YunoHost-Apps/agendav_ynh
1
0
Fork 0
mirror of https://github.com/YunoHost-Apps/agendav_ynh.git synced 2024-09-03 20:36:12 +02:00
Code Issues Activity Actions

[enh] Run under a specific agendav user, lock down write access to web/var

Browse source
This commit is contained in:
Julien Malik 2016-09-02 13:07:59 +02:00
parent 89c450aed1
commit 5ef522193f
7 changed files with 52 additions and 22 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
conf/nginx.conf
View file

@ -22,7 +22,7 @@ location {PATH}/ {
location ~ ^{PATH}/index\.php(/|$) { location ~ ^{PATH}/index\.php(/|$) {
fastcgi_split_path_info ^(.+?\.php)(/.*)$; fastcgi_split_path_info ^(.+?\.php)(/.*)$;
fastcgi_pass unix:/var/run/php5-fpm-agendav.sock; fastcgi_pass unix:/var/run/php5-fpm-{POOLNAME}.sock;
fastcgi_index index.php; fastcgi_index index.php;
include fastcgi_params; include fastcgi_params;
fastcgi_param REMOTE_USER $remote_user; fastcgi_param REMOTE_USER $remote_user;

4
conf/php-fpm.conf
View file

@ -8,8 +8,8 @@ listen.group = www-data
listen.mode = 0600 listen.mode = 0600
; Unix user/group of processes. ; Unix user/group of processes.
user = www-data user = {USER}
group = www-data group = {GROUP}
; Choose how the process manager will control the number of child processes. ; Choose how the process manager will control the number of child processes.
pm = dynamic pm = dynamic

2
scripts/backup
View file

@ -3,7 +3,7 @@
set -eu set -eu
# Set app specific variables # Set app specific variables
app="agendav" app="$YNH_APP_INSTANCE_NAME"
dbname=$app dbname=$app
dbuser=$app dbuser=$app

22
scripts/install
View file

@ -11,7 +11,7 @@ language=$3
source ./_common.sh source ./_common.sh
# Set app specific variables # Set app specific variables
app="agendav" app="$YNH_APP_INSTANCE_NAME"
dbname=$app dbname=$app
dbuser=$app dbuser=$app
@ -23,6 +23,9 @@ sudo yunohost app checkurl "${domain}${path}" -a "$app" \
language=${LANGUAGES[$3]} language=${LANGUAGES[$3]}
ynh_app_setting_set "$app" language "$language" ynh_app_setting_set "$app" language "$language"
# Define LOGDIR (create it later when user is created)
LOGDIR=/var/log/$app
# Check destination directory # Check destination directory
DESTDIR="/var/www/${app}" DESTDIR="/var/www/${app}"
[[ -d "$DESTDIR" ]] && ynh_die \ [[ -d "$DESTDIR" ]] && ynh_die \
@ -54,10 +57,6 @@ encryptkey=$(ynh_string_random 24)
ynh_app_setting_set "$app" encryptkey "$encryptkey" ynh_app_setting_set "$app" encryptkey "$encryptkey"
ynh_app_setting_set "$app" mysqlpwd "$dbpass" ynh_app_setting_set "$app" mysqlpwd "$dbpass"
# Create log directory
LOGDIR=/var/log/agendav
sudo install -m 750 -o www-data -d "$LOGDIR"
# Copy and set AgenDAV configuration # Copy and set AgenDAV configuration
conf_path="${TMPDIR}/web/config/settings.php" conf_path="${TMPDIR}/web/config/settings.php"
cp ../conf/settings.php "$conf_path" cp ../conf/settings.php "$conf_path"
@ -78,13 +77,19 @@ sed -i "s@{CALDAV_DOMAIN}@${caldav_domain}@g" "$conf_path"
# Install files and set permissions # Install files and set permissions
sudo mv "$TMPDIR" "$DESTDIR" sudo mv "$TMPDIR" "$DESTDIR"
sudo useradd -c "$app system account" \
-d /var/www/$app --system --user-group $app --shell /usr/sbin/nologin \
|| ynh_die "Unable to create $app system account"
sudo chown -hR root: "$DESTDIR" sudo chown -hR root: "$DESTDIR"
sudo chown -hR www-data: "${DESTDIR}/web" sudo chown -hR $app: "${DESTDIR}/web/var"
sudo chmod -R 750 "${DESTDIR}/web/var" sudo chmod -R 750 "${DESTDIR}/web/var"
# Create log directory
sudo install -m 750 -o $app -g adm -d "$LOGDIR"
# Initialize database # Initialize database
ynh_mysql_create_db "$dbname" "$dbuser" "$dbpass" ynh_mysql_create_db "$dbname" "$dbuser" "$dbpass"
(cd "$DESTDIR" && sudo sudo -u www-data \ (cd "$DESTDIR" && sudo sudo -u $app \
php agendavcli migrations:migrate --no-interaction) \ php agendavcli migrations:migrate --no-interaction) \
|| ynh_die "Unable to create AgenDAV tables" || ynh_die "Unable to create AgenDAV tables"
@ -93,6 +98,7 @@ nginx_conf="/etc/nginx/conf.d/${domain}.d/${app}.conf"
sed -i "s@{PATH}@${path}@g" ../conf/nginx.conf sed -i "s@{PATH}@${path}@g" ../conf/nginx.conf
sed -i "s@{LOCATION}@${path:-/}@g" ../conf/nginx.conf sed -i "s@{LOCATION}@${path:-/}@g" ../conf/nginx.conf
sed -i "s@{DESTDIR}@${DESTDIR}@g" ../conf/nginx.conf sed -i "s@{DESTDIR}@${DESTDIR}@g" ../conf/nginx.conf
sed -i "s@{POOLNAME}@${app}@g" ../conf/nginx.conf
# comment redirection in case of an installation at root # comment redirection in case of an installation at root
[[ -n "$path" ]] || sed -i '$s/^/#/' ../conf/nginx.conf [[ -n "$path" ]] || sed -i '$s/^/#/' ../conf/nginx.conf
sudo cp ../conf/nginx.conf "$nginx_conf" sudo cp ../conf/nginx.conf "$nginx_conf"
@ -101,6 +107,8 @@ sudo cp ../conf/nginx.conf "$nginx_conf"
phpfpm_conf="/etc/php5/fpm/pool.d/${app}.conf" phpfpm_conf="/etc/php5/fpm/pool.d/${app}.conf"
sed -i "s@{POOLNAME}@${app}@g" ../conf/php-fpm.conf sed -i "s@{POOLNAME}@${app}@g" ../conf/php-fpm.conf
sed -i "s@{DESTDIR}@${DESTDIR}/@g" ../conf/php-fpm.conf sed -i "s@{DESTDIR}@${DESTDIR}/@g" ../conf/php-fpm.conf
sed -i "s@{USER}@${app}@g" ../conf/php-fpm.conf
sed -i "s@{GROUP}@${app}@g" ../conf/php-fpm.conf
sudo cp ../conf/php-fpm.conf "$phpfpm_conf" sudo cp ../conf/php-fpm.conf "$phpfpm_conf"
# Reload services # Reload services

