diff --git a/scripts/install b/scripts/install index 6f496c4..046c816 100755 --- a/scripts/install +++ b/scripts/install @@ -100,15 +100,6 @@ ynh_add_fpm_config # CUSTOMIZE DOKUWIKI #================================================= -# Set the "admin" user -ynh_replace_string "__YNH_ADMIN_USER__" "$admin" "../conf/local.protected.php" - -# Set the "language" -ynh_replace_string "__YNH_LANGUAGE__" "$language" "../conf/local.php" - - -# Copy Yunohost specific configuration - # Loading order of configuration files # # By default DokuWiki loads its configuration files in the following order: @@ -119,18 +110,28 @@ ynh_replace_string "__YNH_LANGUAGE__" "$language" "../conf/local.php" # # See https://www.dokuwiki.org/plugin:config#protecting_settings -cp ../conf/local.protected.php $final_path/conf + +### Copy Yunohost specific configuration # This File cannot be modified directly by Dokuwiki, only by hand or by Yunohost # It will only be updated by Yunohost package or directly by adventurous users +cp ../conf/local.protected.php $final_path/conf + +# Set the "admin" user +ynh_replace_string "__YNH_ADMIN_USER__" "$admin" "$final_path/conf/local.protected.php" + -cp ../conf/local.php $final_path/conf # This file might be modified by dokuwiki admin panel or by plugins # It will not be modified by Yunohost in order to keep user settings +cp ../conf/local.php $final_path/conf + +# Set the "language" +ynh_replace_string "__YNH_LANGUAGE__" "$language" "$final_path/conf/local.php" + # Restrict user rights by enforcing "read-only" mode for all users # See https://www.dokuwiki.org/acl#background_info # Default is "8" -cp ../conf/acl.auth.php $final_path/conf +cp ../conf/acl.auth.php $final_path/conf #================================================= # CREATE DEFAULT FILES @@ -144,11 +145,11 @@ cp ../conf/acl.auth.php $final_path/conf cp $final_path/conf/local.php.dist $final_path/conf/local.php.bak cp $final_path/conf/users.auth.php.dist $final_path/conf/users.auth.php -cp $final_path/inc/preload.php.dist $final_path/inc/preload.php # This file might be used by plugins like https://www.dokuwiki.org/plugin:siteexport # Create it to be more "user friendly" as over the top security is not the main goal here # This file could be use for bad behaviour. # See https://www.dokuwiki.org/devel:preload?s[]=preload +cp $final_path/inc/preload.php.dist $final_path/inc/preload.php # There is no template .dist provided inside DokuWiki installation folder # Create "empty" files to be able to manage linux permissions @@ -156,23 +157,15 @@ cp $final_path/inc/preload.php.dist $final_path/inc/preload.php cp ../conf/plugins.local.php $final_path/conf cp ../conf/plugins.local.php $final_path/conf/plugins.local.php.bak -# Create file if it does not exist -if [ ! -f "$final_path/conf/local.protected.php" ]; then - # Set the default "admin" - # Replace string in order to have a functionnal configuration file - ynh_replace_string "__YNH_ADMIN_USER__" "$admin" "../conf/local.protected.php" - - cp ../conf/local.protected.php $final_path/conf -fi - #================================================= # STORE THE CHECKSUM OF THE CONFIG FILE #================================================= # Calculate and store the config file checksum into the app settings ynh_store_file_checksum "$final_path/conf/local.protected.php" -ynh_store_file_checksum "$final_path/conf/local.php" -ynh_store_file_checksum "$final_path/conf/acl.auth.php" +### Files can be modified by user, no need to store checksum as they cannot be overwritten safely by package +#ynh_store_file_checksum "$final_path/conf/local.php" +#ynh_store_file_checksum "$final_path/conf/acl.auth.php" #================================================= #================================================= @@ -197,7 +190,7 @@ chown $app:root $final_path/conf/{local.php,local.php.bak,users.auth.php,acl.aut # See https://www.dokuwiki.org/devel:preload chown $app:root $final_path/inc/preload.php # Grant read-only to all files as files copied above are owned by root by defaut and nginx cannot read them -# There are only files in the folder and there is sublevels. No need to use "find" +# There are only files in the folder and there are no sublevels. No need to use "find" chmod -R a+r $final_path/conf chmod -R a+r $final_path/inc diff --git a/scripts/restore b/scripts/restore index 754220d..f8363c7 100755 --- a/scripts/restore +++ b/scripts/restore @@ -60,16 +60,42 @@ ynh_system_user_create $app # RESTORE USER RIGHTS #================================================= -# Restore permissions on app files +# Try to use "least privilege" to grant minimal access +# For details, see https://www.dokuwiki.org/install:permissions + +# Files owned by DokuWiki can just read chown -R root: $final_path -# Restore permissions same as from the 'install' script -# except for conf, data, some data subfolders, and lib/plugin, where www-data must have write permissions -chown -R $app:root $final_path/{conf,data,data/attic,data/cache,data/index,data/locks,data/media*,data/meta,data/pages,data/tmp,lib/plugins,lib/tpl} -chmod -R 700 $final_path/conf -chmod -R 700 $final_path/data -chmod -R 755 $final_path/lib/plugins -chmod 755 $final_path/lib/tpl/{dokuwiki,dokuwiki/images} +# DokuWiki needs to write inside these folders. Do "DokuWiki" owner +chown $app:root $final_path/conf +chown $app:root $final_path/inc + +# Do "DokuWiki" owner of configuration files that must be writable +chown $app:root $final_path/conf/{local.php,local.php.bak,users.auth.php,acl.auth.php,plugins.local.php,plugins.local.php.bak} +# Useful for some plugins like https://www.dokuwiki.org/plugin:siteexport +# See https://www.dokuwiki.org/devel:preload +chown $app:root $final_path/inc/preload.php +# Grant read-only to all files as files copied above are owned by root by defaut and nginx cannot read them +# There are only files in the folder and there are no sublevels. No need to use "find" +chmod -R a+r $final_path/conf +chmod -R a+r $final_path/inc + +# Give write access to "data" and subfolders +chown -R $app:root $final_path/data +# Remove access to "other" +chmod -R o-rwx $final_path/data + +# Allow the web admin panel to run, aka "Extension Manager" +chown -R $app:root $final_path/lib/plugins +# Allow to install templates +chown -R $app:root $final_path/lib/tpl + +# Allow access to public assets like style sheets +find $final_path/lib -type f -print0 | xargs -0 chmod 0644 +find $final_path/lib -type d -print0 | xargs -0 chmod 0755 +# Using "find" instead of "chmod -R 755" so files does not become executable too +# chmod : -rwxr-xr-x 1 root root 241 May 3 08:36 index.html => BAD +# find : -rw-r--r-- 1 1001 1002 241 May 3 08:36 index.html => GOOD #================================================= # RESTORE THE PHP-FPM CONFIGURATION diff --git a/scripts/upgrade b/scripts/upgrade index 827c77f..75be9a7 100755 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -56,6 +56,7 @@ if [ -z "$language" ]; then fi + # Yunohost specific configuration, if not exists # Previously, these settings were store a unique "dokuwiki.php" @@ -75,45 +76,34 @@ fi # Configuration dedicated to Yunohost (LDAP and admin mainly) # Create file if it does not exist if [ ! -f "$final_path/conf/local.protected.php" ]; then - # Set the default "admin" - # Replace string in order to have a functionnal configuration file - ynh_replace_string "__YNH_ADMIN_USER__" "$admin" "../conf/local.protected.php" - cp ../conf/local.protected.php $final_path/conf + + # Set the default "admin" + ynh_replace_string "__YNH_ADMIN_USER__" "$admin" "$final_path/conf/local.protected.php" fi # Do not overwrite existing dokuwiki configuration as it could have user customization's and settings. -# Cannot use helper "ynh_backup_if_checksum_is_different" # Create file if it does not exist if [ ! -f "$final_path/conf/local.php" ]; then - # Set the default "language" only when file does not exist beforehand - # Replace string in order to have a functionnal configuration file - ynh_replace_string "__YNH_LANGUAGE__" "$language" "../conf/local.php" - cp ../conf/local.php $final_path/conf + + # Set the default "language" + ynh_replace_string "__YNH_LANGUAGE__" "$language" "$final_path/conf/local.php" fi # Do not overwrite existing ACL configuration file as it could have user customization's and settings. -# Cannot use helper "ynh_backup_if_checksum_is_different" # Create file if it does not exist # See https://www.dokuwiki.org/acl#background_info if [ ! -f "$final_path/conf/acl.auth.php" ]; then cp ../conf/acl.auth.php $final_path/conf fi + + # For securing DokuWiki installation, create default files that will be writable in the "conf" folder. # Other files will be read ony and owned by root. # See https://www.dokuwiki.org/install:permissions -# Create file if it does not exist -if [ ! -f "$final_path/conf/local.protected.php" ]; then - # Set the default "admin" - # Replace string in order to have a functionnal configuration file - ynh_replace_string "__YNH_ADMIN_USER__" "$admin" "../conf/local.protected.php" - - cp ../conf/local.protected.php $final_path/conf -fi - # If file does not exists if [ ! -f "$final_path/conf/local.php.bak" ]; then # if template exists @@ -225,7 +215,7 @@ fi # TODO Taken from old "upgrade" script. Should check if it is needed and what it does # Update all plugins -for name_plugin in $(sudo -s cat $final_path/lib/plugins/*/plugin.info.txt | grep url | awk -F':' '{print $3}'); +for name_plugin in $(sudo -s cat $final_path/lib/plugins/*/plugin.info.txt | grep url | awk -F ':' '{print $3}'); do # Get a official plugin for dokuwiki, not update a no-official sudo wget -nv --quiet "https://github.com/splitbrain/dokuwiki-plugin-${name_plugin}/zipball/master" -O "${name_plugin}.zip" -o /dev/null || true @@ -241,20 +231,17 @@ done # LDAP Configuration #================================================= -# Verify if existing file needs to be upgraded by comparing it's size to new file from package -# If different, do a backup of existing file and overwrite with new file -# -# Safe here as this file is only used by Yunohost. Dokuwiki cannot modified it. +### Verify the checksum of a file, stored by `ynh_store_file_checksum` in the install script. +### And create a backup of this file if the checksum is different. So the file will be backed up if the admin had modified it. ynh_backup_if_checksum_is_different "$final_path/conf/local.protected.php" -# Set the "admin" user -ynh_replace_string "__YNH_ADMIN_USER__" "$admin" "../conf/local.protected.php" - +# Always overwrite local file with the one from package. cp ../conf/local.protected.php $final_path/conf -# This File cannot be modified directly by Dokuwiki, only by hand or by Yunohost -# It will only be updated by Yunohost package or directly by adventurous users -# Recalculate and store the config file checksum into the app settings +# Set the "admin" user +ynh_replace_string "__YNH_ADMIN_USER__" "$admin" "$final_path/conf/local.protected.php" + +# Recalculate and store the checksum of the file for the next upgrade. ynh_store_file_checksum "$final_path/conf/local.protected.php" #================================================= @@ -275,6 +262,8 @@ chown $app:root $final_path/inc # Do "DokuWiki" owner of configuration files that must be writable chown $app:root $final_path/conf/{local.php,local.php.bak,users.auth.php,acl.auth.php,plugins.local.php,plugins.local.php.bak} +# Useful for some plugins like https://www.dokuwiki.org/plugin:siteexport +# See https://www.dokuwiki.org/devel:preload chown $app:root $final_path/inc/preload.php # Grant read-only to all files as files copied above are owned by root by defaut and nginx cannot read them # There are only files in the folder and there is sublevels. No need to use "find"