From 66cc5be9f8a41090ad38d71032ec7ec6ec366330 Mon Sep 17 00:00:00 2001 From: Alexandre Aubin Date: Wed, 17 Jun 2020 15:54:40 +0200 Subject: [PATCH 1/7] Fuck that shit why have a user with different name than the app -_- --- conf/ssh_regenconf_hook | 2 +- scripts/actions/sftp | 2 -- scripts/config | 3 +-- scripts/install | 23 +++++------------------ scripts/remove | 3 +-- scripts/restore | 9 +++------ scripts/upgrade | 21 +++++---------------- 7 files changed, 16 insertions(+), 47 deletions(-) diff --git a/conf/ssh_regenconf_hook b/conf/ssh_regenconf_hook index 5666bd5..6e8666e 100644 --- a/conf/ssh_regenconf_hook +++ b/conf/ssh_regenconf_hook @@ -11,7 +11,7 @@ echo " ##-> __APP__ # Hardening user connection -Match User __USER__ +Match User __APP__ ChrootDirectory %h ForceCommand internal-sftp AllowTcpForwarding no diff --git a/scripts/actions/sftp b/scripts/actions/sftp index da2aede..2b13b82 100755 --- a/scripts/actions/sftp +++ b/scripts/actions/sftp @@ -16,7 +16,6 @@ source /usr/share/yunohost/helpers app=${YNH_APP_INSTANCE_NAME:-$YNH_APP_ID} with_sftp=${YNH_ACTION_WITH_SFTP} -user=$(ynh_app_setting_get --app=$app --key=user) #================================================= # CHECK IF ARGUMENTS ARE CORRECT @@ -46,7 +45,6 @@ then cp -R conf/ssh_regenconf_hook /usr/share/yunohost/hooks/conf_regen/90-ssh_$app ynh_replace_string --match_string="__APP__" --replace_string="$app" --target_file=/usr/share/yunohost/hooks/conf_regen/90-ssh_$app - ynh_replace_string --match_string="__USER__" --replace_string="$user" --target_file=/usr/share/yunohost/hooks/conf_regen/90-ssh_$app yunohost tools regen-conf ssh else ynh_script_progression --message="Removing the custom ssh config for the SFTP access..." --weight=3 diff --git a/scripts/config b/scripts/config index f373efb..b1024be 100644 --- a/scripts/config +++ b/scripts/config 
@@ -126,9 +126,8 @@ apply_config() { # Disable the sftp access, as the password is incorrect yunohost app action run $app sftp --args with_sftp=0 else - user=$(ynh_app_setting_get --app=$app --key=user) # Add the password to the user - chpasswd <<< "${user}:${password}" + chpasswd <<< "${app}:${password}" ynh_app_setting_set --app=$app --key=password --value="$password" fi fi diff --git a/scripts/install b/scripts/install index 01db129..19cb9e1 100644 --- a/scripts/install +++ b/scripts/install @@ -56,13 +56,11 @@ ynh_webpath_register --app=$app --domain=$domain --path_url=$path_url #================================================= ynh_script_progression --message="Storing installation settings..." -user=webapp${app_nb} ynh_app_setting_set --app=$app --key=domain --value=$domain ynh_app_setting_set --app=$app --key=path --value=$path_url ynh_app_setting_set --app=$app --key=is_public --value=$is_public ynh_app_setting_set --app=$app --key=with_mysql --value=$with_mysql ynh_app_setting_set --app=$app --key=with_sftp --value=$with_sftp -ynh_app_setting_set --app=$app --key=user --value=$user ynh_app_setting_set --app=$app --key=final_path --value=$final_path ynh_app_setting_set --app=$app --key=overwrite_nginx --value=0 @@ -97,13 +95,12 @@ ynh_add_nginx_config #================================================= ynh_script_progression --message="Configuring system user..." -# Create a standard user (not a system user for sftp) -ynh_system_user_exists --username=$user || \ - useradd -d "$final_path" -M --user-group "$user" +ynh_system_user_create --username=$app --home_dir="$final_path" + if [ $with_sftp -eq 1 ] then # Add the password to this user - chpasswd <<< "${user}:${password}" + chpasswd <<< "${app}:${password}" ynh_app_setting_set --app=$app --key=password --value="$password" fi 
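Review bot: `ynh_system_user_create --username=$app --home_dir="$final_path"` in the install hunk at @@ -97 replaces a `useradd` whose comment explained why a non-system account had been chosen for SFTP, and the new line records no reasoning for why a helper-created account is acceptable now. If the helper creates a system account with a nologin shell (I believe it does unless told otherwise), the `ForceCommand internal-sftp` set by the ssh hook needs no shell, so the change is presumably fine, but that should be written down: `# A system account (nologin shell) is fine here: the ssh hook forces internal-sftp, which needs no shell`. The same replacement appears in restore (@@ -74) and upgrade (@@ -149) and deserves the same comment. When with_sftp is 0 no chpasswd runs, so the account presumably stays with the locked password useradd gives by default, which is the desirable state.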
@@ -119,7 +116,6 @@ then cp -R ../conf/ssh_regenconf_hook /usr/share/yunohost/hooks/conf_regen/90-ssh_$app ynh_replace_string --match_string="__APP__" --replace_string="$app" --target_file=/usr/share/yunohost/hooks/conf_regen/90-ssh_$app - ynh_replace_string --match_string="__USER__" --replace_string="$user" --target_file=/usr/share/yunohost/hooks/conf_regen/90-ssh_$app yunohost tools regen-conf ssh fi @@ -133,7 +129,6 @@ mkdir -p "$final_path/www" if [ $with_sftp -eq 1 ] then ynh_replace_string --match_string="__DOMAIN__" --replace_string="$domain" --target_file=../sources/www/index.html - ynh_replace_string --match_string="__USER__" --replace_string="$user" --target_file=../sources/www/index.html # Copy files to the right place cp "../sources/www/index.html" "$final_path/www/index.html" @@ -159,21 +154,13 @@ ynh_script_progression --message="Configuring php-fpm..." --weight=2 # Create a dedicated php-fpm config ynh_add_fpm_config --usage=low --footprint=low -# use $user instead of $app as user that run the fpm processes -finalphpconf="/etc/php/7.0/fpm/pool.d/$app.conf" -ynh_replace_string --match_string="^user = .*" --replace_string="user = $user" --target_file="$finalphpconf" -ynh_replace_string --match_string="^group = .*" --replace_string="group = $user" --target_file="$finalphpconf" -ynh_store_file_checksum --file="$finalphpconf" - -ynh_systemd_action --service_name=php7.0-fpm --action=reload - #================================================= # GENERIC FINALIZATION #================================================= # SECURE FILES AND DIRECTORIES #================================================= -chown -R $user: "$final_path" +chown -R $app: "$final_path" # Home directory of the user needs to be owned by root to allow # SFTP connections chown root: "$final_path" 
@@ -218,7 +205,7 @@ then sftp_infos="You can connect to this repository by using sftp with the following credentials. Domain: $domain Port: $(grep "^Port" /etc/ssh/sshd_config | awk '{print $2}') -User: $user +User: $app Password: The one you set at installation." else sftp_infos="" diff --git a/scripts/remove b/scripts/remove index fe1f5f9..5f64004 100644 --- a/scripts/remove +++ b/scripts/remove @@ -19,7 +19,6 @@ app=$YNH_APP_INSTANCE_NAME domain=$(ynh_app_setting_get --app=$app --key=domain) with_mysql=$(ynh_app_setting_get --app=$app --key=with_mysql) with_sftp=$(ynh_app_setting_get --app=$app --key=with_sftp) -user=$(ynh_app_setting_get --app=$app --key=user) db_name=$(ynh_app_setting_get --app=$app --key=db_name) db_user=$db_name @@ -83,7 +82,7 @@ fi ynh_script_progression --message="Removing the dedicated system user..." # Delete a system user -ynh_system_user_delete --username=$user +ynh_system_user_delete --username=$app #================================================= # END OF SCRIPT diff --git a/scripts/restore b/scripts/restore index a30508f..57d6700 100644 --- a/scripts/restore +++ b/scripts/restore @@ -30,7 +30,6 @@ db_name=$(ynh_app_setting_get --app=$app --key=db_name) with_mysql=$(ynh_app_setting_get --app=$app --key=with_mysql) with_sftp=$(ynh_app_setting_get --app=$app --key=with_sftp) password=$(ynh_app_setting_get --app=$app --key=password) -user=$(ynh_app_setting_get --app=$app --key=user) #================================================= # CHECK IF THE APP CAN BE RESTORED 
@@ -74,14 +73,12 @@ fi #================================================= ynh_script_progression --message="Recreating the dedicated system user..." --weight=2 -# Create a standard user (not a system user for sftp) -ynh_system_user_exists --username=$user || \ - useradd -d "$final_path" -M --user-group "$user" +ynh_system_user_create --username=$app --home_dir="$final_path" if [ -n "$password" ] then # Add the password to this user - chpasswd <<< "${user}:${password}" + chpasswd <<< "${app}:${password}" fi #================================================= @@ -89,7 +86,7 @@ fi #================================================= # Restore permissions on app files -chown -R $user: "$final_path" +chown -R $app: "$final_path" # Home directory of the user need to be owned by root to allow # SFTP connections chown root: "$final_path" diff --git a/scripts/upgrade b/scripts/upgrade index 246f75a..76023a6 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -24,7 +24,6 @@ db_name=$(ynh_app_setting_get --app=$app --key=db_name) with_mysql=$(ynh_app_setting_get --app=$app --key=with_mysql) with_sftp=$(ynh_app_setting_get --app=$app --key=with_sftp) password=$(ynh_app_setting_get --app=$app --key=password) -user=$(ynh_app_setting_get --app=$app --key=user) overwrite_nginx=$(ynh_app_setting_get --app=$app --key=overwrite_nginx) overwrite_phpfpm=$(ynh_app_setting_get --app=$app --key=overwrite_phpfpm) 
@@ -149,18 +148,17 @@ fi #================================================= ynh_script_progression --message="Making sure dedicated system user exists..." --weight=2 -# Create a standard user (not a system user for sftp) -ynh_system_user_exists --username=$user || \ - useradd -d "$final_path" -M --user-group "$user" +ynh_system_user_create --username=$app --home_dir="$final_path" + if [ $with_sftp -eq 1 ] then # Add the password to this user - chpasswd <<< "${user}:${password}" + chpasswd <<< "${app}:${password}" fi # Change the user group for previous my_webapp install script -groupadd -f "$user" -usermod -g "$user" "$user" +groupadd -f "$app" +usermod -g "$app" "$app" #================================================= # PHP-FPM CONFIGURATION @@ -173,14 +171,6 @@ then # Create a dedicated php-fpm config ynh_add_fpm_config --usage=$fpm_usage --footprint=$fpm_footprint - - # Use $user instead of $app as user that run the fpm processes - finalphpconf="/etc/php/7.0/fpm/pool.d/$app.conf" - ynh_replace_string --match_string="^user = .*" --replace_string="user = $user" --target_file="$finalphpconf" - ynh_replace_string --match_string="^group = .*" --replace_string="group = $user" --target_file="$finalphpconf" - ynh_store_file_checksum --file="$finalphpconf" - - ynh_systemd_action --service_name=php7.0-fpm --action=reload fi #================================================= @@ -196,7 +186,6 @@ then cp -R ../conf/ssh_regenconf_hook /usr/share/yunohost/hooks/conf_regen/90-ssh_$app ynh_replace_string --match_string="__APP__" --replace_string="$app" --target_file=/usr/share/yunohost/hooks/conf_regen/90-ssh_$app - ynh_replace_string --match_string="__USER__" --replace_string="$user" --target_file=/usr/share/yunohost/hooks/conf_regen/90-ssh_$app yunohost tools regen-conf ssh fi From fba6f8e4955b951ad7b2b74a699440f76761e596 Mon Sep 17 00:00:00 2001 
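Review bot: The upgrade hunk at @@ -149 creates the `$app` account, but unlike install (@@ -159, `chown -R $app: "$final_path"`) and restore (@@ -89) no re-ownership of `$final_path` appears in any upgrade hunk, so files written under the previous `webapp<N>` account presumably keep their old owner while php-fpm now runs as `$app` (the pool override is dropped at @@ -173). If the rest of the script does not re-own the tree, add after the user creation `chown -R $app: "$final_path"` followed by `chown root: "$final_path"` as install does, so the chroot requirement on the home directory still holds. The `groupadd -f "$app"` / `usermod -g "$app" "$app"` lines look redundant once `ynh_system_user_create` owns the account; if they are kept for the legacy case the existing comment names, say which installs that covers.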
From: Alexandre Aubin Date: Wed, 17 Jun 2020 15:55:39 +0200 Subject: [PATCH 2/7] This is not how the regen conf works --- scripts/actions/sftp | 12 ++---------- 1 file changed, 2 insertions(+), 10 deletions(-) diff --git a/scripts/actions/sftp b/scripts/actions/sftp index 2b13b82..19981f6 100755 --- a/scripts/actions/sftp +++ b/scripts/actions/sftp @@ -43,27 +43,19 @@ then ynh_script_progression --message="Configuring ssh to add a SFTP access..." --weight=3 cp -R conf/ssh_regenconf_hook /usr/share/yunohost/hooks/conf_regen/90-ssh_$app - ynh_replace_string --match_string="__APP__" --replace_string="$app" --target_file=/usr/share/yunohost/hooks/conf_regen/90-ssh_$app - yunohost tools regen-conf ssh else ynh_script_progression --message="Removing the custom ssh config for the SFTP access..." --weight=3 - sed -i "/##-> ${app}/,/##<- ${app}/d" /etc/ssh/sshd_config # Remove regen-conf hook ynh_secure_remove --file="/usr/share/yunohost/hooks/conf_regen/90-ssh_$app" fi +yunohost tools regen-conf ssh + # Update the config of the app ynh_app_setting_set --app=$app --key=with_sftp --value=$with_sftp -#================================================= -# RELOAD SSH -#================================================= -ynh_script_progression --message="Reloading SSH..." - -ynh_systemd_action --service_name=ssh --action=reload - #================================================= # END OF SCRIPT #================================================= From 3e34a7e69d8c12a5d9b899c787ec7461f881fdf8 Mon Sep 17 00:00:00 2001 From: Alexandre Aubin Date: Wed, 17 Jun 2020 16:08:05 +0200 Subject: [PATCH 3/7] Replace username in original index.html --- scripts/install | 1 + sources/www/index.html | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/scripts/install b/scripts/install index 19cb9e1..464c781 100644 --- a/scripts/install +++ b/scripts/install 
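Review bot: In the else branch of the sftp action, disabling SFTP now removes only the regen-conf hook, so the `Match User $app` block (ChrootDirectory, ForceCommand internal-sftp, no forwarding) disappears from sshd_config while the account keeps the password set at install or through the config panel. Whether the account then remains reachable over SSH without the chroot depends on its shell and on the global sshd settings, which this hunk cannot show; a cheap guarantee is to lock the password when access is disabled, `usermod -L "$app"` in the else branch and `usermod -U "$app"` in the then branch (the config script only re-runs chpasswd when no password was stored yet, so an unlock is needed on re-enable). Running `yunohost tools regen-conf ssh` once after the if is the right place; a comment such as `# regen-conf adds or removes the Match block from the hook, replacing the earlier sed and ssh reload` would explain why those lines went away.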
@@ -129,6 +129,7 @@ mkdir -p "$final_path/www" if [ $with_sftp -eq 1 ] then ynh_replace_string --match_string="__DOMAIN__" --replace_string="$domain" --target_file=../sources/www/index.html + ynh_replace_string --match_string="__APP__" --replace_string="$app" --target_file=../sources/www/index.html # Copy files to the right place cp "../sources/www/index.html" "$final_path/www/index.html" diff --git a/sources/www/index.html b/sources/www/index.html index 051a429..b4dd3ea 100644 --- a/sources/www/index.html +++ b/sources/www/index.html @@ -20,7 +20,7 @@
Port
22 (or the port you defined if you change the ssh port)
User
-
__USER__
+
__APP__
Password
the one you set at installation
From 421888d1377f99f5965b5e6465256948b4fe21d0 Mon Sep 17 00:00:00 2001 From: Alexandre Aubin Date: Wed, 17 Jun 2020 16:09:30 +0200 Subject: [PATCH 4/7] Password strength is to be enforced by the core --- config_panel.toml | 2 +- scripts/config | 14 +++----------- scripts/install | 9 --------- 3 files changed, 4 insertions(+), 21 deletions(-) diff --git a/config_panel.toml b/config_panel.toml index 3ce3d75..bcaceb1 100644 --- a/config_panel.toml +++ b/config_panel.toml @@ -13,7 +13,7 @@ name = "My webapp configuration" default = true [main.sftp.password] - ask = "Set a password for the SFTP access. ≥ 5 character" + ask = "Set a password for the SFTP access" type = "password" optional = true help = "If a password already exist, it will not be replaced." diff --git a/scripts/config b/scripts/config index b1024be..ebdadf8 100644 --- a/scripts/config +++ b/scripts/config @@ -119,17 +119,9 @@ apply_config() { # Change the password only if none was already set for the user if [ $is_password_exist -eq 0 ] && [ $with_sftp -eq 1 ] then - # Check password strength - if [ ${#password} -le 5 ] - then - ynh_print_err --message="The password is too weak, it must be longer than 5 characters." - # Disable the sftp access, as the password is incorrect - yunohost app action run $app sftp --args with_sftp=0 - else - # Add the password to the user - chpasswd <<< "${app}:${password}" - ynh_app_setting_set --app=$app --key=password --value="$password" - fi + # Add the password to the user + chpasswd <<< "${app}:${password}" + ynh_app_setting_set --app=$app --key=password --value="$password" fi fi diff --git a/scripts/install b/scripts/install index 464c781..3400ecb 100644 --- a/scripts/install +++ b/scripts/install 
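Review bot: With the length check gone from `apply_config`, `chpasswd <<< "${app}:${password}"` runs with whatever the config panel supplied, and `[main.sftp.password]` is `optional = true` in the same patch, so an empty `$password` presumably reaches chpasswd and sets an empty password on the SFTP account before being stored in the `password` setting; the removed branch used to disable SFTP instead. Even if the core validates strength for non-empty input, guard the empty case here: `[ -n "$password" ] || ynh_die --message="A password is required when SFTP access is enabled"`. The install hunk at @@ -39 removes the same check; whether an empty value can arrive there depends on the manifest's argument definition, which is not in this series, so the same guard belongs there unless the argument is mandatory. Storing the clear-text password in the app settings predates this change; if it is kept so that restore can re-apply it, a comment saying so at the `ynh_app_setting_set` line would help.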
@@ -39,15 +39,6 @@ ynh_script_progression --message="Validating installation parameters..." --weigh final_path=/var/www/$app test ! -e "$final_path" || ynh_die --message="This path already contains a folder" -if [ $with_sftp -eq 1 ] -then - # Check password strength - if [ ${#password} -le 5 ] - then - ynh_die --message="The password is too weak, it must be longer than 5 characters" - fi -fi - # Register (book) web path ynh_webpath_register --app=$app --domain=$domain --path_url=$path_url From 1dca10235328296fe41d6682f927253644e32ecd Mon Sep 17 00:00:00 2001 From: Alexandre Aubin Date: Wed, 17 Jun 2020 16:13:09 +0200 Subject: [PATCH 5/7] Public/private is handled by the core using the group permission system --- actions.toml | 15 ------- config_panel.toml | 9 ----- scripts/actions/public_private | 74 ---------------------------------- scripts/config | 15 ------- 4 files changed, 113 deletions(-) delete mode 100755 scripts/actions/public_private diff --git a/actions.toml b/actions.toml index 39f826b..b5f8859 100644 --- a/actions.toml +++ b/actions.toml @@ -13,21 +13,6 @@ description = "Enable or disable the sftp access." ask = "Do you need a SFTP access?" default = true -[public_private] -name = "Move to public or private" -command = "/bin/bash scripts/actions/public_private" -# user = "root" # optional -# cwd = "/" # optional -# accepted_return_codes = [0, 1, 2, 3] # optional -accepted_return_codes = [0] -description = "Change the public access of the app." - - [public_private.arguments] - [public_private.arguments.is_public] - type = "boolean" - ask = "Is it a public app ?" - default = true - [create_database] name = "Create a database" command = "/bin/bash scripts/actions/create_database" diff --git a/config_panel.toml b/config_panel.toml index bcaceb1..f5e1e86 100644 --- a/config_panel.toml +++ b/config_panel.toml 
@@ -18,15 +18,6 @@ name = "My webapp configuration" optional = true help = "If a password already exist, it will not be replaced." - [main.is_public] - name = "Public access" - - [main.is_public.is_public] - ask = "Is it a public website ?" - type = "boolean" - default = true - - [main.overwrite_files] name = "Overwriting config files" diff --git a/scripts/actions/public_private b/scripts/actions/public_private deleted file mode 100755 index 778a6a3..0000000 --- a/scripts/actions/public_private +++ /dev/null 
@@ -1,74 +0,0 @@ -#!/bin/bash - -#================================================= -# GENERIC STARTING -#================================================= -# IMPORT GENERIC HELPERS -#================================================= - -source scripts/_common.sh -source /usr/share/yunohost/helpers - -#================================================= -# RETRIEVE ARGUMENTS -#================================================= - -# Get is_public -is_public=${YNH_ACTION_IS_PUBLIC} - -app=${YNH_APP_INSTANCE_NAME:-$YNH_APP_ID} - -#================================================= -# CHECK IF ARGUMENTS ARE CORRECT -#================================================= - -#================================================= -# CHECK IF AN ACTION HAS TO BE DONE -#================================================= - -is_public_old=$(ynh_app_setting_get --app=$app --key=is_public) - -if [ $is_public -eq $is_public_old ] -then - ynh_die --message="is_public is already set as $is_public." --ret_code=0 -fi - -#================================================= -# SPECIFIC ACTION -#================================================= -# MOVE TO PUBLIC OR PRIVATE -#================================================= - -if [ $is_public -eq 0 ]; then - public_private="private" -else - public_private="public" -fi -ynh_script_progression --message="Moving the application to $public_private..." --weight=3 - -if [ $is_public -eq 0 ] -then - ynh_app_setting_delete --app=$app --key=skipped_uris -else - ynh_app_setting_set --app=$app --key=skipped_uris --value="/" -fi - -ynh_script_progression --message="Upgrading SSOwat configuration..." -# Regen ssowat configuration -yunohost app ssowatconf - -# Update the config of the app -ynh_app_setting_set --app=$app --key=is_public --value=$is_public - -#================================================= -# RELOAD NGINX -#================================================= -ynh_script_progression --message="Reloading nginx web server..." 
- -ynh_systemd_action --service_name=nginx --action=reload - -#================================================= -# END OF SCRIPT -#================================================= - -ynh_script_progression --message="Execution completed" --last diff --git a/scripts/config b/scripts/config index ebdadf8..2a14858 100644 --- a/scripts/config +++ b/scripts/config @@ -45,11 +45,6 @@ else fi -# is_public -old_is_public="$(ynh_app_setting_get --app=$app --key=is_public)" -is_public="${YNH_CONFIG_MAIN_IS_PUBLIC_IS_PUBLIC:-$old_is_public}" - - # Overwrite nginx configuration old_overwrite_nginx="$(ynh_app_setting_get --app=$app --key=overwrite_nginx)" overwrite_nginx="${YNH_CONFIG_MAIN_OVERWRITE_FILES_OVERWRITE_NGINX:-$old_overwrite_nginx}" @@ -88,8 +83,6 @@ show_config() { ynh_return "YNH_CONFIG_MAIN_SFTP_SFTP=$with_sftp" # ynh_return "YNH_CONFIG_MAIN_SFTP_PASSWORD=$password" - ynh_return "YNH_CONFIG_MAIN_IS_PUBLIC_IS_PUBLIC=$is_public" - ynh_return "YNH_CONFIG_MAIN_PHP_FPM_CONFIG_FOOTPRINT=$fpm_footprint" ynh_return "YNH_CONFIG_MAIN_PHP_FPM_CONFIG_FREE_FOOTPRINT=$free_footprint" ynh_return "YNH_CONFIG_MAIN_PHP_FPM_CONFIG_USAGE=$fpm_usage" @@ -100,14 +93,6 @@ show_config() { #================================================= apply_config() { - # Change public accessibility - if [ "$is_public" = "1" ] - then - yunohost app action run $app public_private --args is_public=1 - else - yunohost app action run $app public_private --args is_public=0 - fi - #================================================= # REMOVE OR ADD SFTP ACCESS #================================================= From 2d4e6f42ed9ad42db761f0807c2cef3796e514c6 Mon Sep 17 00:00:00 2001 From: Alexandre Aubin Date: Wed, 17 Jun 2020 16:36:55 +0200 Subject: [PATCH 6/7] Jessie is ded --- README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/README.md b/README.md index 0c9fb39..bc54d29 100644 --- a/README.md +++ b/README.md 
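Review bot: Removing the public/private toggle from `apply_config` leaves any `skipped_uris="/"` that the deleted `scripts/actions/public_private` wrote on existing instances in place, and nothing in this series clears that setting or the `is_public` value that install still stores (patch 1, @@ -56) and upgrade still normalizes (context of patch 7). If the core's permission system is now authoritative, an upgrade step such as `ynh_app_setting_delete --app=$app --key=skipped_uris`, guarded by a check that the setting exists, keeps an instance from staying unconditionally public through the old mechanism; I cannot see whether a core migration already handles this. A short comment in `apply_config` noting that public access is managed by the core's group permissions would also tell the next maintainer why the branch is gone.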
@@ -40,7 +40,6 @@ of your custom Web application inside. * x86-64b - [![Build Status](https://ci-apps.yunohost.org/ci/logs/my_webapp%20%28Apps%29.svg)](https://ci-apps.yunohost.org/ci/apps/my_webapp/) * ARMv8-A - [![Build Status](https://ci-apps-arm.yunohost.org/ci/logs/my_webapp%20%28Apps%29.svg)](https://ci-apps-arm.yunohost.org/ci/apps/my_webapp/) -* Jessie x86-64b - [![Build Status](https://ci-stretch.nohost.me/ci/logs/my_webapp%20%28Apps%29.svg)](https://ci-stretch.nohost.me/ci/apps/my_webapp/) ## Limitations From 4aaac5bef210d58b7c95d2abbc9ec29156cc314d Mon Sep 17 00:00:00 2001 From: Alexandre Aubin Date: Wed, 17 Jun 2020 17:15:16 +0200 Subject: [PATCH 7/7] Delete old user during upgrade --- scripts/upgrade | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/scripts/upgrade b/scripts/upgrade index 76023a6..f2c9caf 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -52,6 +52,13 @@ elif [ "$is_public" = "No" ]; then is_public=0 fi +# Delete old user +if [ -n "$(ynh_app_setting_get --app=$app --key=user)" ] +then + ynh_system_user_delete --username="$(ynh_app_setting_get --app=$app --key=user)" + ynh_app_setting_delete --app=$app --key=user +fi + # If db_name doesn't exist, create it if [ -z "$db_name" ]; then db_name=$(ynh_sanitize_dbid --db_name=$app)
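Review bot: The old account is deleted near line 52 of the upgrade script, before `ynh_system_user_create --username=$app` runs later in the same script (patch 1, @@ -149), and no re-ownership of `$final_path` is visible in any upgrade hunk, so files owned by the removed `webapp<N>` user presumably end up with a dangling UID until something re-owns them. Read the setting once instead of twice, `old_user=$(ynh_app_setting_get --app=$app --key=user)`, and after the new account exists re-own the tree as install does: `chown -R $app: "$final_path"` then `chown root: "$final_path"`. A comment such as `# Legacy installs used a separate webapp<N> account; the app id is now the Unix user` would explain the block to a reader who has not seen patch 1.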