diff --git a/conf/php-fpm.conf b/conf/php-fpm.conf index e249310..49fb4a9 100644 --- a/conf/php-fpm.conf +++ b/conf/php-fpm.conf @@ -8,8 +8,8 @@ listen.group = www-data listen.mode = 0600 ; Unix user/group of processes. -user = www-data -group = www-data +user = {USER} +group = {GROUP} ; Choose how the process manager will control the number of child processes. pm = dynamic diff --git a/scripts/install b/scripts/install index 74c1aeb..4ff3d5c 100644 --- a/scripts/install +++ b/scripts/install @@ -62,8 +62,13 @@ sed -i "s@#DESKEY#@${deskey}@g" "$bk_conf" touch "${TMPDIR}/Specific/INSTALL_DISABLED" # Install files and set permissions +sudo useradd -c "$app system account" \ + -d /var/www/$app --system --user-group $app --shell /usr/sbin/nologin \ + || ynh_die "Unable to create $app system account" sudo mv "$TMPDIR" "$DESTDIR" -sudo chown -R www-data: "$DESTDIR" +sudo chown -hR root: "$DESTDIR" +sudo chown $app:root "$DESTDIR/Specific/"{config.php,config.system.php} +sudo chmod 640 "$DESTDIR/Specific/"{config.php,config.system.php} # Copy and set nginx configuration nginx_conf="/etc/nginx/conf.d/${domain}.d/${app}.conf" @@ -77,6 +82,8 @@ sudo cp ../conf/nginx.conf "$nginx_conf" phpfpm_conf="/etc/php5/fpm/pool.d/${app}.conf" sed -i "s@{POOLNAME}@${app}@g" ../conf/php-fpm.conf sed -i "s@{DESTDIR}@${DESTDIR}/@g" ../conf/php-fpm.conf +sed -i "s@{USER}@${app}@g" ../conf/php-fpm.conf +sed -i "s@{GROUP}@${app}@g" ../conf/php-fpm.conf sudo cp ../conf/php-fpm.conf "$phpfpm_conf" # Save app settings diff --git a/scripts/remove b/scripts/remove index ae74e55..1549569 100644 --- a/scripts/remove +++ b/scripts/remove @@ -25,3 +25,9 @@ sudo rm -f "/etc/php5/fpm/pool.d/${app}.conf" # Reload services sudo service php5-fpm restart || true sudo service nginx reload || true + +# Remove the user account +# (must be done after php-fpm restart) +id "$app" >/dev/null 2>&1 \ + && sudo deluser --quiet --remove-home "$app" >/dev/null \ + || true 
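Review bot: In the scripts/install hunk at `@@ -62,8 +62,13 @@`, the added `useradd` and `chown` lines expand `$app` unquoted and put the login name directly after `--user-group`, a flag that takes no argument, so the command reads as if it did. Quoting the name and moving it to the end is clearer: `-d "/var/www/$app" --system --user-group --shell /usr/sbin/nologin "$app"` and `sudo chown "$app":root "$DESTDIR/Specific/"{config.php,config.system.php}`. The same lines recur in the scripts/restore and scripts/upgrade hunks. `chown -hR root:` changes ownership only, so whether the new pool user can read the tree depends on the modes `$TMPDIR` was created and extracted with, which the hunk does not show. An explicit `chmod`, or a comment stating the expected modes, would make that dependency visible.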
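Review bot: In the scripts/remove hunk, the trailing `|| true` hides a failed `deluser`, so an account that could not be deleted stays on the system with no message. This could happen if the php-fpm restart just above, itself `|| true`, did not stop the pool. An `if` with a warning keeps the best-effort behaviour but leaves a trace: `if id "$app" >/dev/null 2>&1; then sudo deluser --quiet --remove-home "$app" >/dev/null || echo "Unable to remove $app system account" >&2; fi`. `--remove-home` deletes the directory passed to `useradd -d` in scripts/install (`/var/www/$app`). A comment saying whether that is the app directory already removed earlier in this script (outside the hunk) would help the reader.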
diff --git a/scripts/restore b/scripts/restore index e394c7f..a6cfe00 100644 --- a/scripts/restore +++ b/scripts/restore @@ -40,7 +40,14 @@ phpfpm_conf="/etc/php5/fpm/pool.d/${app}.conf" # Restore the app files and set permissions sudo cp -a ./sources "$DESTDIR" -sudo chown -R www-data: "$DESTDIR" +if ! id -u $app > /dev/null 2>&1 ; then + sudo useradd -c "$app system account" \ + -d /var/www/$app --system --user-group $app --shell /usr/sbin/nologin \ + || ynh_die "Unable to create $app system account" +fi +sudo chown -hR root: "$DESTDIR" +sudo chown $app:root "$DESTDIR/Specific/"{config.php,config.system.php} +sudo chmod 640 "$DESTDIR/Specific/"{config.php,config.system.php} # Create and restore the database ynh_mysql_create_db "$dbname" "$dbuser" "$dbpass" diff --git a/scripts/upgrade b/scripts/upgrade index 35491a1..4666b56 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -31,8 +31,8 @@ extract_baikal "$TMPDIR" # Get Specific folder from current installation # FIXME: config.php and config.system.php are not updated with possible # new or changed configurations -rm -rf "${TMPDIR}/Specific" -sudo cp -r "${DESTDIR}/Specific" "$TMPDIR" +rm -rf "${TMPDIR}/Specific/*" +sudo cp -r "${DESTDIR}/Specific/"{config.php,config.system.php} "$TMPDIR/Specific" sudo chown -hR "${USER}" "${TMPDIR}/Specific" # Run Baikal upgrade from tmp directory 
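Review bot: In the scripts/restore hunk, the `id -u $app` guard skips account creation for any existing account with that name, including one this package did not create and that may have a login shell or extra group memberships. The php-fpm pool then runs as that account, `config.php` and `config.system.php` are chowned to it, and scripts/remove later deletes it. Consider checking the existing account before reusing it, e.g. `[ "$(getent passwd "$app" | cut -d: -f7)" = /usr/sbin/nologin ] || ynh_die "Existing $app account is not the app system account"`. The same guard is added in the scripts/upgrade hunk at `@@ -42,9 +42,20 @@`.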
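Review bot: In the scripts/upgrade hunk at `@@ -31,8 +31,8 @@`, `rm -rf "${TMPDIR}/Specific/*"` keeps the `*` inside the double quotes, so no glob expansion happens and the command removes nothing (it looks for an entry literally named `*`). If the directory is meant to be emptied, move the glob outside the quotes and guard the variable: `rm -rf "${TMPDIR:?}/Specific/"*`. If the freshly extracted files are meant to stay, drop the line. Copying only `config.php` and `config.system.php` also stops carrying over anything else in `Specific/`, such as the `INSTALL_DISABLED` marker that scripts/install creates (context line of the install hunk). Unless the upgrade step recreates that marker, which is not visible here, the upgraded tree loses a file that by its name presumably keeps the web installer disabled.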
@@ -42,9 +42,20 @@ php "${TMPDIR}/bin/upgrade.sh" \ "https://${domain}${path}/admin/install" # Install new app and set permissions +if ! id -u $app > /dev/null 2>&1 ; then + sudo useradd -c "$app system account" \ + -d /var/www/$app --system --user-group $app --shell /usr/sbin/nologin \ + || ynh_die "Unable to create $app system account" +fi sudo rm -rf "$DESTDIR" sudo mv "$TMPDIR" "$DESTDIR" -sudo chown -R www-data: "$DESTDIR" +sudo chown -hR root: "$DESTDIR" +sudo chown $app:root "$DESTDIR/Specific/"{config.php,config.system.php} +sudo chmod 640 "$DESTDIR/Specific/"{config.php,config.system.php} + +# Cleanup old baikal-admin sessions +# since we may have changed owner of the session file +sudo grep -lr "CSRF_TOKEN|s:" /var/lib/php5/sessions | xargs sudo rm # Copy and set nginx configuration nginx_conf="/etc/nginx/conf.d/${domain}.d/${app}.conf" @@ -58,6 +69,8 @@ sudo cp ../conf/nginx.conf "$nginx_conf" phpfpm_conf="/etc/php5/fpm/pool.d/${app}.conf" sed -i "s@{POOLNAME}@${app}@g" ../conf/php-fpm.conf sed -i "s@{DESTDIR}@${DESTDIR}/@g" ../conf/php-fpm.conf +sed -i "s@{USER}@${app}@g" ../conf/php-fpm.conf +sed -i "s@{GROUP}@${app}@g" ../conf/php-fpm.conf sudo cp ../conf/php-fpm.conf "$phpfpm_conf" # Set SSOwat rules
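Review bot: In the session cleanup of the scripts/upgrade hunk at `@@ -42,9 +42,20 @@`, `xargs` without `-r` still runs `sudo rm` once when `grep` finds no matching file, which fails with a missing-operand error and returns non-zero. If the script runs under `set -e` (not visible here), that would abort the upgrade after `$DESTDIR` has already been replaced. The search also covers every file in the shared `/var/lib/php5/sessions` directory, so sessions of other PHP applications that store a `CSRF_TOKEN` string value would be removed too; a comment stating that this is accepted would help. A more robust form is `sudo grep -lrZF 'CSRF_TOKEN|s:' /var/lib/php5/sessions | xargs -0 -r sudo rm -f --`, where `-F` makes the literal `|` explicit.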