,8 @@ sudo cp ../conf/nginx.conf "$nginx_conf" phpfpm_conf="/etc/php5/fpm/pool.d/${app}.conf" sed -i "s@{POOLNAME}@${app}@g" ../conf/php-fpm.conf sed -i "s@{DESTDIR}@${DESTDIR}/@g" ../conf/php-fpm.conf +sed -i "s@{USER}@${app}@g" ../conf/php-fpm.conf +sed -i "s@{GROUP}@${app}@g" ../conf/php-fpm.conf sudo cp ../conf/php-fpm.conf "$phpfpm_conf" # Reload services
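Review bot: On an instance upgraded from the previous version `$LOGDIR` already exists and was created owned by www-data (see the removed `install -m 750 -o www-data` lines in the earlier upgrade hunk), and the new `sudo install -m 750 -o $app -g adm -d "$LOGDIR"` at most adjusts the directory itself; any log files already inside keep their www-data ownership, so the pool now running as `$app` may be unable to append to them. Add `sudo chown -R "$app":adm "$LOGDIR"` after the install line, or a one-off migration step that does the same. The new `id -u $app` guard and the `chown -hR $app:` line would also benefit from quoting `"$app"` as the rest of the script quotes `"$DESTDIR"`.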