From 795059f3831bdce04be5f15ad922ff847d7cfa67 Mon Sep 17 00:00:00 2001 From: __cyp Date: Wed, 12 Jul 2017 19:22:08 +0200 Subject: [PATCH] [fix] Fix issue #25 #26 #27 (#28) * [fix] Reactivate integrity check #26 * [fix] Use boolean type for is_public #25 * [fix] isolate user with php-fpm * [fix] boolean is_public for check_process * [fix] Create user for upgrade and restore * [fix] delete choices manifest.json * [fix] load generic function * [fix] delete reload php5-fpm * [fix] owner file with user dokuwiki * [fix] correctly ssowat config for install * [fix] Get file fonction if not been to the current directory * [fix] owner file with user dokuwiki - upgrade * [fix] Clean code * Reload php-fpm et after remove user * [fix] upgrade php5-fpm with a good user * [fix] owner root for all files & owner dokuwiki for write access * [fix] owner root for all files & owner dokuwiki for write access (upgrade script) * [fix] owner read & write for plugins directory --- check_process | 2 +- conf/php-fpm.conf | 4 +-- manifest.json | 4 +-- scripts/.fonctions | 78 ++++++++++++++++++++++++++++++++++++++++++++-- scripts/install | 37 +++++++++------------- scripts/remove | 5 +++ scripts/restore | 12 ++++++- scripts/upgrade | 37 +++++++++++++--------- 8 files changed, 135 insertions(+), 44 deletions(-) diff --git a/check_process b/check_process index 3bddb9f..88a7a7e 100644 --- a/check_process +++ b/check_process @@ -4,7 +4,7 @@ domain="domain.tld" (DOMAIN) path="/path" (PATH) admin="john" (USER) - is_public="Yes" (PUBLIC|public=Yes|private=No) + is_public=1 (PUBLIC|public=1|private=0) ; Checks pkg_linter=1 setup_sub_dir=1 diff --git a/conf/php-fpm.conf b/conf/php-fpm.conf index 5672f10..7bad39e 100644 --- a/conf/php-fpm.conf +++ b/conf/php-fpm.conf 
@@ -19,8 +19,8 @@ ; Unix user/group of processes ; Note: The user is mandatory. If the group is not set, the default user's group ; will be used. -user = www-data -group = www-data +user = __USER__ +group = __USER__ ; The address on which to accept FastCGI requests. ; Valid syntaxes are: diff --git a/manifest.json b/manifest.json index 3da9786..776c0df 100644 --- a/manifest.json +++ b/manifest.json @@ -56,12 +56,12 @@ }, { "name": "is_public", + "type": "boolean", "ask": { "en": "Is it a public DokuWiki site ?", "fr": "Est-ce un site public ?" }, - "choices": ["Yes", "No"], - "default": "Yes" + "default": "true" } ] } diff --git a/scripts/.fonctions b/scripts/.fonctions index 39b2c90..4e87c5f 100644 --- a/scripts/.fonctions +++ b/scripts/.fonctions @@ -69,7 +69,7 @@ SETUP_SOURCE () { # Download source, decompress and copu into $final_path src=$(cat ../sources/source_md5 | awk -F' ' {'print $2'}) sudo wget -nv -i ../sources/source_url -O $src # Checks the checksum of the downloaded source. - # md5sum -c ../sources/source_md5 --status || ynh_die "Corrupt source" + md5sum -c ../sources/source_md5 --status || ynh_die "Corrupt source" # Decompress source if [ "$(echo ${src##*.})" == "tgz" ]; then tar -x -f $src @@ -89,6 +89,7 @@ SETUP_SOURCE () { # Download source, decompress and copu into $final_path POOL_FPM () { # Create the php-fpm pool configuration file and configure it. sed -i "s@__NAMETOCHANGE__@$app@g" ../conf/php-fpm.conf sed -i "s@__FINALPATH__@$final_path@g" ../conf/php-fpm.conf + sed -i "s@__USER__@$app@g" ../conf/php-fpm.conf finalphpconf=/etc/php5/fpm/pool.d/$app.conf sudo cp ../conf/php-fpm.conf $finalphpconf sudo chown root: $finalphpconf 
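Review bot: Running the pool as `__USER__` changes who owns the worker processes, but the hunk does not show the socket's `listen.owner`/`listen.group`/`listen.mode`, which php5-fpm defaults to the master process's user with mode 0660; nginx runs as www-data and will be refused on the per-app socket unless the pool file keeps `listen.owner = www-data` and `listen.group = www-data` (presumably in lines outside this hunk). Worth confirming before merging, since the install script no longer reloads php5-fpm itself and a permission error on the socket surfaces only as a 502. I would also add a comment next to `user = __USER__` such as `; Workers run as the dedicated app user; the socket below must stay reachable by nginx (www-data) only, never 0666` so a later edit does not widen `listen.mode` to work around the ownership change.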
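Review bot: Reactivating the `md5sum -c` line restores integrity verification of the downloaded tarball, but MD5 is no longer collision-resistant, so a `source_md5` pairing protects against a corrupt download rather than a tampered one when `source_url` is fetched over plain HTTP or from a mirror. Because `$src` is already derived from the second field of the checksum file, switching to SHA-256 is mechanical: `src=$(awk '{print $2}' ../sources/source_sha256)` and `sha256sum -c ../sources/source_sha256 --status || ynh_die "Corrupt source"`, with the hash regenerated once from the upstream release. The download itself runs as `sudo wget` although it only writes into the script's working directory; if root is not actually needed there, dropping the `sudo` limits what a malformed `source_url` can do. SETUP_SOURCE starts and ends outside this hunk.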
@@ -177,4 +178,77 @@ SECURE_REMOVE () { # Deleting a folder with variable verification echo "No detected variable." >&2 return 1 fi -} \ No newline at end of file +} + + +# Check if a YunoHost user exists +# +# example: ynh_user_exists 'toto' || exit 1 +# +# usage: ynh_user_exists username +# | arg: username - the username to check +ynh_user_exists() { + sudo yunohost user list --output-as json | grep -q "\"username\": \"${1}\"" +} + +# Retrieve a YunoHost user information +# +# example: mail=$(ynh_user_get_info 'toto' 'mail') +# +# usage: ynh_user_get_info username key +# | arg: username - the username to retrieve info from +# | arg: key - the key to retrieve +# | ret: string - the key's value +ynh_user_get_info() { + sudo yunohost user info "$1" --output-as plain | ynh_get_plain_key "$2" +} + +# Get the list of YunoHost users +# +# example: for u in $(ynh_user_list); do ... +# +# usage: ynh_user_list +# | ret: string - one username per line +ynh_user_list() { + sudo yunohost user list --output-as plain --quiet \ + | awk '/^##username$/{getline; print}' +} + +# Check if a user exists on the system +# +# usage: ynh_system_user_exists username +# | arg: username - the username to check +ynh_system_user_exists() { + getent passwd "$1" &>/dev/null +} + +# Create a system user +# +# usage: ynh_system_user_create user_name [home_dir] +# | arg: user_name - Name of the system user that will be create +# | arg: home_dir - Path of the home dir for the user. Usually the final path of the app. If this argument is omitted, the user will be created without home +ynh_system_user_create () { + if ! 
ynh_system_user_exists "$1" # Check if the user exists on the system + then # If the user doesn't exist + if [ $# -ge 2 ]; then # If a home dir is mentioned + user_home_dir="-d $2" + else + user_home_dir="--no-create-home" + fi + sudo useradd $user_home_dir --system --user-group $1 --shell /usr/sbin/nologin || ynh_die "Unable to create $1 system account" + fi +} + +# Delete a system user +# +# usage: ynh_system_user_delete user_name +# | arg: user_name - Name of the system user that will be create +ynh_system_user_delete () { + if ynh_system_user_exists "$1" # Check if the user exists on the system + then + echo "Remove the user $1" >&2 + sudo userdel $1 + else + echo "The user $1 was not found" >&2 + fi +} diff --git a/scripts/install b/scripts/install index 2ba1ed9..a7cdf9d 100755 --- a/scripts/install +++ b/scripts/install @@ -44,6 +44,9 @@ ynh_app_setting_set $app path $path ynh_app_setting_set $app admin $admin ynh_app_setting_set $app is_public $is_public +# Create system user dedicace for this app +ynh_system_user_create $app + # Modify dokuwiki conf sed -i "s@YNH_ADMIN_USER@$admin@g" ../conf/dokuwiki.php 
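Review bot: `ynh_system_user_create` expands `$1` and `$user_home_dir` unquoted on the `useradd` line, so a home path containing whitespace splits into extra arguments and the username is subject to globbing, and `ynh_user_exists` in the same hunk hands the username to `grep` as a regular expression, so a name containing `.` or `[` can match a different account. Quote the username (`sudo useradd $user_home_dir --system --user-group "$1" --shell /usr/sbin/nologin`, leaving `$user_home_dir` unquoted only because it deliberately carries two words — or pass `-d "$2"` directly) and use a fixed-string match, `grep -qF "\"username\": \"${1}\""`. Two behaviours the usage comments should state explicitly: `-d` without `-m` records the home directory but does not create it, and `ynh_system_user_delete` runs `userdel` without `-r`, so any home directory is left for the caller; a line such as `# | note: the home directory is neither created here nor removed by ynh_system_user_delete` in each usage block would cover both.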
@@ -57,17 +60,15 @@ SETUP_SOURCE sudo cp ../conf/dokuwiki.php $final_path/conf sudo cp ../conf/acl.auth.php $final_path/conf -# Files owned by www-data can just read -# sudo find $final_path -type f -print0 | xargs -0 sudo chmod 0644 -# sudo find $final_path -type d -print0 | xargs -0 sudo chmod 0755 -sudo chown -R www-data: $final_path +# Files owned by dokuwiki can just read +sudo chown -R root: $final_path # except for conf, data, some data subfolders, and lib/plugin, where www-data must have write permissions -sudo chown -R www-data:root $final_path/{conf,data,data/attic,data/cache,data/index,data/locks,data/media*,data/meta,data/pages,data/tmp,lib/plugins,lib/tpl} +sudo chown -R $app:root $final_path/{conf,data,data/attic,data/cache,data/index,data/locks,data/media*,data/meta,data/pages,data/tmp,lib/plugins,lib/tpl} sudo chmod -R 700 $final_path/conf sudo chmod -R 700 $final_path/data -sudo chmod -R 700 $final_path/lib/plugins -sudo chmod -R 700 $final_path/lib/tpl +sudo chmod -R 755 $final_path/lib/plugins +sudo chmod 755 $final_path/lib/tpl/{dokuwiki,dokuwiki/images} # Modify Nginx configuration file and copy it to Nginx conf directory sudo cp ../conf/nginx.conf /etc/nginx/conf.d/$domain.d/$app.conf @@ -83,19 +84,11 @@ fi # Create the php-fpm pool config POOL_FPM -# Public access for curl -ynh_app_setting_set $app unprotected_uris "/" - -# Relaod SSOwat configuration -sudo yunohost app ssowatconf - -# Reload php5-fpm and Nginx -sudo systemctl reload php5-fpm -sudo systemctl reload nginx - -if [ "$is_public" = "No" ]; -then - # Exit public access - ynh_app_setting_delete $app unprotected_uris - sudo yunohost app ssowatconf +# If app is public, add url to SSOWat conf as skipped_uris +if [[ $is_public -eq 1 ]]; then + # unprotected_uris allows SSO credentials to be passed anyway. + ynh_app_setting_set "$app" unprotected_uris "/" fi + +# Reload Nginx +sudo systemctl reload nginx \ No newline at end of file 
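Review bot: The comment kept above `sudo chown -R root: $final_path` still reads `Files owned by dokuwiki can just read`, but after this change the code tree is owned by root and the `$app` user only reads it through the world-readable bits; rewrite it as `# Code is owned by root; the dedicated $app user (php-fpm) gets read access only` so the intent of the split ownership survives the next edit. `lib/plugins` at mode 755 and owned by `$app` means a compromised PHP worker can drop executable code there, which DokuWiki's plugin manager requires but which deserves an explicit note on the `chmod -R 755 $final_path/lib/plugins` line, e.g. `# plugin manager installs code here: intentionally writable by the PHP worker`. Also, `lib/tpl` is chowned recursively to `$app` but only `lib/tpl/dokuwiki` and `lib/tpl/dokuwiki/images` receive an explicit mode, so everything else under it keeps whatever the tarball carried — presumably fine, but worth confirming against what nginx needs to serve directly.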
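Review bot: This hunk drops `sudo systemctl reload php5-fpm` right after `POOL_FPM` writes the new `$app` pool, so unless `POOL_FPM` (only partly visible in this patch) reloads the service itself, the per-app socket is never created and nginx answers 502 after a fresh install. The same hunk also stops calling `sudo yunohost app ssowatconf` after `unprotected_uris` is set, while the upgrade script keeps that call; if the install framework regenerates the SSOwat configuration on its own that is fine, otherwise a public instance keeps demanding SSO login until the next regeneration. Either keep `sudo systemctl reload php5-fpm` next to `sudo systemctl reload nginx`, or add `# php5-fpm is reloaded inside POOL_FPM` above `POOL_FPM` so the dependency is explicit. Note that `[[ $is_public -eq 1 ]]` evaluates a non-numeric legacy value such as `Yes` as 0 without any error and therefore treats it as private — fail-closed, which is acceptable, but worth a one-line comment.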
diff --git a/scripts/remove b/scripts/remove index e127a5b..6fa841a 100755 --- a/scripts/remove +++ b/scripts/remove @@ -6,6 +6,8 @@ set -u # Get multi-instances specific variables app=$YNH_APP_INSTANCE_NAME +# Loads the generic functions usually used in the script +source .fonctions # Source app helpers . /usr/share/yunohost/helpers @@ -22,4 +24,7 @@ sudo rm -f "/etc/php5/fpm/conf.d/20-${app}.ini" sudo systemctl reload php5-fpm sudo systemctl reload nginx +# Delete system user dedicace for this app +ynh_system_user_delete $app + echo -e "\e[0m" # Restore normal color \ No newline at end of file diff --git a/scripts/restore b/scripts/restore index 9cb2d33..2ee9014 100755 --- a/scripts/restore +++ b/scripts/restore @@ -7,6 +7,13 @@ set -eu # The parameter $2 is the id of the app instance ex: ynhexample__2 app=$YNH_APP_INSTANCE_NAME +if [ ! -e .fonctions ]; then + # Get file fonction if not been to the current directory + sudo cp ../settings/scripts/.fonctions ./.fonctions + sudo chmod a+rx .fonctions +fi +# Loads the generic functions usually used in the script +source .fonctions # Source app helpers source /usr/share/yunohost/helpers @@ -41,11 +48,14 @@ if [ -f $phpfpm_ini ]; then ynh_die "The PHP FPM INI configuration already exists at '${phpfpm_ini}'. You should safely delete it before restoring this app." fi +# Create system user dedicace for this app +ynh_system_user_create $app + # Restore sources & data sudo cp -a ./sources "${final_path}" # Set permissions -sudo chown -R www-data: "${final_path}" +sudo chown -R $app: "${final_path}" # Restore nginx configuration files sudo cp -a ./nginx.conf "${nginx_conf}" diff --git a/scripts/upgrade b/scripts/upgrade index 909d644..b297bbf 100755 --- a/scripts/upgrade +++ b/scripts/upgrade 
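Review bot: `sudo chown -R $app: "${final_path}"` in the restore script hands the whole tree, PHP code included, to the php-fpm user, which undoes the root-owned / selectively writable layout this same commit introduces in install and upgrade; a restored instance ends up with a codebase the PHP worker can rewrite. The same ownership and mode block should be applied here, ideally moved into a shared helper in `.fonctions` so the three scripts cannot drift apart again. The rewritten permission lines follow; the nginx/php-fpm restore steps after them are unchanged.
```shell
# Restore sources & data
sudo cp -a ./sources "${final_path}"

# Set permissions: code is owned by root, only DokuWiki's writable directories belong to the app user
sudo chown -R root: "${final_path}"
sudo chown -R "$app":root "${final_path}"/{conf,data,lib/plugins,lib/tpl}
sudo chmod -R 700 "${final_path}"/conf "${final_path}"/data
sudo chmod -R 755 "${final_path}"/lib/plugins
sudo chmod 755 "${final_path}"/lib/tpl/{dokuwiki,dokuwiki/images}
# … unchanged: nginx configuration restore …
```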
@@ -3,6 +3,12 @@ # Exit on command errors and treat unset variables as an error set -eu +if [ ! -e .fonctions ]; then + # Get file fonction if not been to the current directory + sudo cp ../settings/scripts/.fonctions ./.fonctions + sudo chmod a+rx .fonctions +fi +# Loads the generic functions usually used in the script source .fonctions # Source app helpers source /usr/share/yunohost/helpers @@ -38,6 +44,9 @@ then sudo ynh_app_setting_set $app is_public -v "$is_public" fi +# Create system user dedicace for this app +ynh_system_user_create $app + # Modify dokuwiki conf sed -i "s@YNH_ADMIN_USER@$admin@g" ../conf/dokuwiki.php 
@@ -80,24 +89,23 @@ do done # Files owned by www-data can just read -# sudo find $final_path -type f -print0 | xargs -0 sudo chmod 0644 -# sudo find $final_path -type d -print0 | xargs -0 sudo chmod 0755 -sudo chown -R www-data: $final_path +sudo chown -R root: $final_path -# except for conf, data, some data subfolders, and lib/plugin, where www-data must have write permissions +# except for conf, data, some data subfolders, and lib/plugin, where dokuwiki must have write permissions if [ -d "${final_path}/data/media" ]; then - sudo chown -R www-data:root $final_path/{data/attic,data/cache,data/index,data/locks,data/media*,data/meta,data/pages,data/tmp} + sudo chown -R $app:root $final_path/{data/attic,data/cache,data/index,data/locks,data/media*,data/meta,data/pages,data/tmp} fi -sudo chown -R www-data:root $final_path/{conf,data,lib/plugins,lib/tpl} +sudo chown -R $app:root $final_path/{conf,data,lib/plugins,lib/tpl} sudo chmod -R 700 $final_path/conf sudo chmod -R 700 $final_path/data sudo chmod -R 700 $final_path/lib/plugins -sudo chmod -R 700 $final_path/lib/tpl +sudo chmod 755 $final_path/lib/tpl/{dokuwiki,dokuwiki/images} # Modify Nginx configuration file and copy it to Nginx conf directory sudo sed -i "s@__PATHTOCHANGE__@$path@g" /etc/nginx/conf.d/$domain.d/$app.conf sudo sed -i "s@__FINALPATH__@$final_path@g" /etc/nginx/conf.d/$domain.d/$app.conf -sudo sed -i "s@__NAMETOCHANGE__@$app@g" /etc/nginx/conf.d/$domain.d/$app.conf +# sudo sed -i "s@__NAMETOCHANGE__@$app@g" /etc/nginx/conf.d/$domain.d/$app.conf +sudo sed -i "s@fastcgi_pass unix:/var/run/php5-fpm.sock;@fastcgi_pass unix:/var/run/php5-fpm-${app}.sock;@g" /etc/nginx/conf.d/$domain.d/$app.conf if [ "$is_public" = "Yes" ]; then 
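Review bot: `sudo chmod -R 700 $final_path/lib/plugins` is kept here while the install script in this same commit changes it to 755, so a fresh install and an upgraded one end up with different plugin permissions; with the directory now owned by `$app` instead of www-data, 700 also stops nginx (www-data) from serving any static file shipped under `lib/plugins`. Align it with install: `sudo chmod -R 755 $final_path/lib/plugins`. The comment `# Files owned by www-data can just read` above `sudo chown -R root: $final_path` is now wrong on both counts (owner root, worker `$app`) and should read `# Code is owned by root; the dedicated $app user (php-fpm) only reads it`. The trailing `if [ "$is_public" = "Yes" ]` still compares the pre-conversion value only; its body runs past the end of the hunk, so check it against the `1`/`0` values this commit stores.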
@@ -107,13 +115,14 @@ fi # Create the php-fpm pool config POOL_FPM -# Setup SSOwat -ynh_app_setting_set "$app" is_public "$is_public" -if [ "$is_public" = "Yes" ]; -then - ynh_app_setting_set "$app" unprotected_uris "/" +# Set ssowat config +if [ "$is_public" = "Yes" ]; then + ynh_app_setting_set $app is_public 1 # Fixe is_public en booléen + is_public=1 +else + ynh_app_setting_set $app is_public 0 + is_public=0 fi -sudo systemctl reload php5-fpm sudo systemctl reload nginx sudo yunohost app ssowatconf \ No newline at end of file
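Review bot: The conversion `if [ "$is_public" = "Yes" ]` only recognises the legacy string, so on the second upgrade of an instance already stored as `1` the `else` branch rewrites `is_public` to `0` and a public wiki silently becomes private — fail-closed, but still an unintended access-control change that the admin has to notice and undo. Accept both spellings, e.g. `if [ "$is_public" = "Yes" ] || [ "$is_public" = "1" ]; then`, or normalise once before writing the setting with `case "$is_public" in Yes|1) is_public=1 ;; *) is_public=0 ;; esac`. The mixed-language comment `# Fixe is_public en booléen` should be English like the rest of the file: `# Migrate is_public from the legacy Yes/No string to a boolean`. Since this hunk no longer writes `unprotected_uris` for public instances, confirm that the `is_public` block earlier in the upgrade script (partly outside this patch) still registers the URI before `yunohost app ssowatconf` runs.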