Merge pull request #40 from Gofannon/fix_conf_folder_handling

Fix conf folder handling + fix admin user + misc enhancements

scripts/install

@@ -100,15 +100,6 @@ ynh_add_fpm_config
 # CUSTOMIZE DOKUWIKI
 #=================================================
 
-# Set the "admin" user
-ynh_replace_string "__YNH_ADMIN_USER__" "$admin"  "../conf/local.protected.php"
-
-# Set the "language"
-ynh_replace_string "__YNH_LANGUAGE__" "$language" "../conf/local.php"
-
-
-# Copy Yunohost specific configuration
-
 # Loading order of configuration files
 #
 # By default DokuWiki loads its configuration files in the following order:
@@ -119,13 +110,23 @@ ynh_replace_string "__YNH_LANGUAGE__" "$language" "../conf/local.php"
 #
 # See https://www.dokuwiki.org/plugin:config#protecting_settings
 
-cp ../conf/local.protected.php $final_path/conf
+
+### Copy Yunohost specific configuration
 # This File cannot be modified directly by Dokuwiki, only by hand or by Yunohost
 # It will only be updated by Yunohost package or directly by adventurous users
+cp ../conf/local.protected.php $final_path/conf
+
+# Set the "admin" user
+ynh_replace_string "__YNH_ADMIN_USER__" "$admin"    "$final_path/conf/local.protected.php"
+
 
-cp ../conf/local.php           $final_path/conf
 # This file might be modified by dokuwiki admin panel or by plugins
 # It will not be modified by Yunohost in order to keep user settings
+cp ../conf/local.php           $final_path/conf
+
+# Set the "language"
+ynh_replace_string "__YNH_LANGUAGE__"   "$language" "$final_path/conf/local.php"
+
 
 # Restrict user rights by enforcing "read-only" mode for all users
 # See https://www.dokuwiki.org/acl#background_info
@@ -144,11 +145,11 @@ cp ../conf/acl.auth.php $final_path/conf
 cp $final_path/conf/local.php.dist      $final_path/conf/local.php.bak
 cp $final_path/conf/users.auth.php.dist $final_path/conf/users.auth.php
 
-cp $final_path/inc/preload.php.dist     $final_path/inc/preload.php
 # This file might be used by plugins like https://www.dokuwiki.org/plugin:siteexport
 # Create it to be more "user friendly" as over the top security is not the main goal here
 # This file could be use for bad behaviour.
 # See https://www.dokuwiki.org/devel:preload?s[]=preload
+cp $final_path/inc/preload.php.dist     $final_path/inc/preload.php
 
 # There is no template .dist provided inside DokuWiki installation folder
 # Create "empty" files to be able to manage linux permissions
@@ -156,23 +157,15 @@ cp $final_path/inc/preload.php.dist     $final_path/inc/preload.php
 cp ../conf/plugins.local.php            $final_path/conf
 cp ../conf/plugins.local.php            $final_path/conf/plugins.local.php.bak
 
-# Create file if it does not exist
-if [ ! -f "$final_path/conf/local.protected.php" ]; then
-	# Set the default "admin"
-	# Replace string in order to have a functionnal configuration file
-	ynh_replace_string "__YNH_ADMIN_USER__" "$admin" "../conf/local.protected.php"
-
-	cp ../conf/local.protected.php $final_path/conf
-fi
-
 #=================================================
 # STORE THE CHECKSUM OF THE CONFIG FILE
 #=================================================
 
 # Calculate and store the config file checksum into the app settings
 ynh_store_file_checksum "$final_path/conf/local.protected.php"
-ynh_store_file_checksum "$final_path/conf/local.php"
-ynh_store_file_checksum "$final_path/conf/acl.auth.php"
+### Files can be modified by user, no need to store checksum as they cannot be overwritten safely by package
+#ynh_store_file_checksum "$final_path/conf/local.php"
+#ynh_store_file_checksum "$final_path/conf/acl.auth.php"
 #=================================================
 
