From 0bcc6cfc56fc953b88ecab59040f82d1f31f8567 Mon Sep 17 00:00:00 2001
From: root
Date: Fri, 24 Feb 2017 17:06:06 +0100
Subject: [PATCH] Use of dedicated system user
---
 manifest.json | 9 ---------
 scripts/install | 24 +++++++++++++++++++++---
 scripts/remove | 5 +++++
 scripts/restore | 19 +++++++++++++++++++
 scripts/upgrade | 23 +++++++++++++++++++++--
 5 files changed, 66 insertions(+), 14 deletions(-)
diff --git a/manifest.json b/manifest.json
index 8cdd833..5317cc4 100644
--- a/manifest.json
+++ b/manifest.json
@@ -50,15 +50,6 @@
 "example": "/home/yunohost.app/owncloud/data/johndoe/files/eBooks",
 "default": "/home/yunohost.app/owncloud/data/johndoe/files/eBooks"
 },
- {
- "name": "runninguser",
- "ask": {
- "en": "Which system user is managing the Calibre folder ?",
- "fr": "Quel utilisateur système gère le dossier Calibre ?"
- },
- "choices": ["www-data", "owncloud", "nextcloud"],
- "default": "www-data"
- },
 {
 "name": "is_public",
 "ask": {
diff --git a/scripts/install b/scripts/install
index 85ad6ad..e021772 100755
--- a/scripts/install
+++ b/scripts/install
@@ -40,7 +40,7 @@ app=$YNH_APP_INSTANCE_NAME
 domain=$YNH_APP_ARG_DOMAIN
 path=$YNH_APP_ARG_PATH
 is_public=$YNH_APP_ARG_IS_PUBLIC
-runninguser=$YNH_APP_ARG_RUNNINGUSER
+#runninguser=$YNH_APP_ARG_RUNNINGUSER
 calibre=$YNH_APP_ARG_CALIBRE
 # No basic auth if app is private
@@ -112,7 +112,6 @@ ynh_app_setting_set "$app" domain "$domain"
 #ynh_app_setting_set "$app" path "$path"
 ynh_app_setting_set "$app" is_public "$is_public"
 ynh_app_setting_set "$app" final_path "$final_path"
-ynh_app_setting_set "$app" runninguser "$runninguser"
 ynh_app_setting_set "$app" calibre "$calibre"
 ynh_app_setting_set "$app" basicauthcreate "$basicauthcreate"
@@ -148,8 +147,27 @@ sed -i "s@TIMEZONETOCHANGE@$timezone@g" ../conf/config_local.php
 sudo cp ../conf/config_local.php $final_path
 sudo cp ../conf/robots.txt $final_path
+# Create cops user and join nextcloud/owncloud/www-data groups
+runninguser="${app}-ynh"
+# 1. Create the user
+# Create a system account for COPS
+sudo useradd -c "$runninguser system account" \
+ -d $final_path --system --user-group $runninguser \
+ || ynh_die "Unable to create $runninguser system account"
+ynh_app_setting_set "$app" runninguser "$runninguser"
+
+# 2. Add cops-ynh to groups www-data and nextcloud/owncloud if they exist
+sudo usermod -a -G www-data $runninguser
+for filesharing in "nextcloud" "owncloud"; do
+ app_id=$(sudo yunohost app list --installed -f "$filesharing" \
+ --output-as json | grep -Po '"id":[ ]?"\K.*?(?=")' | head -1)
+ [[ -z "$app_id" ]] || {
+ sudo usermod -a -G $filesharing $runninguser
+ }
+done
+
 # Set permissions
-sudo chmod 775 -R $final_path
+sudo chmod ug+rw -R $final_path
 sudo chown -hR $runninguser:$runninguser $final_path
 # Add basic auth if requested
diff --git a/scripts/remove b/scripts/remove
index 8b905c1..8ace49c 100755
--- a/scripts/remove
+++ b/scripts/remove
@@ -27,6 +27,7 @@ domain=$(ynh_app_setting_get $app domain)
 final_path=$(ynh_app_setting_get $app final_path)
 finalnginxconf=$(ynh_app_setting_get $app finalnginxconf)
 finalphpconf=$(ynh_app_setting_get $app finalphpconf)
+runninguser=$app-ynh
 # Suppression du dossier de la webapp
 sudo rm -rf $final_path
@@ -40,6 +41,10 @@ if ynh_package_is_installed "cops-deps"; then
 ynh_package_autoremove "cops-deps"
 fi
+# Remove the user account
+id "$runninguser" >/dev/null 2>&1 \
+&& sudo deluser --quiet --remove-home "$runninguser" >/dev/null
+
 # We reload the services
 sudo service php5-fpm reload
 sudo service nginx reload
diff --git a/scripts/restore b/scripts/restore
index f2ec689..1c22ac5 100755
--- a/scripts/restore
+++ b/scripts/restore
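Review bot: `useradd` runs unconditionally in this block, so any run that finds the `${app}-ynh` account already present ends in `ynh_die`. The same block is repeated in the restore and upgrade hunks of this patch, and upgrade is where it matters most: an instance installed with this version already has the account, so its first upgrade would abort at this call. Guarding the call with `id`, as the remove script in this patch already does before `deluser`, makes all three scripts safe to re-run. The expansions `$final_path` and `$runninguser` on these lines should be quoted at the same time.

```shell
runninguser="${app}-ynh"
# Create the system account only when it is missing, so a re-run does not abort
if ! id "$runninguser" >/dev/null 2>&1; then
  sudo useradd -c "$runninguser system account" \
    -d "$final_path" --system --user-group "$runninguser" \
    || ynh_die "Unable to create $runninguser system account"
fi
# … unchanged: ynh_app_setting_set, group membership loop, chmod/chown …
```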
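Review bot: `runninguser=$app-ynh` needs a comment saying why the name is rebuilt here instead of being read from the app settings. Before this patch the stored `runninguser` setting could be `www-data`, `owncloud` or `nextcloud` (the choices removed from manifest.json), and the `deluser` added in the next hunk of this file must never be handed one of those accounts. Suggested comment: `# Rebuilt on purpose, not read from settings: older installs stored www-data/owncloud/nextcloud there`. Writing the value as `"${app}-ynh"` would also match the spelling used in the install, restore and upgrade scripts.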
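Review bot: The account is deleted before `sudo service php5-fpm reload`, so if the PHP-FPM pool of this app still has workers running as `$runninguser` (the pool configuration is not visible in this hunk), `deluser` can refuse because the account is in use. The outcome is also hidden: `--quiet`, `>/dev/null` and the absence of an explicit status check mean a leftover account goes unnoticed unless the script runs under `set -e`, which this hunk does not show. Moving the two lines after the service reloads and reporting failure would cover both, for example `sudo deluser --quiet --remove-home "$runninguser" >/dev/null || echo "Could not remove $runninguser" >&2`.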
@@ -41,6 +41,25 @@ basicauthcreate=$(ynh_app_setting_get $app basicauthcreate)
 sudo mkdir -p $final_path
 sudo cp -a ./sources/* $final_path/
+# Create cops user and join nextcloud/owncloud/www-data groups
+runninguser="${app}-ynh"
+# 1. Create the user
+# Create a system account for COPS
+sudo useradd -c "$runninguser system account" \
+ -d $final_path --system --user-group $runninguser \
+ || ynh_die "Unable to create $runninguser system account"
+ynh_app_setting_set "$app" runninguser "$runninguser"
+
+# 2. Add cops-ynh to groups www-data and nextcloud/owncloud if they exist
+sudo usermod -a -G www-data $runninguser
+for filesharing in "nextcloud" "owncloud"; do
+ app_id=$(sudo yunohost app list --installed -f "$filesharing" \
+ --output-as json | grep -Po '"id":[ ]?"\K.*?(?=")' | head -1)
+ [[ -z "$app_id" ]] || {
+ sudo usermod -a -G $filesharing $runninguser
+ }
+done
+
 # Restore permissions to app files
 # you may need to make some file and/or directory writeable by www-data (nginx user)
 sudo chown -R $runninguser:$runninguser $final_path
diff --git a/scripts/upgrade b/scripts/upgrade
index e0da1be..1ee6b03 100755
--- a/scripts/upgrade
+++ b/scripts/upgrade
@@ -38,7 +38,6 @@ domain=$(ynh_app_setting_get $app domain)
 final_path=$(ynh_app_setting_get $app final_path)
 finalnginxconf=$(ynh_app_setting_get $app finalnginxconf)
 finalphpconf=$(ynh_app_setting_get $app finalphpconf)
-runninguser=$(ynh_app_setting_get $app runninguser)
 calibre=$(ynh_app_setting_get $app calibre)
 basicauthcreate=$(ynh_app_setting_get $app basicauthcreate)
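Review bot: The group step tests whether a Nextcloud or ownCloud app is installed, not whether a group of that name exists, so `usermod -a -G $filesharing` fails whenever the app's group is not literally `nextcloud` or `owncloud`, and its status is not checked. The same loop appears in the install and upgrade hunks. Testing the group directly is shorter than grepping the JSON output: `getent group "$filesharing" >/dev/null && sudo usermod -a -G "$filesharing" "$runninguser"`. Membership of `www-data` and of the file-sharing group also gives this account group access to everything those groups can reach, not only the Calibre library, so a comment stating why each group is needed would help a later reviewer narrow it.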
@@ -80,8 +79,28 @@ sed -i "s@TIMEZONETOCHANGE@$timezone@g" ../conf/config_local.php
 sudo cp ../conf/config_local.php $final_path
 sudo cp ../conf/robots.txt $final_path
+# Create cops user and join nextcloud/owncloud/www-data groups
+runninguser="${app}-ynh"
+# 1. Create the user
+# Create a system account for COPS
+sudo useradd -c "$runninguser system account" \
+ -d $final_path --system --user-group $runninguser \
+ || ynh_die "Unable to create $runninguser system account"
+ynh_app_setting_set "$app" runninguser "$runninguser"
+
+# 2. Add cops-ynh to groups www-data and nextcloud/owncloud if they exist
+sudo usermod -a -G www-data $runninguser
+for filesharing in "nextcloud" "owncloud"; do
+ app_id=$(sudo yunohost app list --installed -f "$filesharing" \
+ --output-as json | grep -Po '"id":[ ]?"\K.*?(?=")' | head -1)
+ [[ -z "$app_id" ]] || {
+ sudo usermod -a -G $filesharing $runninguser
+ }
+done
+ynh_app_setting_set $app runninguser $runninguser
+
 # Set permissions
-sudo chmod 775 -R $final_path
+sudo chmod ug+rw -R $final_path
 sudo chown -hR $runninguser:$runninguser $final_path
 # Add basic auth if requested
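Review bot: The `ynh_app_setting_set $app runninguser $runninguser` added after `done` repeats the quoted call made a few lines earlier in the same hunk and can be dropped; it is also the only copy written without quotes. The remaining new lines leave `$final_path` and `$runninguser` unquoted in `useradd`, `usermod` and `chmod`, and because these run under `sudo` the quoted forms are worth using, e.g. `sudo chmod -R ug+rw "$final_path"`. The enclosing script continues outside this hunk.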