diff --git a/check_process b/check_process
index 53881e3..2145e14 100644
--- a/check_process
+++ b/check_process
@@ -3,21 +3,20 @@
 # Commentaire ignoré
 ; Manifest
 domain="$DOMAIN" (DOMAIN)
- path="$PATH" (PATH)
 is_public=1 (PUBLIC|public=1|private=0)
 ; Checks
 pkg_linter=1
 setup_sub_dir=1
- setup_root=1
- setup_nourl=0
+ setup_root=0
+ setup_nourl=1
 setup_private=1
 setup_public=1
 upgrade=1
 backup_restore=1
 multi_instance=0
- wrong_user=1
- wrong_path=1
- incorrect_path=1
+ wrong_user=0
+ wrong_path=2
+ incorrect_path=0
 corrupt_source=1
 fail_download_source=1
 port_already_use=1 (8008)
diff --git a/scripts/_common.sh b/scripts/_common.sh
index 46f7cda..8c45ee6 100755
--- a/scripts/_common.sh
+++ b/scripts/_common.sh
@@ -50,13 +50,53 @@ GET_DEBIAN_VERSION() {
 }
 enable_backport_repos() {
- if [[ -z "$(grep -e "^deb .*/.* $debian_version-backports main" /etc/apt/sources.list ; grep -e "^deb .*/.* $debian_version-backports main" /etc/apt/sources.list.d/*)" ]]
+ if [[ -z "$(grep -e "^deb .*/.* $debian_version-backports main" /etc/apt/sources.list ; grep -e "^deb .*/.* $debian_version-backports main" /etc/apt/sources.list.d/*.list)" ]]
 then
 echo "deb $(grep -m 1 "^deb .* $debian_version .*main" /etc/apt/sources.list | cut -d ' ' -f2) $debian_version-backports main contrib non-free" | sudo tee -a "/etc/apt/sources.list"
 fi
 ynh_package_update
 }
+set_access() { # example : set_access USER FILE
+user="$1"
+file_to_set="$2"
+while [[ 0 ]]
+do
+ path_to_set=""
+ oldIFS="$IFS"
+ IFS="/"
+ for dirname in $file_to_set
+ do
+ if [[ -n "$dirname" ]]
+ then
+ sudo test -f "$path_to_set"/"$dirname" && sudo setfacl -m d:u:$user:r "$path_to_set"
+
+ path_to_set="$path_to_set/$dirname"
+
+ if $(sudo sudo -u $user test ! -r "$path_to_set")
+ then
+ sudo test -d "$path_to_set" && sudo setfacl -m user:$user:rx "$path_to_set"
+ sudo test -f "$path_to_set" && sudo setfacl -m user:$user:r "$path_to_set"
+ sudo test -L "$path_to_set" && sudo setfacl -m user:$user:r "$path_to_set"
+ fi
+ fi
+ done
+ IFS="$oldIFS"
+
+ if $(sudo test -L "$file_to_set")
+ then
+ if [[ -n "$(sudo readlink "$file_to_set" | grep -e "^/")" ]]
+ then
+ file_to_set=$(sudo readlink "$file_to_set") # If it is an absolute path
+ else
+ file_to_set=$(sudo realpath -s -m "$(echo "$file_to_set" | cut -d'/' -f-$(echo "$file_to_set" | grep -o '/' | wc -l))/$(sudo readlink "$file_to_set")") # If it is an relative path (we get with realpath the absolute path)
+ fi
+ else
+ break
+ fi
+done
+}
 CHECK_VAR () { # Vérifie que la variable n'est pas vide.
 # $1 = Variable à vérifier
 # $2 = Texte à afficher en cas d'erreur
diff --git a/scripts/install b/scripts/install
index 89c401d..7f674cd 100644
--- a/scripts/install
+++ b/scripts/install
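Review bot: `if $(sudo sudo -u $user test ! -r "$path_to_set")` and `if $(sudo test -L "$file_to_set")` run the test inside a command substitution and then execute its (empty) output, which only works because bash reuses the substitution's exit status when the expanded command is empty; write them as `if ! sudo -u "$user" test -r "$path_to_set"` and `if sudo test -L "$file_to_set"` (the doubled `sudo sudo` is redundant). The walk also grants more than reading the file requires: every intermediate directory the account cannot read gets `user:$user:rx` although `x` alone lets it reach the file and `r` additionally lets it list `/etc/yunohost` and its siblings, `test ! -r` is the wrong predicate for a directory (traverse is `x`, so a directory the account can already traverse but not list is escalated to `rx`), and `setfacl -m d:u:$user:r` on the certificate directory makes every file created there afterwards readable by the account rather than only the three the callers name — keep it only if renewed certificates are meant to be covered, and say so in a comment. `while [[ 0 ]]` is unconditionally true and the only exit is `break` when `$file_to_set` is not a symlink, so a link chain that loops back never terminates; a hop counter bounds it. `user`, `file_to_set`, `path_to_set`, `oldIFS` and `dirname` leak into the caller's scope and should be `local`, and `$user` should be quoted in the `setfacl` arguments. The rewrite below shows the conditions and the bound; the IFS split and the readlink/realpath resolution are unchanged.
```bash
set_access() { # example : set_access USER FILE
  local user="$1"
  local file_to_set="$2"
  local path_to_set oldIFS dirname
  local hops=0
  # Bounded instead of `while [[ 0 ]]`: a symlink chain that loops back would otherwise never reach `break`.
  while (( hops < 32 ))
  do
    # … unchanged: split $file_to_set on "/" and walk its components into $path_to_set …
      # A directory only needs traverse (x) for the file beneath it to be reachable;
      # r would additionally let the account list it.
      if sudo test -d "$path_to_set"
      then
        sudo -u "$user" test -x "$path_to_set" || sudo setfacl -m "user:$user:x" "$path_to_set"
      elif ! sudo -u "$user" test -r "$path_to_set"
      then
        sudo setfacl -m "user:$user:r" "$path_to_set"
      fi
    # … unchanged: restore IFS …
    sudo test -L "$file_to_set" || break
    hops=$((hops + 1))
    # … unchanged: resolve the link target (absolute or relative) into $file_to_set …
  done
}
```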
@@ -99,13 +99,13 @@ sudo sed -i "s@__DOMAIN__@$domain@g" /etc/turnserver.conf
 sudo sed -i "s@__TLS_PORT__@$turnserver_tls_port@g" /etc/turnserver.conf
 # Configure access for certificates
-sudo setfacl -m user:matrix-synapse:r /etc/yunohost/certs/$domain/crt.pem
-sudo setfacl -m user:matrix-synapse:r /etc/yunohost/certs/$domain/key.pem
-sudo setfacl -m user:matrix-synapse:r /etc/yunohost/certs/$domain/dh.pem
+set_access matrix-synapse /etc/yunohost/certs/$domain/crt.pem
+set_access matrix-synapse /etc/yunohost/certs/$domain/key.pem
+set_access matrix-synapse /etc/yunohost/certs/$domain/dh.pem
-sudo setfacl -m user:turnserver:r /etc/yunohost/certs/$domain/crt.pem
-sudo setfacl -m user:turnserver:r /etc/yunohost/certs/$domain/key.pem
-sudo setfacl -m user:turnserver:r /etc/yunohost/certs/$domain/dh.pem
+set_access turnserver /etc/yunohost/certs/$domain/crt.pem
+set_access turnserver /etc/yunohost/certs/$domain/key.pem
+set_access turnserver /etc/yunohost/certs/$domain/dh.pem
 # Configuration de logrotate
 sed -i "s@__APP__@$app@g" ../conf/logrotate
diff --git a/scripts/restore b/scripts/restore
index 21cf499..128f7ab 100644
--- a/scripts/restore
+++ b/scripts/restore
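Review bot: The six `set_access` calls discard the function's exit status, and set_access itself ends on `break`/`fi`, so a failing `setfacl` inside it (or a `$user` that `sudo -u` cannot switch to) goes unnoticed here and would presumably only surface later when the services try to load the TLS material; after the calls, assert the post-condition the block exists for, e.g. `sudo -u matrix-synapse test -r "/etc/yunohost/certs/$domain/key.pem" || exit 1` and the same for turnserver. `$domain` is unquoted in every path argument, as it was in the replaced lines; quoting it costs nothing. The identical calls added to scripts/restore and scripts/upgrade in this commit have the same two gaps.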
@@ -66,6 +66,45 @@ enable_backport_repos() {
 ynh_package_update
 }
+set_access() { # example : set_access USER FILE
+user="$1"
+file_to_set="$2"
+while [[ 0 ]]
+do
+ path_to_set=""
+ oldIFS="$IFS"
+ IFS="/"
+ for dirname in $file_to_set
+ do
+ if [[ -n "$dirname" ]]
+ then
+ sudo test -f "$path_to_set"/"$dirname" && sudo setfacl -m d:u:$user:r "$path_to_set"
+
+ path_to_set="$path_to_set/$dirname"
+
+ if $(sudo sudo -u $user test ! -r "$path_to_set")
+ then
+ sudo test -d "$path_to_set" && sudo setfacl -m user:$user:rx "$path_to_set"
+ sudo test -f "$path_to_set" && sudo setfacl -m user:$user:r "$path_to_set"
+ fi
+ fi
+ done
+ IFS="$oldIFS"
+
+ if $(sudo test -L "$file_to_set")
+ then
+ if [[ -n "$(sudo readlink "$file_to_set" | grep -e "^/")" ]]
+ then
+ file_to_set=$(sudo readlink "$file_to_set") # If it is an absolute path
+ else
+ file_to_set=$(sudo realpath -s -m "$(echo "$file_to_set" | cut -d'/' -f-$(echo "$file_to_set" | grep -o '/' | wc -l))/$(sudo readlink "$file_to_set")") # If it is an relative path (we get with realpath the absolute path)
+ fi
+ else
+ break
+ fi
+done
+}
 CHECK_VAR () { # Vérifie que la variable n'est pas vide.
 # $1 = Variable à vérifier
 # $2 = Texte à afficher en cas d'erreur
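Review bot: This copy of `set_access` is not the same as the one added to scripts/_common.sh in this commit: its inner `if` lacks the `sudo test -L "$path_to_set" && sudo setfacl -m user:$user:r "$path_to_set"` line, so a path component that is a symlink to something other than a regular file or directory (a dangling link, for instance) is treated differently on restore than on install. If restore cannot source _common.sh, keep the two definitions byte-identical and mark the copy, e.g. `# Copy of set_access from scripts/_common.sh — keep both in sync`. The remarks that apply to the _common.sh version (command substitutions used as `if` conditions, `rx` granted on intermediate directories where `x` suffices, the default ACL on the certificate directory, the unbounded `while [[ 0 ]]`, missing `local`) apply here unchanged.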
@@ -201,13 +240,13 @@ sudo cp -a ./coturn_config_default "/etc/default/coturn"
 sudo cp -a ./data/. "/var/lib/matrix-synapse/."
 # Configure access for certificates
-sudo setfacl -m user:matrix-synapse:r /etc/yunohost/certs/$domain/crt.pem
-sudo setfacl -m user:matrix-synapse:r /etc/yunohost/certs/$domain/key.pem
-sudo setfacl -m user:matrix-synapse:r /etc/yunohost/certs/$domain/dh.pem
+set_access matrix-synapse /etc/yunohost/certs/$domain/crt.pem
+set_access matrix-synapse /etc/yunohost/certs/$domain/key.pem
+set_access matrix-synapse /etc/yunohost/certs/$domain/dh.pem
-sudo setfacl -m user:turnserver:r /etc/yunohost/certs/$domain/crt.pem
-sudo setfacl -m user:turnserver:r /etc/yunohost/certs/$domain/key.pem
-sudo setfacl -m user:turnserver:r /etc/yunohost/certs/$domain/dh.pem
+set_access turnserver /etc/yunohost/certs/$domain/crt.pem
+set_access turnserver /etc/yunohost/certs/$domain/key.pem
+set_access turnserver /etc/yunohost/certs/$domain/dh.pem
 # Ouvre le port dans le firewall
 sudo yunohost firewall allow --no-upnp TCP $synapse_tls_port > /dev/null 2>&1
diff --git a/scripts/upgrade b/scripts/upgrade
index f8b8dec..27e402c 100644
--- a/scripts/upgrade
+++ b/scripts/upgrade
@@ -37,6 +37,15 @@ sudo sed -i "s@__TLS_PORT__@$synapse_tls_port@g" /etc/matrix-synapse/homeserver.
 sudo sed -i "s@__TURNSERVER_TLS_PORT__@$turnserver_tls_port@g" /etc/matrix-synapse/homeserver.yaml
 sudo sed -i "s@__TURNPWD__@$turnserver_pwd@g" /etc/matrix-synapse/homeserver.yaml
+# Configure access for certificates
+set_access matrix-synapse /etc/yunohost/certs/$domain/crt.pem
+set_access matrix-synapse /etc/yunohost/certs/$domain/key.pem
+set_access matrix-synapse /etc/yunohost/certs/$domain/dh.pem
+
+set_access turnserver /etc/yunohost/certs/$domain/crt.pem
+set_access turnserver /etc/yunohost/certs/$domain/key.pem
+set_access turnserver /etc/yunohost/certs/$domain/dh.pem
+
 if [ "$is_public" = "0" ]
 then
 sudo sed -i "s@__ALLOWED_ACCESS__@False@g" /etc/matrix-synapse/homeserver.yaml
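Review bot: `set_access` is defined in scripts/_common.sh and copied into scripts/restore, but nothing in this scripts/upgrade hunk shows the function being brought into scope; if upgrade does not source _common.sh before line 37, the six new calls fail with "command not found" and, unless the script runs under `set -e`, the upgrade proceeds with the certificate permissions untouched. Confirm the `source` line exists above this hunk or add it alongside the calls. As in scripts/install, `$domain` is unquoted in each path and the calls' exit status is never checked.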