 #=================================================
@@ -197,7 +190,7 @@ chown $app:root $final_path/conf/{local.php,local.php.bak,users.auth.php,acl.aut
 # See https://www.dokuwiki.org/devel:preload
 chown $app:root $final_path/inc/preload.php
 # Grant read-only to all files as files copied above are owned by root by defaut and nginx cannot read them
-# There are only files in the folder and there is sublevels. No need to use "find"
+# There are only files in the folder and there are no sublevels. No need to use "find"
 chmod -R a+r $final_path/conf
 chmod -R a+r $final_path/inc
 

scripts/restore

@@ -60,16 +60,42 @@ ynh_system_user_create $app
 # RESTORE USER RIGHTS
 #=================================================
 
-# Restore permissions on app files
+# Try to use "least privilege" to grant minimal access
+# For details, see https://www.dokuwiki.org/install:permissions
+
+# Files owned by DokuWiki can just read
 chown -R root: $final_path
 
-# Restore permissions same as from the 'install' script
-# except for conf, data, some data subfolders, and lib/plugin, where www-data must have write permissions
-chown -R $app:root $final_path/{conf,data,data/attic,data/cache,data/index,data/locks,data/media*,data/meta,data/pages,data/tmp,lib/plugins,lib/tpl}
-chmod -R 700 $final_path/conf
-chmod -R 700 $final_path/data
-chmod -R 755 $final_path/lib/plugins
-chmod 755 $final_path/lib/tpl/{dokuwiki,dokuwiki/images}
+# DokuWiki needs to write inside these folders. Do "DokuWiki" owner
+chown $app:root $final_path/conf
+chown $app:root $final_path/inc
+
+# Do "DokuWiki" owner of configuration files that must be writable
+chown $app:root $final_path/conf/{local.php,local.php.bak,users.auth.php,acl.auth.php,plugins.local.php,plugins.local.php.bak}
+# Useful for some plugins like https://www.dokuwiki.org/plugin:siteexport
+# See https://www.dokuwiki.org/devel:preload
+chown $app:root $final_path/inc/preload.php
+# Grant read-only to all files as files copied above are owned by root by defaut and nginx cannot read them
+# There are only files in the folder and there are no sublevels. No need to use "find"
+chmod -R a+r $final_path/conf
+chmod -R a+r $final_path/inc
+
+# Give write access to "data" and subfolders
+chown -R $app:root $final_path/data
+# Remove access to "other"
+chmod -R o-rwx $final_path/data
+
+# Allow the web admin panel to run, aka "Extension Manager"
+chown -R $app:root $final_path/lib/plugins
+# Allow to install templates
+chown -R $app:root $final_path/lib/tpl
+
+# Allow access to public assets like style sheets
+find $final_path/lib -type f -print0 | xargs -0 chmod 0644
+find $final_path/lib -type d -print0 | xargs -0 chmod 0755
+# Using "find" instead of "chmod -R 755" so files does not become executable too
+# chmod :   -rwxr-xr-x  1 root root  241 May  3 08:36 index.html   => BAD
+# find  :   -rw-r--r--  1 1001 1002  241 May  3 08:36 index.html   => GOOD
 
 #=================================================
 # RESTORE THE PHP-FPM CONFIGURATION

scripts/upgrade

@@ -56,6 +56,7 @@ if [ -z "$language" ]; then
 fi
 
 
+
 # Yunohost specific configuration, if not exists
 
 # Previously, these settings were store a unique "dokuwiki.php"
@@ -75,45 +76,34 @@ fi
 # Configuration dedicated to Yunohost (LDAP and admin mainly)
 # Create file if it does not exist
 if [ ! -f "$final_path/conf/local.protected.php" ]; then
-	# Set the default "admin"
-	# Replace string in order to have a functionnal configuration file
-	ynh_replace_string "__YNH_ADMIN_USER__" "$admin" "../conf/local.protected.php"
-
 	cp ../conf/local.protected.php $final_path/conf
+
+	# Set the default "admin"
+	ynh_replace_string "__YNH_ADMIN_USER__" "$admin" "$final_path/conf/local.protected.php"
 fi
 
