From 257acb2b4db0038c3dba1c54cb1bbefd29a1c3ef Mon Sep 17 00:00:00 2001 From: Gofannon Date: Sat, 8 Sep 2018 21:02:41 +0200 Subject: [PATCH 1/8] [enh] remove duplicate code block --- scripts/upgrade | 11 ++--------- 1 file changed, 2 insertions(+), 9 deletions(-) diff --git a/scripts/upgrade b/scripts/upgrade index 827c77f..be69724 100755 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -101,19 +101,12 @@ if [ ! -f "$final_path/conf/acl.auth.php" ]; then cp ../conf/acl.auth.php $final_path/conf fi + + # For securing DokuWiki installation, create default files that will be writable in the "conf" folder. # Other files will be read ony and owned by root. # See https://www.dokuwiki.org/install:permissions -# Create file if it does not exist -if [ ! -f "$final_path/conf/local.protected.php" ]; then - # Set the default "admin" - # Replace string in order to have a functionnal configuration file - ynh_replace_string "__YNH_ADMIN_USER__" "$admin" "../conf/local.protected.php" - - cp ../conf/local.protected.php $final_path/conf -fi - # If file does not exists if [ ! -f "$final_path/conf/local.php.bak" ]; then # if template exists From d7138947521817882d3e68c08f00dd187466e693 Mon Sep 17 00:00:00 2001 From: Gofannon Date: Sat, 8 Sep 2018 21:03:34 +0200 Subject: [PATCH 2/8] [fix] Copy configuration files then modify them See https://github.com/YunoHost-Apps/dokuwiki_ynh/pull/37#issuecomment-398374816 "Since a few time, because the conf folder will be kept for later uses (especially in change_url), it's better to copy your file in the right place before modifying it." --- scripts/install | 34 +++++++++++++++++----------------- scripts/upgrade | 21 ++++++++++----------- 2 files changed, 27 insertions(+), 28 deletions(-) diff --git a/scripts/install b/scripts/install index 6f496c4..e1460a8 100755 --- a/scripts/install +++ b/scripts/install 
@@ -100,15 +100,6 @@ ynh_add_fpm_config # CUSTOMIZE DOKUWIKI #================================================= -# Set the "admin" user -ynh_replace_string "__YNH_ADMIN_USER__" "$admin" "../conf/local.protected.php" - -# Set the "language" -ynh_replace_string "__YNH_LANGUAGE__" "$language" "../conf/local.php" - - -# Copy Yunohost specific configuration - # Loading order of configuration files # # By default DokuWiki loads its configuration files in the following order: @@ -119,18 +110,28 @@ ynh_replace_string "__YNH_LANGUAGE__" "$language" "../conf/local.php" # # See https://www.dokuwiki.org/plugin:config#protecting_settings -cp ../conf/local.protected.php $final_path/conf + +### Copy Yunohost specific configuration # This File cannot be modified directly by Dokuwiki, only by hand or by Yunohost # It will only be updated by Yunohost package or directly by adventurous users +cp ../conf/local.protected.php $final_path/conf + +# Set the "admin" user +ynh_replace_string "__YNH_ADMIN_USER__" "$admin" "$final_path/conf/local.protected.php" + -cp ../conf/local.php $final_path/conf # This file might be modified by dokuwiki admin panel or by plugins # It will not be modified by Yunohost in order to keep user settings +cp ../conf/local.php $final_path/conf + +# Set the "language" +ynh_replace_string "__YNH_LANGUAGE__" "$language" "$final_path/conf/local.php" + # Restrict user rights by enforcing "read-only" mode for all users # See https://www.dokuwiki.org/acl#background_info # Default is "8" -cp ../conf/acl.auth.php $final_path/conf +cp ../conf/acl.auth.php $final_path/conf #================================================= # CREATE DEFAULT FILES 
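Review bot: `ynh_replace_string "__YNH_ADMIN_USER__" "$admin" "$final_path/conf/local.protected.php"` (and the `__YNH_LANGUAGE__` line further down the hunk) splices an app setting straight into PHP source with no check on its content; if the helper is the usual sed wrapper, a `/`, `&` or quote in `$admin` would either break the substitution or change the meaning of the PHP line, and the install script then stores a checksum of that file as if it were correct. YunoHost presumably validates user names before they reach this script, but this file defines the wiki superuser, so a cheap local guard placed just before the replace is warranted: `[[ "$admin" =~ ^[a-z0-9_.-]+$ ]] || ynh_die "Refusing to write an unexpected admin user name into local.protected.php"`. The same reasoning applies to `$language`, which appears to be chosen by the user at install time.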
@@ -144,11 +145,11 @@ cp ../conf/acl.auth.php $final_path/conf cp $final_path/conf/local.php.dist $final_path/conf/local.php.bak cp $final_path/conf/users.auth.php.dist $final_path/conf/users.auth.php -cp $final_path/inc/preload.php.dist $final_path/inc/preload.php # This file might be used by plugins like https://www.dokuwiki.org/plugin:siteexport # Create it to be more "user friendly" as over the top security is not the main goal here # This file could be use for bad behaviour. # See https://www.dokuwiki.org/devel:preload?s[]=preload +cp $final_path/inc/preload.php.dist $final_path/inc/preload.php # There is no template .dist provided inside DokuWiki installation folder # Create "empty" files to be able to manage linux permissions @@ -158,11 +159,10 @@ cp ../conf/plugins.local.php $final_path/conf/plugins.local.php.bak # Create file if it does not exist if [ ! -f "$final_path/conf/local.protected.php" ]; then - # Set the default "admin" - # Replace string in order to have a functionnal configuration file - ynh_replace_string "__YNH_ADMIN_USER__" "$admin" "../conf/local.protected.php" - cp ../conf/local.protected.php $final_path/conf + + # Set the default "admin" + ynh_replace_string "__YNH_ADMIN_USER__" "$admin" "$final_path/conf/local.protected.php" fi #================================================= diff --git a/scripts/upgrade b/scripts/upgrade index be69724..d9a5696 100755 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -56,6 +56,7 @@ if [ -z "$language" ]; then fi + # Yunohost specific configuration, if not exists # Previously, these settings were store a unique "dokuwiki.php" 
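Review bot: The relocated comment warns that `inc/preload.php` "could be use for bad behaviour" without saying how, which leaves the next maintainer unable to judge whether the `cp $final_path/inc/preload.php.dist $final_path/inc/preload.php` is safe; this same install script later runs `chown $app:root $final_path/inc/preload.php` (visible as context in the patch 7 hunk), so the concrete risk is that anything running as the php-fpm user can write PHP into a file DokuWiki includes on startup (per the devel:preload reference — verify the exact wording there). Replace the vague line with `# SECURITY: preload.php is included by DokuWiki at startup and is made writable by $app in the permissions section; code running as the web user can use it to persist arbitrary PHP.` and fix the typo in the original line (`could be use` → `could be used`). Quoting `"$final_path"` in the two `cp` lines would also let ShellCheck pass on this block.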
@@ -75,22 +76,20 @@ fi # Configuration dedicated to Yunohost (LDAP and admin mainly) # Create file if it does not exist if [ ! -f "$final_path/conf/local.protected.php" ]; then - # Set the default "admin" - # Replace string in order to have a functionnal configuration file - ynh_replace_string "__YNH_ADMIN_USER__" "$admin" "../conf/local.protected.php" - cp ../conf/local.protected.php $final_path/conf + + # Set the default "admin" + ynh_replace_string "__YNH_ADMIN_USER__" "$admin" "$final_path/conf/local.protected.php" fi # Do not overwrite existing dokuwiki configuration as it could have user customization's and settings. # Cannot use helper "ynh_backup_if_checksum_is_different" # Create file if it does not exist if [ ! -f "$final_path/conf/local.php" ]; then - # Set the default "language" only when file does not exist beforehand - # Replace string in order to have a functionnal configuration file - ynh_replace_string "__YNH_LANGUAGE__" "$language" "../conf/local.php" - cp ../conf/local.php $final_path/conf + + # Set the default "language" + ynh_replace_string "__YNH_LANGUAGE__" "$language" "$final_path/conf/local.php" fi # Do not overwrite existing ACL configuration file as it could have user customization's and settings. @@ -240,13 +239,13 @@ done # Safe here as this file is only used by Yunohost. Dokuwiki cannot modified it. ynh_backup_if_checksum_is_different "$final_path/conf/local.protected.php" -# Set the "admin" user -ynh_replace_string "__YNH_ADMIN_USER__" "$admin" "../conf/local.protected.php" - cp ../conf/local.protected.php $final_path/conf # This File cannot be modified directly by Dokuwiki, only by hand or by Yunohost # It will only be updated by Yunohost package or directly by adventurous users +# Set the "admin" user +ynh_replace_string "__YNH_ADMIN_USER__" "$admin" "../conf/local.protected.php" + # Recalculate and store the config file checksum into the app settings ynh_store_file_checksum "$final_path/conf/local.protected.php" 
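Review bot: The create-if-missing blocks are not atomic: `cp ../conf/local.protected.php $final_path/conf` lands the template with the literal `__YNH_ADMIN_USER__` first and only the following `ynh_replace_string` makes it valid, so if the upgrade aborts or the helper fails between the two, a placeholder file is left behind and every later run skips the block because `[ ! -f ... ]` is now false — the wiki then keeps whatever the template's placeholder yields (I cannot see the template, so I am assuming the placeholder is the superuser line). Guarding on the placeholder rather than on mere existence closes that hole with a one-line change: `if [ ! -f "$final_path/conf/local.protected.php" ] || grep -q '__YNH_ADMIN_USER__' "$final_path/conf/local.protected.php"; then`. The `local.php` / `__YNH_LANGUAGE__` block below has the same shape, though a stale language placeholder is only a usability problem.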
From 7ae29184869bdd03f20bdeb44eef6c08286650a4 Mon Sep 17 00:00:00 2001 From: Gofannon Date: Sat, 15 Sep 2018 21:31:24 +0200 Subject: [PATCH 3/8] [enh] remove unnecessary test --- scripts/install | 8 -------- 1 file changed, 8 deletions(-) diff --git a/scripts/install b/scripts/install index e1460a8..4b0ee72 100755 --- a/scripts/install +++ b/scripts/install @@ -157,14 +157,6 @@ cp $final_path/inc/preload.php.dist $final_path/inc/preload.php cp ../conf/plugins.local.php $final_path/conf cp ../conf/plugins.local.php $final_path/conf/plugins.local.php.bak -# Create file if it does not exist -if [ ! -f "$final_path/conf/local.protected.php" ]; then - cp ../conf/local.protected.php $final_path/conf - - # Set the default "admin" - ynh_replace_string "__YNH_ADMIN_USER__" "$admin" "$final_path/conf/local.protected.php" -fi - #================================================= # STORE THE CHECKSUM OF THE CONFIG FILE #================================================= From efd392a8c15efbeb4ddc437ec2c82aa0443a541e Mon Sep 17 00:00:00 2001 From: Gofannon Date: Sat, 15 Sep 2018 21:36:00 +0200 Subject: [PATCH 4/8] [fix] set admin user + add comments --- scripts/upgrade | 13 +++++-------- 1 file changed, 5 insertions(+), 8 deletions(-) diff --git a/scripts/upgrade b/scripts/upgrade index d9a5696..c4e35e8 100755 --- a/scripts/upgrade +++ b/scripts/upgrade 
@@ -233,20 +233,17 @@ done # LDAP Configuration #================================================= -# Verify if existing file needs to be upgraded by comparing it's size to new file from package -# If different, do a backup of existing file and overwrite with new file -# -# Safe here as this file is only used by Yunohost. Dokuwiki cannot modified it. +### Verify the checksum of a file, stored by `ynh_store_file_checksum` in the install script. +### And create a backup of this file if the checksum is different. So the file will be backed up if the admin had modified it. ynh_backup_if_checksum_is_different "$final_path/conf/local.protected.php" +# Always overwrite local file with the one from package. cp ../conf/local.protected.php $final_path/conf -# This File cannot be modified directly by Dokuwiki, only by hand or by Yunohost -# It will only be updated by Yunohost package or directly by adventurous users # Set the "admin" user -ynh_replace_string "__YNH_ADMIN_USER__" "$admin" "../conf/local.protected.php" +ynh_replace_string "__YNH_ADMIN_USER__" "$admin" "$final_path/conf/local.protected.php" -# Recalculate and store the config file checksum into the app settings +# Recalculate and store the checksum of the file for the next upgrade. ynh_store_file_checksum "$final_path/conf/local.protected.php" #================================================= From 3f59ea2e014f41c13544d1d3a183fe0bf13bbbe3 Mon Sep 17 00:00:00 2001 From: Gofannon Date: Sat, 15 Sep 2018 21:37:44 +0200 Subject: [PATCH 5/8] [enh] do not store unnecessary files checksums and cleaning comments --- scripts/install | 5 +++-- scripts/upgrade | 4 ++-- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/scripts/install b/scripts/install index 4b0ee72..88017cb 100755 --- a/scripts/install +++ b/scripts/install 
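Review bot: Now that `local.protected.php` is unconditionally overwritten and then rewritten with `$admin`, an empty `admin` setting silently yields a config whose `__YNH_ADMIN_USER__` slot becomes the empty string, and `ynh_store_file_checksum` then records that broken file as the intended one. `$language` gets an `if [ -z "$language" ]` fallback earlier in this script (visible in the patch 2 hunk), but nothing in the series shows an equivalent for `$admin`, which could plausibly be empty on an instance upgraded from a version that never stored the setting. Add `[ -n "$admin" ] || ynh_die "App setting 'admin' is empty; cannot rewrite local.protected.php"` before the `cp`, so the existing file and the backup just taken by `ynh_backup_if_checksum_is_different` are left untouched. That backup copy also lands next to the live config and will inherit whatever permissions conf/ gets later in this script — worth confirming it does not end up world-readable.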
@@ -163,8 +163,9 @@ cp ../conf/plugins.local.php $final_path/conf/plugins.local.php.bak # Calculate and store the config file checksum into the app settings ynh_store_file_checksum "$final_path/conf/local.protected.php" -ynh_store_file_checksum "$final_path/conf/local.php" -ynh_store_file_checksum "$final_path/conf/acl.auth.php" +### Files can be modified by user, no need to store checksum as they cannot be overwritten safely by package +#ynh_store_file_checksum "$final_path/conf/local.php" +#ynh_store_file_checksum "$final_path/conf/acl.auth.php" #================================================= #================================================= diff --git a/scripts/upgrade b/scripts/upgrade index c4e35e8..88280c4 100755 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -83,7 +83,6 @@ if [ ! -f "$final_path/conf/local.protected.php" ]; then fi # Do not overwrite existing dokuwiki configuration as it could have user customization's and settings. -# Cannot use helper "ynh_backup_if_checksum_is_different" # Create file if it does not exist if [ ! -f "$final_path/conf/local.php" ]; then cp ../conf/local.php $final_path/conf @@ -93,7 +92,6 @@ if [ ! -f "$final_path/conf/local.php" ]; then fi # Do not overwrite existing ACL configuration file as it could have user customization's and settings. -# Cannot use helper "ynh_backup_if_checksum_is_different" # Create file if it does not exist # See https://www.dokuwiki.org/acl#background_info if [ ! -f "$final_path/conf/acl.auth.php" ]; then 
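Review bot: Leaving the two `ynh_store_file_checksum` calls commented out keeps dead code in the install script that the next maintainer has to reason about, and the `###` prefix mixes a second comment convention into a block that otherwise uses `#`; the explanatory comment carries the decision on its own. Delete the two commented lines and keep a single comment, e.g. `# No checksum for local.php and acl.auth.php: DokuWiki owns and edits them, and the upgrade script only creates them when missing, never overwrites them`. The matching removal of the `# Cannot use helper ...` lines in upgrade already relies on exactly that reasoning.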
@@ -264,6 +262,8 @@ chown $app:root $final_path/inc # Do "DokuWiki" owner of configuration files that must be writable chown $app:root $final_path/conf/{local.php,local.php.bak,users.auth.php,acl.auth.php,plugins.local.php,plugins.local.php.bak} +# Usefull for some plugins like https://www.dokuwiki.org/plugin:siteexport +# See https://www.dokuwiki.org/devel:preload chown $app:root $final_path/inc/preload.php # Grant read-only to all files as files copied above are owned by root by defaut and nginx cannot read them # There are only files in the folder and there is sublevels. No need to use "find" From 7d3af37851a470c005889fff4a578ed95d996d19 Mon Sep 17 00:00:00 2001 From: Gofannon Date: Sat, 15 Sep 2018 21:39:12 +0200 Subject: [PATCH 6/8] [enh] redo "restore" following "upgrade" example --- scripts/restore | 42 ++++++++++++++++++++++++++++++++++-------- 1 file changed, 34 insertions(+), 8 deletions(-) diff --git a/scripts/restore b/scripts/restore index 754220d..5649801 100755 --- a/scripts/restore +++ b/scripts/restore 
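Review bot: The added comment says why `inc/preload.php` is chowned to `$app` but not what that grants: if, as the devel:preload reference suggests, DokuWiki loads this file early on every request (confirm), then a file writable by the php-fpm user is a ready-made persistence point for anyone who obtains code execution as `$app` through a plugin or a wiki vulnerability, and it sits inside the `inc/` tree that the rest of this section deliberately keeps root-owned and read-only. Make the trade-off explicit next to the chown, e.g. `# WARNING: preload.php is executed by DokuWiki on every request; giving $app write access makes it a persistence point for anything running as the web user. Only needed by plugins such as siteexport.`. A stricter alternative is to leave it root-owned (0644, still readable by $app) and let the siteexport documentation explain how to relax it, but that changes behaviour for users of that plugin and deserves a maintainers' decision rather than a drive-by edit. The permission section continues beyond this hunk.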
@@ -60,16 +60,42 @@ ynh_system_user_create $app # RESTORE USER RIGHTS #================================================= -# Restore permissions on app files +# Try to use "least privilege" to grant minimal access +# For details, see https://www.dokuwiki.org/install:permissions + +# Files owned by DokuWiki can just read chown -R root: $final_path -# Restore permissions same as from the 'install' script -# except for conf, data, some data subfolders, and lib/plugin, where www-data must have write permissions -chown -R $app:root $final_path/{conf,data,data/attic,data/cache,data/index,data/locks,data/media*,data/meta,data/pages,data/tmp,lib/plugins,lib/tpl} -chmod -R 700 $final_path/conf -chmod -R 700 $final_path/data -chmod -R 755 $final_path/lib/plugins -chmod 755 $final_path/lib/tpl/{dokuwiki,dokuwiki/images} +# DokuWiki needs to write inside these folders. Do "DokuWiki" owner +chown $app:root $final_path/conf +chown $app:root $final_path/inc + +# Do "DokuWiki" owner of configuration files that must be writable +chown $app:root $final_path/conf/{local.php,local.php.bak,users.auth.php,acl.auth.php,plugins.local.php,plugins.local.php.bak} +# Usefull for some plugins like https://www.dokuwiki.org/plugin:siteexport +# See https://www.dokuwiki.org/devel:preload +chown $app:root $final_path/inc/preload.php +# Grant read-only to all files as files copied above are owned by root by defaut and nginx cannot read them +# There are only files in the folder and there is sublevels. 
No need to use "find" +chmod -R a+r $final_path/conf +chmod -R a+r $final_path/inc + +# Give write access to "data" and subfolders +chown -R $app:root $final_path/data +# Remove access to "other" +chmod -R o-rwx $final_path/data + +# Allow the web admin panel to run, aka "Extension Manager" +chown -R $app:root $final_path/lib/plugins +# Allow to install templates +chown -R $app:root $final_path/lib/tpl + +# Allow access to public assets like style sheets +find $final_path/lib -type f -print0 | xargs -0 chmod 0644 +find $final_path/lib -type d -print0 | xargs -0 chmod 0755 +# Using "find" instead of "chmod -R 755" so files does not become executable too +# chmod : -rwxr-xr-x 1 root root 241 May 3 08:36 index.html => BAD +# find : -rw-r--r-- 1 1001 1002 241 May 3 08:36 index.html => GOOD #================================================= # RESTORE THE PHP-FPM CONFIGURATION From d27f37799b3453f85c023690969fdde4ee7ee03b Mon Sep 17 00:00:00 2001 From: Jimmy Monin Date: Sun, 16 Sep 2018 09:00:36 +0200 Subject: [PATCH 7/8] Typo fixes --- scripts/install | 2 +- scripts/restore | 4 ++-- scripts/upgrade | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/scripts/install b/scripts/install index 88017cb..046c816 100755 --- a/scripts/install +++ b/scripts/install @@ -190,7 +190,7 @@ chown $app:root $final_path/conf/{local.php,local.php.bak,users.auth.php,acl.aut # See https://www.dokuwiki.org/devel:preload chown $app:root $final_path/inc/preload.php # Grant read-only to all files as files copied above are owned by root by defaut and nginx cannot read them -# There are only files in the folder and there is sublevels. No need to use "find" +# There are only files in the folder and there are no sublevels. No need to use "find" chmod -R a+r $final_path/conf chmod -R a+r $final_path/inc diff --git a/scripts/restore b/scripts/restore index 5649801..f8363c7 100755 --- a/scripts/restore +++ b/scripts/restore 
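Review bot: `chmod -R a+r $final_path/conf` makes every file under conf/ readable by every local account, including `users.auth.php` (password hashes when DokuWiki's own auth backend is used) and `local.protected.php`, which this series describes as the LDAP and admin configuration; only php-fpm running as `$app` needs to read them (assuming nothing else, nginx included, reads conf/), and `data/` in the same hunk is correctly stripped with `o-rwx`. Give the group to the app instead of the world: `chown -R root:$app $final_path/conf` for that subtree (the per-file `chown $app:root` lines stay as they are) and `chmod -R o-rwx $final_path/conf` in place of `chmod -R a+r $final_path/conf`, with the same treatment for `inc/`. Separately, `chown $app:root $final_path/conf` and `chown $app:root $final_path/inc` hand the directories themselves to the web user; with the default directory mode (not set in this hunk) a directory owner can unlink or rename any entry regardless of that entry's owner, so root ownership of `local.protected.php` and of the core files in `inc/` prevents in-place edits but not wholesale replacement. If DokuWiki genuinely needs to create files in conf/ that is a trade-off worth a comment, but for `inc/` owning just `preload.php` rather than the directory would keep the core read-only as the section intends.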
@@ -72,11 +72,11 @@ chown $app:root $final_path/inc # Do "DokuWiki" owner of configuration files that must be writable chown $app:root $final_path/conf/{local.php,local.php.bak,users.auth.php,acl.auth.php,plugins.local.php,plugins.local.php.bak} -# Usefull for some plugins like https://www.dokuwiki.org/plugin:siteexport +# Useful for some plugins like https://www.dokuwiki.org/plugin:siteexport # See https://www.dokuwiki.org/devel:preload chown $app:root $final_path/inc/preload.php # Grant read-only to all files as files copied above are owned by root by defaut and nginx cannot read them -# There are only files in the folder and there is sublevels. No need to use "find" +# There are only files in the folder and there are no sublevels. No need to use "find" chmod -R a+r $final_path/conf chmod -R a+r $final_path/inc diff --git a/scripts/upgrade b/scripts/upgrade index 88280c4..dd23203 100755 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -262,7 +262,7 @@ chown $app:root $final_path/inc # Do "DokuWiki" owner of configuration files that must be writable chown $app:root $final_path/conf/{local.php,local.php.bak,users.auth.php,acl.auth.php,plugins.local.php,plugins.local.php.bak} -# Usefull for some plugins like https://www.dokuwiki.org/plugin:siteexport +# Useful for some plugins like https://www.dokuwiki.org/plugin:siteexport # See https://www.dokuwiki.org/devel:preload chown $app:root $final_path/inc/preload.php # Grant read-only to all files as files copied above are owned by root by defaut and nginx cannot read them From 3bb15d1eab1c28cfb62f9f38b4e4c02416591397 Mon Sep 17 00:00:00 2001 From: Maniack Crudelis Date: Mon, 17 Sep 2018 11:04:53 +0200 Subject: [PATCH 8/8] Fix weird linter error --- scripts/upgrade | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/upgrade b/scripts/upgrade index dd23203..75be9a7 100755 --- a/scripts/upgrade +++ b/scripts/upgrade 
@@ -215,7 +215,7 @@ fi # TODO Taken from old "upgrade" script. Should check if it is needed and what it does # Update all plugins -for name_plugin in $(sudo -s cat $final_path/lib/plugins/*/plugin.info.txt | grep url | awk -F':' '{print $3}'); +for name_plugin in $(sudo -s cat $final_path/lib/plugins/*/plugin.info.txt | grep url | awk -F ':' '{print $3}'); do # Get a official plugin for dokuwiki, not update a no-official sudo wget -nv --quiet "https://github.com/splitbrain/dokuwiki-plugin-${name_plugin}/zipball/master" -O "${name_plugin}.zip" -o /dev/null || true