YunoHost-Apps/baikal_ynh
1
0
Fork 0
mirror of https://github.com/YunoHost-Apps/baikal_ynh.git synced 2024-09-03 18:16:11 +02:00
Code Issues Activity Actions

[enh] Run under a specific baikal system user, and lock down permissions to strict minimum

Browse source
This commit is contained in:
Julien Malik 2016-09-05 12:19:13 +02:00
parent 9823ac263c
commit 521dfc72dc
5 changed files with 40 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
conf/php-fpm.conf
View file

@ -8,8 +8,8 @@ listen.group = www-data
listen.mode = 0600 listen.mode = 0600
; Unix user/group of processes. ; Unix user/group of processes.
user = www-data user = {USER}
group = www-data group = {GROUP}
; Choose how the process manager will control the number of child processes. ; Choose how the process manager will control the number of child processes.
pm = dynamic pm = dynamic

9
scripts/install
View file

@ -62,8 +62,13 @@ sed -i "s@#DESKEY#@${deskey}@g" "$bk_conf"
touch "${TMPDIR}/Specific/INSTALL_DISABLED" touch "${TMPDIR}/Specific/INSTALL_DISABLED"
# Install files and set permissions # Install files and set permissions
sudo useradd -c "$app system account" \
-d /var/www/$app --system --user-group $app --shell /usr/sbin/nologin \
|| ynh_die "Unable to create $app system account"
sudo mv "$TMPDIR" "$DESTDIR" sudo mv "$TMPDIR" "$DESTDIR"
sudo chown -R www-data: "$DESTDIR" sudo chown -hR root: "$DESTDIR"
sudo chown $app:root "$DESTDIR/Specific/"{config.php,config.system.php}
sudo chmod 640 "$DESTDIR/Specific/"{config.php,config.system.php}
# Copy and set nginx configuration # Copy and set nginx configuration
nginx_conf="/etc/nginx/conf.d/${domain}.d/${app}.conf" nginx_conf="/etc/nginx/conf.d/${domain}.d/${app}.conf"
@ -77,6 +82,8 @@ sudo cp ../conf/nginx.conf "$nginx_conf"
phpfpm_conf="/etc/php5/fpm/pool.d/${app}.conf" phpfpm_conf="/etc/php5/fpm/pool.d/${app}.conf"
sed -i "s@{POOLNAME}@${app}@g" ../conf/php-fpm.conf sed -i "s@{POOLNAME}@${app}@g" ../conf/php-fpm.conf
sed -i "s@{DESTDIR}@${DESTDIR}/@g" ../conf/php-fpm.conf sed -i "s@{DESTDIR}@${DESTDIR}/@g" ../conf/php-fpm.conf
sed -i "s@{USER}@${app}@g" ../conf/php-fpm.conf
sed -i "s@{GROUP}@${app}@g" ../conf/php-fpm.conf
sudo cp ../conf/php-fpm.conf "$phpfpm_conf" sudo cp ../conf/php-fpm.conf "$phpfpm_conf"
# Save app settings # Save app settings

6
scripts/remove
View file

@ -25,3 +25,9 @@ sudo rm -f "/etc/php5/fpm/pool.d/${app}.conf"
# Reload services # Reload services
sudo service php5-fpm restart || true sudo service php5-fpm restart || true
sudo service nginx reload || true sudo service nginx reload || true
# Remove the user account
# (must be done after php-fpm restart)
id "$app" >/dev/null 2>&1 \
&& sudo deluser --quiet --remove-home "$app" >/dev/null \
|| true

