From 6958ea3b0fa227b48e74fd608e00f74ef2615a86 Mon Sep 17 00:00:00 2001
From: Alexandre Aubin
Date: Sat, 3 Feb 2024 20:00:13 +0100
Subject: [PATCH] regenconf: more factorizing in yunohost hook

---
 hooks/conf_regen/01-yunohost | 76 ++++++++++++++++++++----------------
 1 file changed, 42 insertions(+), 34 deletions(-)

diff --git a/hooks/conf_regen/01-yunohost b/hooks/conf_regen/01-yunohost
index e60dd5be0..c4db1455f 100755
--- a/hooks/conf_regen/01-yunohost
+++ b/hooks/conf_regen/01-yunohost
@@ -24,6 +24,8 @@ base_folder_and_perm_init() {
     # Portal folders #
     ##################
 
+    getent passwd ynh-portal &>/dev/null || useradd --no-create-home --shell /usr/sbin/nologin --system --user-group ynh-portal
+
     mkdir -p /etc/yunohost/portal
     chmod 500 /etc/yunohost/portal
     chown ynh-portal:ynh-portal /etc/yunohost/portal
@@ -36,9 +38,9 @@ base_folder_and_perm_init() {
     chown ynh-portal:root /var/log/yunohost-portalapi.log
     chmod 600 /var/log/yunohost-portalapi.log
 
-    ###################
-    # Sessions folder #
-    ###################
+    ###############################
+    # Sessions folder and secrets #
+    ###############################
 
     # Portal
     mkdir -p /var/cache/yunohost-portal/sessions
@@ -52,6 +54,24 @@ base_folder_and_perm_init() {
     chown root:root /var/cache/yunohost/sessions
     chmod 700 /var/cache/yunohost/sessions
 
+    if test -e /etc/yunohost/installed
+    then
+        # Initialize session secrets
+        # Obviously we only do this in the post_regen, ie during the postinstall, because we don't want every pre-installed instance to have the same secret
+        if [ ! -e /etc/yunohost/.admin_cookie_secret ]; then
+            dd if=/dev/urandom bs=1 count=1000 2>/dev/null | tr --complement --delete 'A-Za-z0-9' | head -c 64 > /etc/yunohost/.admin_cookie_secret
+        fi
+        chown root:root /etc/yunohost/.admin_cookie_secret
+        chmod 400 /etc/yunohost/.admin_cookie_secret
+
+        if [ ! -e /etc/yunohost/.ssowat_cookie_secret ]; then
+            # NB: we need this to be exactly 32 char long, because it is later used as a key for AES256
+            dd if=/dev/urandom bs=1 count=1000 2>/dev/null | tr --complement --delete 'A-Za-z0-9' | head -c 32 > /etc/yunohost/.ssowat_cookie_secret
+        fi
+        chown ynh-portal:root /etc/yunohost/.ssowat_cookie_secret
+        chmod 400 /etc/yunohost/.ssowat_cookie_secret
+    fi
+
     ##################
     # Domain folders #
     ##################
@@ -93,7 +113,16 @@ base_folder_and_perm_init() {
     mkdir -p /home/yunohost.backup/archives
     chmod 770 /home/yunohost.backup
     chmod 770 /home/yunohost.backup/archives
-    chown root:root /home/yunohost.backup/archives # This is later changed to root:admins once the admins group exists
+
+    if test -e /etc/yunohost/installed
+    then
+        # The admins group only exist after the postinstall
+        chown root:admins /home/yunohost.backup
+        chown root:admins /home/yunohost.backup/archives
+    else
+        chown root:root /home/yunohost.backup
+        chown root:root /home/yunohost.backup/archives
+    fi
 
     ########
     # Misc #
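Review bot: The two secret files in the `if test -e /etc/yunohost/installed` block are created by the shell redirection with the process umask and only tightened to mode 400 on the following lines, so with a typical umask the freshly written secret is briefly readable by other local users; running the pipeline under a restrictive umask closes that window, e.g. `( umask 077; dd if=/dev/urandom bs=1 count=1000 2>/dev/null | tr --complement --delete 'A-Za-z0-9' | head -c 64 > /etc/yunohost/.admin_cookie_secret )`, and likewise for the `.ssowat_cookie_secret` line. The `[ ! -e … ]` guards also accept an empty file left behind if the pipeline fails after the redirection has created it, which would then be kept as the cookie secret on every later regen; `[ ! -s … ]` would regenerate it instead. `head -c 32` only yields the 32 characters the comment requires when the 1000 random bytes contain at least that many alphanumerics, which is very likely but not checked. base_folder_and_perm_init starts and ends outside this hunk.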
@@ -107,14 +136,21 @@ base_folder_and_perm_init() {
     chown root:root /var/cache/yunohost
     chmod 700 /var/cache/yunohost
 
+    [ ! -e /var/www/.well-known/ynh-diagnosis/ ] || chmod 775 /var/www/.well-known/ynh-diagnosis/
+
+    if test -e /etc/yunohost/installed
+    then
+        setfacl -m g:all_users:--- /var/www
+        setfacl -m g:all_users:--- /var/log/nginx
+        setfacl -m g:all_users:--- /etc/yunohost
+        setfacl -m g:all_users:--- /etc/ssowat
+    fi
 }
 
 do_init_regen() {
     cd /usr/share/yunohost/conf/yunohost
 
-    getent passwd ynh-portal &>/dev/null || useradd --no-create-home --shell /usr/sbin/nologin --system --user-group ynh-portal
-
     base_folder_and_perm_init
 
     # Empty ssowat json persistent conf
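Review bot: The `if test -e /etc/yunohost/installed` / newline `then` form used here differs from the `if [ … ]; then` form the same function uses for the secret-file checks, and the same marker test is now repeated in three places of base_folder_and_perm_init (this hunk and the two hunks before it); writing it once as `if [ -e /etc/yunohost/installed ]; then` in each spot, or computing the flag once at the top of the function, would keep the style uniform and make the post-install-only blocks easier to spot. The setfacl results are not checked, so if ACLs are unsupported on one of those paths the deny entry for all_users is silently skipped; whether the hook runs under `set -e` is not visible here. do_init_regen begins in this hunk and continues past it.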
@@ -258,37 +294,9 @@ EOF
 do_post_regen() {
     regen_conf_files=$1
 
-    # Initialize session secrets
-    # Obviously we only do this in the post_regen, ie during the postinstall, because we don't want every pre-installed instance to have the same secret
-    if [ ! -e /etc/yunohost/.admin_cookie_secret ]; then
-        dd if=/dev/urandom bs=1 count=1000 2>/dev/null | tr --complement --delete 'A-Za-z0-9' | head -c 64 > /etc/yunohost/.admin_cookie_secret
-    fi
-    chown root:root /etc/yunohost/.admin_cookie_secret
-    chmod 400 /etc/yunohost/.admin_cookie_secret
-
-    getent passwd ynh-portal &>/dev/null || useradd --no-create-home --shell /usr/sbin/nologin --system --user-group ynh-portal
-    if [ ! -e /etc/yunohost/.ssowat_cookie_secret ]; then
-        # NB: we need this to be exactly 32 char long, because it is later used as a key for AES256
-        dd if=/dev/urandom bs=1 count=1000 2>/dev/null | tr --complement --delete 'A-Za-z0-9' | head -c 32 > /etc/yunohost/.ssowat_cookie_secret
-    fi
-    chown ynh-portal:root /etc/yunohost/.ssowat_cookie_secret
-    chmod 400 /etc/yunohost/.ssowat_cookie_secret
-
     # Re-mkdir / apply permission to all basic folders etc
     base_folder_and_perm_init
 
-    # Only doing this once postinstall is done such that the admins group exist
-    chown root:admins /home/yunohost.backup
-    chown root:admins /home/yunohost.backup/archives
-
-    # Same here, all_users only exist after posinstall
-    setfacl -m g:all_users:--- /var/www
-    setfacl -m g:all_users:--- /var/log/nginx
-    setfacl -m g:all_users:--- /etc/yunohost
-    setfacl -m g:all_users:--- /etc/ssowat
-
-    [ ! -e /var/www/.well-known/ynh-diagnosis/ ] || chmod 775 /var/www/.well-known/ynh-diagnosis/
-
     # Legacy log tree structure
     if [ ! -e /var/log/yunohost/operations ] && [ -d /var/log/yunohost/categories/operation ] && [ ! -L /var/log/yunohost/categories/operation ]
     then