Fixes for sympl-test

5916161a · Paul Cammish · 3368a32b · 5916161a · 3368a32b · 5916161a
Commit 5916161a authored Jun 09, 2019 by Paul Cammish
--- a/common/debian/cron.d
+++ b/common/debian/cron.d
@@ -2,7 +2,7 @@
 # Check the security of various sensative directories, and fix where needed
 #

-@hourly root [ -x /usr/sbin/sympl-file-security ] && /usr/sbin/sympl-file-security --quiet
+@hourly root [ -x /usr/sbin/sympl-reset-permissions ] && /usr/sbin/sympl-reset-permissions


 #

--- a/common/sbin/sympl-file-security
+++ b/common/sbin/sympl-file-security
-#!/bin/bash
-# Fairly simple bash script to enforce filesystem permissions for sensitive
-# directories used by Sympl.
-#
-# Copyright 2019, Paul Cammish <sympl@kelduum.net>
-
-
-set -e
-
-if [ "x$1" == "x" ]; then
-  echo "E: A domain must be specified"
-  exit 1
-fi
-
-domain="$1"
-
-if [ ! -d "/srv/${domain}" ]; then
-
-  echo "E: ${domain} doesnt exist"
-  exit 1
-
-fi
-
-# Determine uid for public from config/public-user or default to 33 (www-data)
-
-if [ -f "/srv/${domain}/config/public-user" ]; then
-  public_uid="$( cat "/srv/${domain}/config/public-user" | sed 's|#.*||' | head -n 1 | grep . )"
-  if id -u $uid > /dev/null 2&>1 ; then
-    public_uid="$( id -u $public_uid )"
-  else
-    public_uid=33
-  fi
-else
-  public_uid=33
-fi
-
-# Determine gid for public from config/public-group or default to 33 (www-data)
-
-if [ -f "/srv/${domain}/config/public-group" ]; then
-  public_gid="$( cat "/srv/${domain}/config/public-group" | sed 's|#.*||' | head -n 1 | grep . )"
-  if id -g $gid > /dev/null 2&>1 ; then
-    public_gid="$( id -g $public_gid )"
-  else
-    public_gid=33
-  fi
-else
-  public_gid=33
-fi
-
-
-# Add sympl use to the public group if it's >= 1000 and not already in it
-
-if [ "$public_gid" -ge "1000" ] && [ "$(id -Gn sympl | tr ' ' '\n' | grep -c "^$( id -gn $public_gid )$" )" == "0" ]; then
-  # sympl is not in the $public_gid group, adding
-  usermod -a -G $public_gid sympl
-fi
-
-
-# Enforce permissions for /srv/example.org/public
-
-find "/srv/${domain}/public" \( -type f -o -type d \) \( ! -uid ${public_uid} -o ! -gid ${public_gid} \) -exec chown ${public_uid}:${public_gid} {} \;
-
-setfacl -R -P -d -m o::rwx -m g::rwx -m o::rx "/srv/$domain/public"
-
-
-# Enforce permissions for /srv/example.com/config - exim requires directory traversal (+x) as steps thorugh to the target.
-
-find "/srv/${domain}/config" \( -type f -o -type d \) \( ! -user sympl -o ! -group sympl \) ! -path '*ssl/sets*' -exec chown sympl:sympl {} \;
-
-find "/srv/${domain}/config/ssl/sets" \( ! -user sympl -o ! -group ssl-cert \) -exec chown sympl:ssl-cert {} \;
-
-find "/srv/$domain/config" \( -type f -a ! -perm 660 -exec chmod 660 {} \; \) -o \( -type d -a ! -perm 2771 -exec chmod 2771 {} \; \)
-
-
-# Enforce permissions for mailboxes directory
-
-# TODO: Need to confirm permissions for this
-
-
-# Enforce permissions on /var/backups
-
-find "/etc/sympl" "/var/backups" ! -type l \( ! -user sympl -o ! -group sympl \) -exec chown sympl:sympl {} \;
-
-find "/etc/sympl" "/var/backups" ! -type l ! -perm o-rwx \( -type f -exec chmod 660 {} \; -o -type d -exec chmod 770 {} \; \)
-
-
-# Enforce permisions on /etc/sympl
