From 5de81939984f23c299bc18035e185877edf90a68 Mon Sep 17 00:00:00 2001
From: keoma
Date: Sun, 10 Feb 2019 19:51:12 +0100
Subject: [PATCH] create a dedicated system user with sudo permissions
---
 conf/sudoers.conf | 12 ++++++++++++
 scripts/install | 22 ++++++++++++++++++----
 scripts/remove | 4 ++++
 sources/controller.php | 2 +-
 4 files changed, 35 insertions(+), 5 deletions(-)
 create mode 100644 conf/sudoers.conf
diff --git a/conf/sudoers.conf b/conf/sudoers.conf
new file mode 100644
index 0000000..fd5f84a
--- /dev/null
+++ b/conf/sudoers.conf
@@ -0,0 +1,12 @@
+Cmnd_Alias HOTSPOT_YUNOHOST = /usr/bin/yunohost app info hotspot *,\
+ /usr/bin/yunohost app setting hotspot *,\
+ /usr/bin/yunohost app setting vpnclient *
+
+Cmnd_Alias HOTSPOT_SERVICE = /bin/systemctl stop ynh-hotspot,\
+ /bin/systemctl start ynh-hotspot
+
+Cmnd_Alias HOTSPOT_MISC = /usr/local/bin/ynh-hotspot *,\
+ /usr/local/bin/iw_devices *,\
+ /usr/local/bin/iw_multissid *
+
+__HOTSPOT_SYSUSER__ ALL = NOPASSWD: /bin/grep, HOTSPOT_YUNOHOST, HOTSPOT_SERVICE, HOTSPOT_MISC
diff --git a/scripts/install b/scripts/install
index b06ca24..90536df 100644
--- a/scripts/install
+++ b/scripts/install
@@ -45,6 +45,7 @@ wifi_passphrase=$YNH_APP_ARG_WIFI_PASSPHRASE
 firmware_nonfree=$YNH_APP_ARG_FIRMWARE_NONFREE
 app=$YNH_APP_INSTANCE_NAME
+sysuser="${app}"
 # the service name must match the service template files
 service_name='ynh-hotspot'
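Review bot: The last line grants `/bin/grep` under NOPASSWD with no argument restriction, which lets the `__HOTSPOT_SYSUSER__` account (the php-fpm user after this patch) read any root-readable file on the host, far beyond what a status page needs. The `*` wildcards in the three aliases also match any string including white space, so `yunohost app setting hotspot *` and the HOTSPOT_MISC entries accept arbitrary trailing arguments rather than a fixed invocation. Pin grep to the exact call the controller makes, e.g. `/bin/grep <PATTERN> <FILE>` (placeholders; the real arguments are not on this page) or have the web code read that file without sudo, and spell out the argument forms the other commands actually need. Until that is done the rule set should be reviewed as if the web user could read the whole filesystem as root.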
@@ -197,6 +198,19 @@ ynh_app_setting_set $app ip4_nat_prefix 10.0.242
 ynh_app_setting_set $app vpnclient no
 ynh_app_setting_set $app service_name $service_name
+#=================================================
+# CREATE DEDICATED USER
+#=================================================
+
+# Ensure the app has its own system user
+if ! ynh_system_user_exists ${sysuser}
+then
+ ynh_system_user_create ${sysuser}
+fi
+
+# Ensure the system user has enough sudo permissions
+install -b -o root -g root -m 0440 ../conf/sudoers.conf /etc/sudoers.d/${app}_ynh
+ynh_replace_string "__HOTSPOT_SYSUSER__" "${sysuser}" /etc/sudoers.d/${app}_ynh
 #=================================================
 # INSTALL CUSTOM SCRIPTS
@@ -246,10 +260,10 @@ sed 's||/var/www/wifiadmin/|g' -i "/etc/nginx/conf.d/${domai
 sed 's||wifiadmin|g' -i "/etc/nginx/conf.d/${domain}.d/wifiadmin.conf"
 ## php-fpm
-sed 's||wifiadmin|g' -i /etc/php5/fpm/pool.d/wifiadmin.conf
-sed 's||admin|g' -i /etc/php5/fpm/pool.d/wifiadmin.conf
-sed 's||admins|g' -i /etc/php5/fpm/pool.d/wifiadmin.conf
-sed 's||/var/www/wifiadmin/|g' -i /etc/php5/fpm/pool.d/wifiadmin.conf
+sed "s||wifiadmin|g" -i /etc/php5/fpm/pool.d/wifiadmin.conf
+sed "s||${sysuser}|g" -i /etc/php5/fpm/pool.d/wifiadmin.conf
+sed "s||${sysuser}|g" -i /etc/php5/fpm/pool.d/wifiadmin.conf
+sed "s||/var/www/wifiadmin/|g" -i /etc/php5/fpm/pool.d/wifiadmin.conf
 # Fix sources
 sed "s||${path_url}|g" -i /var/www/wifiadmin/config.php
diff --git a/scripts/remove b/scripts/remove
index 686375f..19e6bcd 100644
--- a/scripts/remove
+++ b/scripts/remove
@@ -58,6 +58,7 @@ for FILE in $(ls /etc/hostapd/hostapd.conf{.tpl?,})
 do
 ynh_secure_remove "$FILE"
 done
+ynh_secure_remove /etc/sudoers.d/hotspot_ynh
 # Remove packages
 if [[ $firmware_nonfree == yes ]]; then
@@ -79,3 +80,6 @@ systemctl reload nginx
 # Remove sources
 ynh_secure_remove /var/www/wifiadmin/
+
+# Remove user
+ynh_system_user_delete ${app}
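Review bot: The sudoers fragment is copied straight into `/etc/sudoers.d/${app}_ynh` and then rewritten in place with `ynh_replace_string`, with no syntax check at any point; a malformed drop-in makes sudo reject every rule on the host, not just this app's, so the file should be rendered to a temporary path, checked with `visudo -cf`, and only then installed. `install -b` also leaves a `~` backup next to the live file on reinstall (sudo skips names containing `~`, but nothing ever removes it), and dropping `-b` once the temp-file flow is in place avoids that. The drop-in is named from `${app}` here, while the scripts/remove hunk in this same patch deletes the fixed name `/etc/sudoers.d/hotspot_ynh`, so a non-default instance name leaves the sudo rule behind after removal; that line should read `ynh_secure_remove /etc/sudoers.d/${app}_ynh`.
```shell
# Ensure the system user has enough sudo permissions
tmp_sudoers=$(mktemp)
cp ../conf/sudoers.conf "$tmp_sudoers"
ynh_replace_string "__HOTSPOT_SYSUSER__" "${sysuser}" "$tmp_sudoers"
# A broken drop-in disables sudo host-wide; refuse to install one
visudo -cf "$tmp_sudoers" || ynh_die "sudoers fragment for ${app} is invalid"
install -o root -g root -m 0440 "$tmp_sudoers" /etc/sudoers.d/${app}_ynh
rm -f "$tmp_sudoers"
```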
diff --git a/sources/controller.php b/sources/controller.php
index 98a224d..d42f37c 100644
--- a/sources/controller.php
+++ b/sources/controller.php
@@ -47,7 +47,7 @@ function service_status() {
 }
 function service_faststatus() {
- exec('sudo systemctl is-active hostapd', $output, $retcode);
+ exec('systemctl is-active hostapd', $output, $retcode);
 return $retcode;
 }
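Review bot: Dropping `sudo` here is consistent with the new drop-in, which grants the web user only `systemctl stop`/`start ynh-hotspot` and nothing for `is-active`, and `systemctl is-active` answers for an unprivileged caller anyway. Any other `sudo systemctl` query still in this file — `service_status()` just above starts outside the hunk and is not visible here — would now be denied for the dedicated user instead of returning a status, so the remaining call sites are worth checking against the alias list before this is merged. A short comment on the new line would keep the next reader from re-adding sudo, e.g. `// no sudo: is-active only queries state and is deliberately absent from the sudoers allow-list`.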