YunoHost/yunohost
1
0
Fork 0
mirror of https://github.com/YunoHost/yunohost.git synced 2024-09-03 20:06:10 +02:00
Code Issues Projects Releases Packages Wiki Activity

Merge pull request #963 from YunoHost/enforce-permissions-in-etc-yunhost

Browse source 
[fix] Enforce permissions for stuff in /etc/yunohost/
This commit is contained in:
Alexandre Aubin 2020-05-08 04:15:10 +02:00 committed by GitHub
commit ba709be534
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 28 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

25
data/hooks/conf_regen/01-yunohost
View file

@ -65,6 +65,30 @@ EOF
}
do_post_regen() {
regen_conf_files=$1
######################
# Enfore permissions #
######################
# Certs
# We do this with find because there could be a lot of them...
chown -R root:ssl-cert /etc/yunohost/certs
chmod 750 /etc/yunohost/certs
find /etc/yunohost/certs/ -type f -exec chmod 640 {} \;
find /etc/yunohost/certs/ -type d -exec chmod 750 {} \;
# Misc configuration / state files
chown root:root $(ls /etc/yunohost/{*.yml,*.yaml,*.json,mysql,psql} 2>/dev/null)
chmod 600 $(ls /etc/yunohost/{*.yml,*.yaml,*.json,mysql,psql} 2>/dev/null)
# Apps folder, custom hooks folder
[[ ! -e /etc/yunohost/hooks.d ]] || (chown root /etc/yunohost/hooks.d && chmod 700 /etc/yunohost/hooks.d)
[[ ! -e /etc/yunohost/apps ]] || (chown root /etc/yunohost/apps && chmod 700 /etc/yunohost/apps)
}
_update_services() {
python2 - << EOF
import yaml
@ -132,6 +156,7 @@ case "$1" in
do_pre_regen $4
;;
post)
do_post_regen $4
;;
init)
do_init_regen

3
data/hooks/conf_regen/06-slapd
View file

@ -82,9 +82,6 @@ do_post_regen() {
chown root:openldap /etc/ldap/slapd.conf
chown -R openldap:openldap /etc/ldap/schema/
chown -R openldap:openldap /etc/ldap/slapd.d/
chown -R root:ssl-cert /etc/yunohost/certs/yunohost.org/
chmod o-rwx /etc/yunohost/certs/yunohost.org/
chmod -R g+rx /etc/yunohost/certs/yunohost.org/
# If we changed the systemd ynh-override conf
if echo "$regen_conf_files" | sed 's/,/\n/g' | grep -q "^/etc/systemd/system/slapd.service.d/ynh-override.conf$"

3
data/hooks/conf_regen/12-metronome
View file

@ -57,6 +57,9 @@ do_post_regen() {
done
# fix some permissions
# metronome should be in ssl-cert group to let it access SSL certificates
usermod -aG ssl-cert metronome
chown -R metronome: /var/lib/metronome/
chown -R metronome: /etc/metronome/conf.d/