From 9484e1dec8be1082554b7da7a3625182bdda5761 Mon Sep 17 00:00:00 2001 From: ericgaspar Date: Mon, 22 Mar 2021 19:33:07 +0100 Subject: [PATCH] Secure config file --- README.md | 2 +- README_fr.md | 2 +- scripts/install | 41 ++++++++++++++++++++++++----------------- scripts/restore | 18 ++++++++++-------- scripts/upgrade | 40 +++++++++++++++++++++++----------------- 5 files changed, 59 insertions(+), 44 deletions(-) diff --git a/README.md b/README.md index 3b88944..13bd61e 100644 --- a/README.md +++ b/README.md @@ -28,7 +28,7 @@ You can extend - or even override - the Roundcube configuration which is coming ## Documentation * Official documentation: https://github.com/roundcube/roundcubemail/wiki - * YunoHost documentation: https://github.com/YunoHost/doc/blob/master/app_roundcube.md: + * YunoHost documentation: https://yunohost.org/en/app_roundcube ## YunoHost specific features diff --git a/README_fr.md b/README_fr.md index 3d0a039..7849826 100644 --- a/README_fr.md +++ b/README_fr.md @@ -28,7 +28,7 @@ Vous pouvez étendre (ou même remplacer) la configuration de Roundcube fournie ## Documentation * Documentation officielle : https://github.com/roundcube/roundcubemail/wiki - * Documentation YunoHost : https://github.com/YunoHost/doc/blob/master/app_roundcube.md: + * Documentation YunoHost : https://yunohost.org/fr/app_roundcube ## Caractéristiques spécifiques YunoHost diff --git a/scripts/install b/scripts/install index 87491bd..cac6f1c 100644 --- a/scripts/install +++ b/scripts/install 
@@ -61,6 +61,14 @@ db_name=$(ynh_sanitize_dbid --db_name=$app) ynh_app_setting_set --app=$app --key=db_name --value=$db_name ynh_mysql_setup_db --db_user=$db_name --db_name=$db_name +#================================================= +# CREATE DEDICATED USER +#================================================= +ynh_script_progression --message="Configuring system user..." --weight=3 + +# Create a system user +ynh_system_user_create --username=$app --home_dir="$final_path" + #================================================= # DOWNLOAD, CHECK AND UNPACK SOURCE #================================================= @@ -78,14 +86,6 @@ ynh_script_progression --message="Configuring NGINX web server..." --weight=2 # Create a dedicated NGINX config ynh_add_nginx_config -#================================================= -# CREATE DEDICATED USER -#================================================= -ynh_script_progression --message="Configuring system user..." --weight=3 - -# Create a system user -ynh_system_user_create --username=$app - #================================================= # PHP-FPM CONFIGURATION #================================================= 
@@ -121,15 +121,19 @@ ynh_mysql_connect_as --user="$db_name" --password="$db_pwd" --database="$db_name #================================================= ynh_script_progression --message="Configuring Roundcube..." -rc_conf="$final_path/config/config.inc.php" +#rc_conf="$final_path/config/config.inc.php" -cp ../conf/config.inc.php "$rc_conf" +deskey=$(ynh_string_random --length=24) -ynh_replace_string --match_string="__DESKEY__" --replace_string="$(ynh_string_random --length=24)" --target_file="$rc_conf" -ynh_replace_string --match_string="__DB_USER__" --replace_string="$db_name" --target_file="$rc_conf" -ynh_replace_string --match_string="__DB_PWD__" --replace_string="$db_pwd" --target_file="$rc_conf" -ynh_replace_string --match_string="__DB_NAME__" --replace_string="$db_name" --target_file="$rc_conf" -ynh_replace_string --match_string="__LANGUAGE__" --replace_string="$language" --target_file="$rc_conf" +# cp ../conf/config.inc.php "$rc_conf" + +# ynh_replace_string --match_string="__DESKEY__" --replace_string="$(ynh_string_random --length=24)" --target_file="$rc_conf" +# ynh_replace_string --match_string="__DB_USER__" --replace_string="$db_name" --target_file="$rc_conf" +# ynh_replace_string --match_string="__DB_PWD__" --replace_string="$db_pwd" --target_file="$rc_conf" +# ynh_replace_string --match_string="__DB_NAME__" --replace_string="$db_name" --target_file="$rc_conf" +# ynh_replace_string --match_string="__LANGUAGE__" --replace_string="$language" --target_file="$rc_conf" + +ynh_add_config --template="../conf/config.inc.php" --destination="$final_path/config/config.inc.php" #================================================= # INSTALL ADDITIONAL PLUGINS 
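Review bot: The `ynh_add_config` call at the end of the hunk has no `db_user` variable to back the `__DB_USER__` placeholder, while the removed `ynh_replace_string` line shows the template carries that placeholder and used to receive `$db_name`, and conf/config.inc.php is not in this commit's diffstat. If, as I believe, the helper resolves each `__NAME__` from the same-named lowercase shell variable and aborts on an unset one, the install stops here; set `db_user=$db_name` next to `deskey=$(ynh_string_random --length=24)` (or rename the placeholder to `__DB_NAME__` in the template). The six commented-out `cp`/`ynh_replace_string` lines and `#rc_conf=` are dead code now that the helper renders the file and should be deleted rather than kept, and `rc_conf="$final_path/config/config.inc.php"` is worth keeping defined since the same literal path is now spelled out in the later hunks. A short why-comment above `deskey=` would help: `# 24-char random key rendered as __DESKEY__; Roundcube uses it as des_key`.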
@@ -204,14 +208,14 @@ fi #================================================= ynh_script_progression --message="Updating Roundcube configuration..." --weight=3 -ynh_replace_string --match_string="^\s*// installed plugins" --replace_string="&\n $installed_plugins" --target_file="$rc_conf" +ynh_replace_string --match_string="^\s*// installed plugins" --replace_string="&\n $installed_plugins" --target_file="$final_path/config/config.inc.php" # Update javascript dependencies (cd "$final_path" /usr/bin/php -q ./bin/install-jsdeps.sh) # Store the config file checksum into the app settings -ynh_store_file_checksum --file="$rc_conf" +ynh_store_file_checksum --file="$final_path/config/config.inc.php" #================================================= # GENERIC FINALIZATION @@ -224,6 +228,9 @@ chown -R root: "$final_path" mkdir -p "$final_path/plugins/enigma/home" chown -R $app: "$final_path/"{temp,logs,plugins/enigma/home} +chmod 600 "$final_path/config/config.inc.php" +chown $app:$app "$final_path/some_config_file" + #================================================= # RELOAD NGINX #================================================= diff --git a/scripts/restore b/scripts/restore index a7cd2b5..a105622 100644 --- a/scripts/restore +++ b/scripts/restore @@ -46,6 +46,13 @@ test ! -d $final_path \ #================================================= ynh_restore_file --origin_path="/etc/nginx/conf.d/$domain.d/$app.conf" +#================================================= +# RECREATE THE DEDICATED USER +#================================================= +ynh_script_progression --message="Recreating the dedicated system user..." --weight=4 + +# Create the dedicated user (if not existing) +ynh_system_user_create --username=$app --home_dir="$final_path" #================================================= # RESTORE THE APP MAIN DIR 
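Review bot: In the `@@ -224` hunk the added `chmod 600` runs after the `chown -R root: "$final_path"` named in the hunk header, so config.inc.php ends up root:root 0600 and the PHP-FPM pool for this app (presumably running as `$app`, which is only given `temp`, `logs` and `plugins/enigma/home`) can no longer read the DB password and des_key it needs. The following `chown $app:$app "$final_path/some_config_file"` reads like an unedited template placeholder: nothing in the script creates such a file, and with errexit active (the `ynh_abort_if_errors` these scripts use, visible in the upgrade script) the failed chown aborts the install. Replace the two lines with `chown root:$app "$final_path/config/config.inc.php"` and `chmod 640 "$final_path/config/config.inc.php"`, which keeps the secrets unreadable to other users while the app user retains read access, and document the intent: `# config holds the DB password and des_key: root-owned, group-readable by the app user only`.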
@@ -54,14 +61,6 @@ ynh_script_progression --message="Restoring $app main directory..." ynh_restore_file --origin_path="$final_path" -#================================================= -# RECREATE THE DEDICATED USER -#================================================= -ynh_script_progression --message="Recreating the dedicated system user..." --weight=4 - -# Create the dedicated user (if not existing) -ynh_system_user_create --username=$app - #================================================= # RESTORE USER RIGHTS #================================================= @@ -71,6 +70,9 @@ chown -R root: "$final_path" mkdir -p "$final_path/plugins/enigma/home" chown -R $app: "$final_path/"{temp,logs,plugins/enigma/home} +chmod 600 "$final_path/config/config.inc.php" +chown $app:$app "$final_path/some_config_file" + #================================================= # RESTORE THE PHP-FPM CONFIGURATION #================================================= diff --git a/scripts/upgrade b/scripts/upgrade index b6cf121..5d93a7f 100644 --- a/scripts/upgrade +++ b/scripts/upgrade @@ -91,6 +91,14 @@ ynh_clean_setup () { # Exit if an error occurs during the execution of the script ynh_abort_if_errors +#================================================= +# CREATE DEDICATED USER +#================================================= +ynh_script_progression --message="Making sure dedicated system user exists..." + +# Create a dedicated user (if not existing) +ynh_system_user_create --username=$app --home_dir="$final_path" + #================================================= # STANDARD UPGRADE STEPS #================================================= 
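Review bot: The `@@ -71` restore hunk leaves config.inc.php root:root 0600: `chown -R root: "$final_path"` in the hunk header precedes the added `chmod 600`, and the only paths handed to `$app` are `temp`, `logs` and `plugins/enigma/home`, so a freshly restored instance cannot read its own configuration. `chown $app:$app "$final_path/some_config_file"` targets a file the restore never creates (the name looks like a leftover placeholder) and will fail the restore as soon as a non-zero exit is fatal. Use `chown root:$app "$final_path/config/config.inc.php"` and `chmod 640 "$final_path/config/config.inc.php"` here too, with a comment such as `# re-tighten config perms on restore; the archive's mode is not trusted`.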
@@ -116,14 +124,6 @@ ynh_script_progression --message="Upgrading NGINX web server configuration..." # Create a dedicated NGINX config ynh_add_nginx_config -#================================================= -# CREATE DEDICATED USER -#================================================= -ynh_script_progression --message="Making sure dedicated system user exists..." - -# Create a dedicated user (if not existing) -ynh_system_user_create --username=$app - #================================================= # PHP-FPM CONFIGURATION #================================================= 
@@ -145,15 +145,18 @@ then rc_conf="$final_path/config/config.inc.php" # Verify the checksum and backup the file if it's different - ynh_backup_if_checksum_is_different "$rc_conf" + # ynh_backup_if_checksum_is_different "$rc_conf" - cp ../conf/config.inc.php "$rc_conf" + # cp ../conf/config.inc.php "$rc_conf" - ynh_replace_string --match_string="__DESKEY__" --replace_string="$(ynh_string_random --length=24)" --target_file="$rc_conf" - ynh_replace_string --match_string="__DB_USER__" --replace_string="$db_name" --target_file="$rc_conf" - ynh_replace_string --match_string="__DB_PWD__" --replace_string="$db_pwd" --target_file="$rc_conf" - ynh_replace_string --match_string="__DB_NAME__" --replace_string="$db_name" --target_file="$rc_conf" - ynh_replace_string --match_string="__LANGUAGE__" --replace_string="$language" --target_file="$rc_conf" + # ynh_replace_string --match_string="__DESKEY__" --replace_string="$(ynh_string_random --length=24)" --target_file="$rc_conf" + # ynh_replace_string --match_string="__DB_USER__" --replace_string="$db_name" --target_file="$rc_conf" + # ynh_replace_string --match_string="__DB_PWD__" --replace_string="$db_pwd" --target_file="$rc_conf" + # ynh_replace_string --match_string="__DB_NAME__" --replace_string="$db_name" --target_file="$rc_conf" + # ynh_replace_string --match_string="__LANGUAGE__" --replace_string="$language" --target_file="$rc_conf" + + deskey=$(ynh_string_random --length=24) + ynh_add_config --template="../conf/config.inc.php" --destination="$final_path/config/config.inc.php" #================================================= # UPDATE DEPENDENCIES WITH COMPOSER 
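Review bot: `ynh_add_config` here gets a fresh `deskey` but no `db_user`, while the removed line shows the template still expects `__DB_USER__` (conf/ is not touched by this commit), so the DB username placeholder is no longer filled from `$db_name` as the old `ynh_replace_string` did; add `db_user=$db_name` beside `deskey=`. Regenerating `deskey` on every upgrade rotates Roundcube's des_key; if that key protects anything persisted across runs this should instead be read back from the existing config or an app setting — worth confirming against Roundcube's use of des_key before keeping it. `ynh_backup_if_checksum_is_different "$rc_conf"` is now commented out, so unless ynh_add_config performs that backup itself an admin-edited config is overwritten silently; verify that or keep the call, and delete the commented-out block rather than leaving it. The enclosing `if … then` starts before this hunk.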
@@ -245,14 +248,14 @@ then #================================================= ynh_script_progression --message="Updating $app configuration..." --weight=4 - ynh_replace_string --match_string="^\s*// installed plugins" --replace_string="&\n $installed_plugins" --target_file="$rc_conf" + ynh_replace_string --match_string="^\s*// installed plugins" --replace_string="&\n $installed_plugins" --target_file="$final_path/config/config.inc.php" # Update JavaScript dependencies (cd "$final_path" /usr/bin/php -q ./bin/install-jsdeps.sh) # Store the config file checksum into the app settings - ynh_store_file_checksum --file="$rc_conf" + ynh_store_file_checksum --file="$final_path/config/config.inc.php" #================================================= # UPDATE ROUNDCUBE CORE @@ -274,6 +277,9 @@ chown -R root: "$final_path" mkdir -p "$final_path/plugins/enigma/home" chown -R $app: "$final_path/"{temp,logs,plugins/enigma/home} +chmod 600 "$final_path/config/config.inc.php" +chown $app:$app "$final_path/some_config_file" + #================================================= # RELOAD NGINX #=================================================
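Review bot: The `@@ -274` hunk has the same permission defect as install and restore: after the header's `chown -R root: "$final_path"`, the added `chmod 600` leaves config.inc.php root:root 0600 and unreadable by the `$app` PHP-FPM pool, and `chown $app:$app "$final_path/some_config_file"` names a file nothing in the script creates, so the upgrade fails on that line under the `ynh_abort_if_errors` set earlier in this script. Use `chown root:$app "$final_path/config/config.inc.php"` and `chmod 640 "$final_path/config/config.inc.php"` instead. In the `@@ -245` hunk a one-line comment above `ynh_store_file_checksum`, `# checksum taken after the plugin list is injected into the rendered config`, would explain why it is stored here and not at render time.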