8
scripts/remove
View file

@ -1,7 +1,7 @@
#!/bin/bash #!/bin/bash
# Set app specific variables # Set app specific variables
app="agendav" app="$YNH_APP_INSTANCE_NAME"
dbname=$app dbname=$app
dbuser=$app dbuser=$app
@ -23,3 +23,9 @@ sudo rm -f "/etc/php5/fpm/pool.d/${app}.conf"
# Reload services # Reload services
sudo service php5-fpm restart || true sudo service php5-fpm restart || true
sudo service nginx reload || true sudo service nginx reload || true
# Remove the user account
# (must be done after php-fpm restart)
id "$app" >/dev/null 2>&1 \
&& sudo deluser --quiet --remove-home "$app" >/dev/null \
|| true

12
scripts/restore
View file

@ -3,7 +3,7 @@
set -eu set -eu
# Set app specific variables # Set app specific variables
app="agendav" app="$YNH_APP_INSTANCE_NAME"
dbname=$app dbname=$app
dbuser=$app dbuser=$app
@ -46,10 +46,16 @@ else
ynh_die "You must install Baïkal or Radicale before" ynh_die "You must install Baïkal or Radicale before"
fi fi
if ! id -u $app > /dev/null 2>&1 ; then
sudo useradd -c "$app system account" \
-d /var/www/$app --system --user-group $app --shell /usr/sbin/nologin \
|| ynh_die "Unable to create $app system account"
fi
# Restore the app files and set permissions # Restore the app files and set permissions
sudo cp -a ./sources "$DESTDIR" sudo cp -a ./sources "$DESTDIR"
sudo chown -hR root: "$DESTDIR" sudo chown -hR root: "$DESTDIR"
sudo chown -hR www-data: "${DESTDIR}/web" sudo chown -hR $app: "${DESTDIR}/web/var"
sudo chmod -R 750 "${DESTDIR}/web/var" sudo chmod -R 750 "${DESTDIR}/web/var"
# Clean caches # Clean caches
@ -66,7 +72,7 @@ sudo sed -i "s@^\(\$app\['caldav.baseurl.public'\] = \).*\
@\1'${caldav_domain}';@g" "$conf_path" @\1'${caldav_domain}';@g" "$conf_path"
# Create log directory # Create log directory
sudo install -m 750 -o www-data -d "/var/log/${app}" sudo install -m 750 -o www-data -g adm -d "/var/log/${app}"
# Create and restore the database # Create and restore the database
ynh_mysql_create_db "$dbname" "$dbuser" "$dbpass" ynh_mysql_create_db "$dbname" "$dbuser" "$dbpass"