9
scripts/restore
View file

@ -40,7 +40,14 @@ phpfpm_conf="/etc/php5/fpm/pool.d/${app}.conf"
# Restore the app files and set permissions # Restore the app files and set permissions
sudo cp -a ./sources "$DESTDIR" sudo cp -a ./sources "$DESTDIR"
sudo chown -R www-data: "$DESTDIR" if ! id -u $app > /dev/null 2>&1 ; then
sudo useradd -c "$app system account" \
-d /var/www/$app --system --user-group $app --shell /usr/sbin/nologin \
|| ynh_die "Unable to create $app system account"
fi
sudo chown -hR root: "$DESTDIR"
sudo chown $app:root "$DESTDIR/Specific/"{config.php,config.system.php}
sudo chmod 640 "$DESTDIR/Specific/"{config.php,config.system.php}
# Create and restore the database # Create and restore the database
ynh_mysql_create_db "$dbname" "$dbuser" "$dbpass" ynh_mysql_create_db "$dbname" "$dbuser" "$dbpass"

19
scripts/upgrade
View file

@ -31,8 +31,8 @@ extract_baikal "$TMPDIR"
# Get Specific folder from current installation # Get Specific folder from current installation
# FIXME: config.php and config.system.php are not updated with possible # FIXME: config.php and config.system.php are not updated with possible
# new or changed configurations # new or changed configurations
rm -rf "${TMPDIR}/Specific" rm -rf "${TMPDIR}/Specific/*"
sudo cp -r "${DESTDIR}/Specific" "$TMPDIR" sudo cp -r "${DESTDIR}/Specific/"{config.php,config.system.php} "$TMPDIR/Specific"
sudo chown -hR "${USER}" "${TMPDIR}/Specific" sudo chown -hR "${USER}" "${TMPDIR}/Specific"
# Run Baikal upgrade from tmp directory # Run Baikal upgrade from tmp directory
@ -42,9 +42,20 @@ php "${TMPDIR}/bin/upgrade.sh" \
"https://${domain}${path}/admin/install" "https://${domain}${path}/admin/install"
# Install new app and set permissions # Install new app and set permissions
if ! id -u $app > /dev/null 2>&1 ; then
sudo useradd -c "$app system account" \
-d /var/www/$app --system --user-group $app --shell /usr/sbin/nologin \
|| ynh_die "Unable to create $app system account"
fi
sudo rm -rf "$DESTDIR" sudo rm -rf "$DESTDIR"
sudo mv "$TMPDIR" "$DESTDIR" sudo mv "$TMPDIR" "$DESTDIR"
sudo chown -R www-data: "$DESTDIR" sudo chown -hR root: "$DESTDIR"
sudo chown $app:root "$DESTDIR/Specific/"{config.php,config.system.php}
sudo chmod 640 "$DESTDIR/Specific/"{config.php,config.system.php}
# Cleanup old baikal-admin sessions
# since we may have changed owner of the session file
sudo grep -lr "CSRF_TOKEN|s:" /var/lib/php5/sessions | xargs sudo rm
# Copy and set nginx configuration # Copy and set nginx configuration
nginx_conf="/etc/nginx/conf.d/${domain}.d/${app}.conf" nginx_conf="/etc/nginx/conf.d/${domain}.d/${app}.conf"
@ -58,6 +69,8 @@ sudo cp ../conf/nginx.conf "$nginx_conf"
phpfpm_conf="/etc/php5/fpm/pool.d/${app}.conf" phpfpm_conf="/etc/php5/fpm/pool.d/${app}.conf"
sed -i "s@{POOLNAME}@${app}@g" ../conf/php-fpm.conf sed -i "s@{POOLNAME}@${app}@g" ../conf/php-fpm.conf
sed -i "s@{DESTDIR}@${DESTDIR}/@g" ../conf/php-fpm.conf sed -i "s@{DESTDIR}@${DESTDIR}/@g" ../conf/php-fpm.conf
sed -i "s@{USER}@${app}@g" ../conf/php-fpm.conf
sed -i "s@{GROUP}@${app}@g" ../conf/php-fpm.conf
sudo cp ../conf/php-fpm.conf "$phpfpm_conf" sudo cp ../conf/php-fpm.conf "$phpfpm_conf"
# Set SSOwat rules # Set SSOwat rules