Ian Eiloart / Sympl
Commit 3368a32b, authored Jun 09, 2019 by Paul Cammish
Initial version of sympl-file-security
parent 7bb76ae0
Changes: 6
common/debian/control
@@ -10,7 +10,7 @@ XS-Ruby-Versions: all
Package: sympl-common
Architecture: all
XB-Ruby-Versions: ${ruby:Versions}
Depends: ruby | ruby-interpreter, ruby-json-jwt, ruby-password, ruby-diffy, ruby-erubis, ruby-mocha, ruby-webmock, ruby-test-unit, ruby-faraday, gnutls-bin, gcc, openssl, sudo, adduser, ssl-cert, debconf-utils, ${misc:Depends}
Depends: ruby | ruby-interpreter, ruby-json-jwt, ruby-password, ruby-diffy, ruby-erubis, ruby-mocha, ruby-webmock, ruby-test-unit, ruby-faraday, gnutls-bin, gcc, openssl, sudo, adduser, ssl-cert, debconf-utils,
acl,
${misc:Depends}
Replaces: symbiosis-common
Conflicts: symbiosis-common
Provides: symbiosis-common
common/sbin/sympl-file-security
#!/bin/bash
# Fairly simple bash script to enforce filesystem permissions for sensitive
# directories used by Sympl.
#
# Copyright 2019, Paul Cammish <sympl@kelduum.net>
set
-e
if
[
"x
$1
"
==
"x"
]
;
then
echo
"E: A domain must be specified"
exit
1
fi
domain
=
"
$1
"
if
[
!
-d
"/srv/
${
domain
}
"
]
;
then
echo
"E:
${
domain
}
doesnt exist"
exit
1
fi
# Determine uid for public from config/public-user or default to 33 (www-data)
if
[
-f
"/srv/
${
domain
}
/config/public-user"
]
;
then
public_uid
=
"
$(
cat
"/srv/
${
domain
}
/config/public-user"
|
sed
's|#.*||'
|
head
-n
1 |
grep
.
)
"
if
id
-u
$uid
>
/dev/null 2&>1
;
then
public_uid
=
"
$(
id
-u
$public_uid
)
"
else
public_uid
=
33
fi
else
public_uid
=
33
fi
# Determine gid for public from config/public-group or default to 33 (www-data)
if
[
-f
"/srv/
${
domain
}
/config/public-group"
]
;
then
public_gid
=
"
$(
cat
"/srv/
${
domain
}
/config/public-group"
|
sed
's|#.*||'
|
head
-n
1 |
grep
.
)
"
if
id
-g
$gid
>
/dev/null 2&>1
;
then
public_gid
=
"
$(
id
-g
$public_gid
)
"
else
public_gid
=
33
fi
else
public_gid
=
33
fi
# Add sympl use to the public group if it's >= 1000 and not already in it
if
[
"
$public_gid
"
-ge
"1000"
]
&&
[
"
$(
id
-Gn
sympl |
tr
' '
'\n'
|
grep
-c
"^
$(
id
-gn
$public_gid
)
$"
)
"
==
"0"
]
;
then
# sympl is not in the $public_gid group, adding
usermod
-a
-G
$public_gid
sympl
fi
# Enforce permissions for /srv/example.org/public
find
"/srv/
${
domain
}
/public"
\(
-type
f
-o
-type
d
\)
\(
!
-uid
${
public_uid
}
-o
!
-gid
${
public_gid
}
\)
-exec
chown
${
public_uid
}
:
${
public_gid
}
{}
\;
setfacl
-R
-P
-d
-m
o::rwx
-m
g::rwx
-m
o::rx
"/srv/
$domain
/public"
# Enforce permissions for /srv/example.com/config - exim requires directory traversal (+x) as steps thorugh to the target.
find
"/srv/
${
domain
}
/config"
\(
-type
f
-o
-type
d
\)
\(
!
-user
sympl
-o
!
-group
sympl
\)
!
-path
'*ssl/sets*'
-exec
chown
sympl:sympl
{}
\;
find
"/srv/
${
domain
}
/config/ssl/sets"
\(
!
-user
sympl
-o
!
-group
ssl-cert
\)
-exec
chown
sympl:ssl-cert
{}
\;
find
"/srv/
$domain
/config"
\(
-type
f
-a
!
-perm
660
-exec
chmod
660
{}
\;
\)
-o
\(
-type
d
-a
!
-perm
2771
-exec
chmod
2771
{}
\;
\)
# Enforce permissions for mailboxes directory
# TODO: Need to confirm permissions for this
# Enforce permissions on /var/backups
find
"/etc/sympl"
"/var/backups"
!
-type
l
\(
!
-user
sympl
-o
!
-group
sympl
\)
-exec
chown
sympl:sympl
{}
\;
find
"/etc/sympl"
"/var/backups"
!
-type
l
!
-perm
o-rwx
\(
-type
f
-exec
chmod
660
{}
\;
-o
-type
d
-exec
chmod
770
{}
\;
\)
# Enforce permisions on /etc/sympl
find
"/etc/sympl"
"/var/backups"
!
-type
l
\(
!
-user
sympl
-o
!
-group
sympl
\)
-exec
chown
sympl:sympl
{}
\;
find
"/etc/sympl"
"/var/backups"
!
-type
l
!
-perm
o-w
\(
-type
f
-exec
chmod
664
{}
\;
-o
-type
d
-exec
chmod
775
{}
\;
\)
exit
0
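Review bot: the last two find passes undo the pass before them. The block commented "Enforce permissions on /var/backups" strips others and sets 660/770, but the block commented "Enforce permisions on /etc/sympl" runs over the same two paths ("/etc/sympl" "/var/backups") and re-chmods everything to 664/775, so backup files end up world-readable; give each block only the path its comment names. Further defects in the same file: both `id` probes redirect with `2&>1` instead of `2>&1` (as written, `2` is passed to `id` as an extra argument and both streams go to a file named `1` in the current directory), and they test `$uid` / `$gid` rather than `$public_uid` / `$public_gid`; `id -g $public_gid` and `id -gn $public_gid` expect a user name, not a group, so resolving the value from config/public-group needs `getent group`; under `set -e`, a config file containing only a comment makes the trailing `grep .` fail and aborts the script; the setfacl call passes `-m o::rwx` and then `-m o::rx`, where the first was presumably `u::rwx`; and `! -perm o-rwx` / `! -perm o-w` are exact-mode tests (find's symbolic modes start from 0, so `o-rwx` matches only mode 000), so selecting files that actually grant others access needs `-perm /o=rwx` and `-perm /o=w`. Comment typos: "use" for "user", "thorugh", "permisions".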
core/debian/control
@@ -30,7 +30,7 @@ Recommends: sympl-backup,
sympl-phpmyadmin,
sympl-dns,
sympl-webmail,
openssh-server
openssh-server
, nano, vim, htop, strace, wget, curl
Provides: bytemark-symbiosis
Conflicts: bytemark-symbiosis
Replaces: bytemark-symbiosis
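Review bot: the new packages are appended as `, nano, vim, htop, strace, wget, curl` on the line after openssh-server while every other entry in Recommends sits on its own line; keep one package per line so later diffs stay readable. Since Recommends are installed by default, it is also worth asking whether strace, a debugging tool, belongs in the default footprint of a hosting metapackage rather than being installed on demand.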
@@ -41,7 +41,8 @@ Description: Easy, complete, and Debian-friendly server administration system
Installing this package will completely configure your system for
the virtual hosting of multiple domains with:
.
* Webhosting
* Webhosting.
* MySQL/MariaDB.
* FTP hosting.
* Email hosting (and webmail).
core/debian/sympl-core.init
@@ -27,30 +27,13 @@ SCRIPTNAME=/etc/init.d/$NAME
# Depend on lsb-base (>= 3.0-6) to ensure that this file is present.
.
/lib/lsb/init-functions
# Allows us to use COLOURS!
if
log_use_fancy_output
;
then
B
=
"
$(
$TPUT
bold
)
"
M
=
"
$(
$TPUT
setaf 5
)
"
L
=
"
$(
$TPUT
setaf 4
)
"
Y
=
"
$(
$TPUT
setaf 3
)
"
W
=
"
$(
$TPUT
setaf 1
)
"
N
=
"
$(
$TPUT
op
)
"
U
=
"
$(
$TPUT
sgr0
)
"
else
B
=
''
L
=
''
Y
=
''
N
=
''
U
=
''
fi
case
"
$1
"
in
'start'
)
log_action_msg
"System configured with
$DESC
."
cat
<<
EOF
┌─────┐ v9.0
└─┐ │
└─┐ │
beta
┌─────────┐ ┌───┐ ┌───┐ ┌─────────────┐ ┌───────────┐ │ │
┌─┘ ┌───────┘ │ │ │ │ │ ┌─┐ ┌─┐ └─┐ │ ┌─────┐ └─┐ │ │
│ └─┐ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │
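Review bot: in the colour block, the else branch resets B, L, Y, N and U to '' but not M and W, so those two stay unset when log_use_fancy_output is false; harmless today, but it breaks under `set -u` and the fallback list should mirror the variables defined above it. The banner heredoc with its hard-coded "v9.0 beta" also appears verbatim in core/update-motd.d/00-sympl-banner; keep the version text in one place so a release bump cannot leave the two out of step.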
core/update-motd.d/00-sympl-banner
@@ -3,7 +3,7 @@
cat
<<
EOF
┌─────┐ v9.0
└─┐ │
└─┐ │
beta
┌─────────┐ ┌───┐ ┌───┐ ┌─────────────┐ ┌───────────┐ │ │
┌─┘ ┌───────┘ │ │ │ │ │ ┌─┐ ┌─┐ └─┐ │ ┌─────┐ └─┐ │ │
│ └─┐ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │
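Review bot: the "v9.0 beta" version string is embedded directly in this heredoc and duplicated in core/debian/sympl-core.init; sourcing it from a single variable or file would avoid the two banners drifting apart on the next version change.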
web/debian/sympl-web.links
usr/sbin/sympl-web-configure etc/cron.hourly/sympl-web-configure
usr/sbin/sympl-web-rotate-logs etc/cron.daily/sympl-web-rotate-logs
usr/share/sympl/ssl-hooks.d/sympl-web
i
etc/sympl/ssl-hooks.d/sympl-web
usr/share/sympl/ssl-hooks.d/sympl-web
etc/sympl/ssl-hooks.d/sympl-web
etc/php/7.0/conf.d/sympl-web.ini etc/php/7.0/apache2/conf.d/00-sympl-web.ini
usr/sbin/sympl-web-configure usr/sbin/symbiosis-httpd-configure
usr/sbin/sympl-web-rotate-logs usr/sbin/symbiosis-httpd-rotate-logs
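Review bot: the two ssl-hooks.d entries differ only by a stray `i` between the source and target paths of one of them; whichever side of the diff that line is on, a links entry with a bare `i` token is not a valid source/target pair and must not reach the committed file. The etc/php/7.0 paths are tied to a single PHP release, so this links file will need revisiting whenever the target Debian release ships a different PHP version.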