 # Do not overwrite existing dokuwiki configuration as it could have user customization's and settings.
-# Cannot use helper "ynh_backup_if_checksum_is_different"
 # Create file if it does not exist
 if [ ! -f "$final_path/conf/local.php" ]; then
-	# Set the default "language" only when file does not exist beforehand
-	# Replace string in order to have a functionnal configuration file
-	ynh_replace_string "__YNH_LANGUAGE__" "$language" "../conf/local.php"
-
 	cp ../conf/local.php $final_path/conf
+
+	# Set the default "language"
+	ynh_replace_string "__YNH_LANGUAGE__" "$language" "$final_path/conf/local.php"
 fi
 
 # Do not overwrite existing ACL configuration file as it could have user customization's and settings.
-# Cannot use helper "ynh_backup_if_checksum_is_different"
 # Create file if it does not exist
 # See https://www.dokuwiki.org/acl#background_info
 if [ ! -f "$final_path/conf/acl.auth.php" ]; then
 	cp ../conf/acl.auth.php $final_path/conf
 fi
 
+
+
 # For securing DokuWiki installation, create default files that will be writable in the "conf" folder.
 # Other files will be read ony and owned by root.
 # See https://www.dokuwiki.org/install:permissions
 
-# Create file if it does not exist
-if [ ! -f "$final_path/conf/local.protected.php" ]; then
-	# Set the default "admin"
-	# Replace string in order to have a functionnal configuration file
-	ynh_replace_string "__YNH_ADMIN_USER__" "$admin" "../conf/local.protected.php"
-
-	cp ../conf/local.protected.php $final_path/conf
-fi
-
 # If file does not exists
 if [ ! -f "$final_path/conf/local.php.bak" ]; then
 	# if template exists
@@ -225,7 +215,7 @@ fi
 
 # TODO Taken from old "upgrade" script. Should check if it is needed and what it does
 # Update all plugins
-for name_plugin in $(sudo -s cat $final_path/lib/plugins/*/plugin.info.txt | grep url | awk -F':' '{print $3}');
+for name_plugin in $(sudo -s cat $final_path/lib/plugins/*/plugin.info.txt | grep url | awk -F ':' '{print $3}');
 do
 	# Get a official plugin for dokuwiki, not update a no-official
 	sudo wget -nv --quiet "https://github.com/splitbrain/dokuwiki-plugin-${name_plugin}/zipball/master" -O "${name_plugin}.zip" -o /dev/null || true
@@ -241,20 +231,17 @@ done
 # LDAP Configuration
 #=================================================
 
-# Verify if existing file needs to be upgraded by comparing it's size to new file from package
-# If different, do a backup of existing file and overwrite with new file
-#
-# Safe here as this file is only used by Yunohost. Dokuwiki cannot modified it.
+### Verify the checksum of a file, stored by `ynh_store_file_checksum` in the install script.
+### And create a backup of this file if the checksum is different. So the file will be backed up if the admin had modified it.
 ynh_backup_if_checksum_is_different "$final_path/conf/local.protected.php"
 
-# Set the "admin" user
-ynh_replace_string "__YNH_ADMIN_USER__" "$admin"  "../conf/local.protected.php"
-
+# Always overwrite local file with the one from package.
 cp ../conf/local.protected.php $final_path/conf
-# This File cannot be modified directly by Dokuwiki, only by hand or by Yunohost
-# It will only be updated by Yunohost package or directly by adventurous users
 
-# Recalculate and store the config file checksum into the app settings
+# Set the "admin" user
+ynh_replace_string "__YNH_ADMIN_USER__" "$admin"  "$final_path/conf/local.protected.php"
+
+# Recalculate and store the checksum of the file for the next upgrade.
 ynh_store_file_checksum "$final_path/conf/local.protected.php"
 
 #=================================================
@@ -275,6 +262,8 @@ chown $app:root $final_path/inc
 
 # Do "DokuWiki" owner of configuration files that must be writable
 chown $app:root $final_path/conf/{local.php,local.php.bak,users.auth.php,acl.auth.php,plugins.local.php,plugins.local.php.bak}
+# Useful for some plugins like https://www.dokuwiki.org/plugin:siteexport
+# See https://www.dokuwiki.org/devel:preload
 chown $app:root $final_path/inc/preload.php
 # Grant read-only to all files as files copied above are owned by root by defaut and nginx cannot read them
 # There are only files in the folder and there is sublevels. No need to use "find"