24
scripts/upgrade
View file

@ -6,7 +6,7 @@ set -eu
source ./_common.sh source ./_common.sh
# Set app specific variables # Set app specific variables
app="agendav" app="$YNH_APP_INSTANCE_NAME"
dbname=$app dbname=$app
dbuser=$app dbuser=$app
@ -29,6 +29,9 @@ if [[ -z "$language" ]]; then
ynh_app_setting_set "$app" language "$language" ynh_app_setting_set "$app" language "$language"
fi fi
# Define LOGDIR (create it later when user is created)
LOGDIR=/var/log/$app
# Check destination directory # Check destination directory
DESTDIR="/var/www/$app" DESTDIR="/var/www/$app"
[[ ! -d $DESTDIR ]] && ynh_die \ [[ ! -d $DESTDIR ]] && ynh_die \
@ -54,10 +57,6 @@ ynh_package_is_installed "php5-cli" \
TMPDIR=$(ynh_mkdir_tmp) TMPDIR=$(ynh_mkdir_tmp)
extract_agendav "$TMPDIR" extract_agendav "$TMPDIR"
# Create log directory
LOGDIR=/var/log/agendav
sudo install -m 750 -o www-data -d "$LOGDIR"
# Copy and set AgenDAV configuration # Copy and set AgenDAV configuration
conf_path="${TMPDIR}/web/config/settings.php" conf_path="${TMPDIR}/web/config/settings.php"
cp ../conf/settings.php "$conf_path" cp ../conf/settings.php "$conf_path"
@ -79,12 +78,20 @@ sed -i "s@{CALDAV_DOMAIN}@${caldav_domain}@g" "$conf_path"
# Replace files and set permissions # Replace files and set permissions
sudo rm -rf "$DESTDIR" sudo rm -rf "$DESTDIR"
sudo mv "$TMPDIR" "$DESTDIR" sudo mv "$TMPDIR" "$DESTDIR"
if ! id -u $app > /dev/null 2>&1 ; then
sudo useradd -c "$app system account" \
-d /var/www/$app --system --user-group $app --shell /usr/sbin/nologin \
|| ynh_die "Unable to create $app system account"
fi
sudo chown -hR root: "$DESTDIR" sudo chown -hR root: "$DESTDIR"
sudo chown -hR www-data: "${DESTDIR}/web" sudo chown -hR $app: "${DESTDIR}/web/var"
sudo chmod -R 750 "${DESTDIR}/web/var" sudo chmod -R 750 "${DESTDIR}/web/var"
# Create log directory
sudo install -m 750 -o $app -g adm -d "$LOGDIR"
# Run database migrations # Run database migrations
(cd "$DESTDIR" && sudo sudo -u www-data \ (cd "$DESTDIR" && sudo sudo -u $app \
php agendavcli migrations:migrate --no-interaction) \ php agendavcli migrations:migrate --no-interaction) \
|| ynh_die "Unable to run AgenDAV database migration" || ynh_die "Unable to run AgenDAV database migration"
@ -93,6 +100,7 @@ nginx_conf="/etc/nginx/conf.d/${domain}.d/${app}.conf"
sed -i "s@{PATH}@${path}@g" ../conf/nginx.conf sed -i "s@{PATH}@${path}@g" ../conf/nginx.conf
sed -i "s@{LOCATION}@${path:-/}@g" ../conf/nginx.conf sed -i "s@{LOCATION}@${path:-/}@g" ../conf/nginx.conf
sed -i "s@{DESTDIR}@${DESTDIR}@g" ../conf/nginx.conf sed -i "s@{DESTDIR}@${DESTDIR}@g" ../conf/nginx.conf
sed -i "s@{POOLNAME}@${app}@g" ../conf/nginx.conf
# comment redirection in case of an installation at root # comment redirection in case of an installation at root
[[ -n "$path" ]] || sed -i '$s/^/#/' ../conf/nginx.conf [[ -n "$path" ]] || sed -i '$s/^/#/' ../conf/nginx.conf
sudo cp ../conf/nginx.conf "$nginx_conf" sudo cp ../conf/nginx.conf "$nginx_conf"
@ -101,6 +109,8 @@ sudo cp ../conf/nginx.conf "$nginx_conf"
phpfpm_conf="/etc/php5/fpm/pool.d/${app}.conf" phpfpm_conf="/etc/php5/fpm/pool.d/${app}.conf"
sed -i "s@{POOLNAME}@${app}@g" ../conf/php-fpm.conf sed -i "s@{POOLNAME}@${app}@g" ../conf/php-fpm.conf
sed -i "s@{DESTDIR}@${DESTDIR}/@g" ../conf/php-fpm.conf sed -i "s@{DESTDIR}@${DESTDIR}/@g" ../conf/php-fpm.conf
sed -i "s@{USER}@${app}@g" ../conf/php-fpm.conf
sed -i "s@{GROUP}@${app}@g" ../conf/php-fpm.conf
sudo cp ../conf/php-fpm.conf "$phpfpm_conf" sudo cp ../conf/php-fpm.conf "$phpfpm_conf"
# Reload services # Reload services