-
-find "/etc/sympl" "/var/backups" ! -type l \( ! -user sympl -o ! -group sympl \) -exec chown sympl:sympl {} \;
-
-find "/etc/sympl" "/var/backups" ! -type l ! -perm o-w \( -type f -exec chmod 664 {} \; -o -type d -exec chmod 775 {} \; \)
-
-
-exit 0
--- a/common/sbin/sympl-reset-permissions
+++ b/common/sbin/sympl-reset-permissions
+#!/bin/bash
+# Fairly simple bash script to enforce filesystem permissions for sensitive
+# directories used by Sympl.
+#
+# Copyright 2019, Paul Cammish <sympl@kelduum.net>
+
+
+set -e
+
+if [ -f /etc/sympl/do-not-secure ]; then exit 0; fi
+
+function secure_domain_dir()
+{
+
+  domain="$1"
+
+  if [ ! -d "${domain}" ]; then
+
+    echo "E: ${domain} doesnt exist"
+    exit 1
+
+  fi
+
+  if [ -d ${domain}/public ]; then
+
+    # Determine uid for public from config/public-user or default to 33 (www-data)
+
+    if [ -f "${domain}/config/public-user" ]; then
+      public_uid="$( cat "${domain}/config/public-user" | sed 's|#.*||' | head -n 1 | grep . )"
+      if id -u $uid > /dev/null 2&>1 ; then
+        public_uid="$( id -u $public_uid )"
+      else
+        public_uid=33
+      fi
+    else
+      public_uid=33
+    fi
+
+    # Determine gid for public from config/public-group or default to 33 (www-data)
+
+    if [ -f "${domain}/config/public-group" ]; then
+      public_gid="$( cat "${domain}/config/public-group" | sed 's|#.*||' | head -n 1 | grep . )"
+      if id -g $gid > /dev/null 2&>1 ; then
+        public_gid="$( id -g $public_gid )"
+      else
+        public_gid=33
+      fi
+    else
+      public_gid=33
+    fi
+
+
+    # Add sympl use to the public group if it's >= 1000 and not already in it
+ 
+    if [ "$public_gid" -ge "1000" ] && [ "$(id -Gn sympl | tr ' ' '\n' | grep -c "^$( id -gn $public_gid )$" )" == "0" ]; then
+      # sympl is not in the $public_gid group, adding
+      usermod -a -G $public_gid sympl
+    fi
+
+
+    # Enforce permissions for /srv/example.org/public
+
+    find "${domain}/public" \( -type f -o -type d \) \( ! -uid ${public_uid} -o ! -gid ${public_gid} \) -exec chown ${public_uid}:${public_gid} {} \;
+
+    setfacl -R -P -d -m o::rwx -m g::rwx -m o::rx "$domain/public"
+
+  fi
+
+
+  # Enforce permissions for /srv/example.com/config - exim requires directory traversal (+x) as steps thorugh to the target.
+
+  if [ -d ${domain}/config ]; then
+
+    find "${domain}/config" \( -type f -o -type d \) \( ! -user sympl -o ! -group sympl \) ! -path '*ssl/sets*' -exec chown sympl:sympl {} \;
+
+    find "${domain}/config/ssl/sets" \( ! -user sympl -o ! -group ssl-cert \) -exec chown sympl:ssl-cert {} \;
+
+    find "${domain}/config" \( -type f -a ! -perm 660 -exec chmod 660 {} \; \) -o \( -type d -a ! -perm 2771 -exec chmod 2771 {} \; \)
+
+  fi
+
+  # Enforce permissions for mailboxes directory
+  if [ -d ${domain}/mailboxes ]; then 
+
+    find "${domain}/mailboxes" \( -type f -o -type d \) \( ! -user sympl -o ! -group sympl \) -exec chown sympl:sympl {} \;
+
+    find "${domain}/mailboxes" \( -type f -a ! -perm 660 -exec chmod 600 {} \; \) -o \( -type d -a ! -perm 2700 -exec chmod 2700 {} \; \)
+
+  fi
+
+}
+
+# Enforce permissions on /var/backups
+
+if [ -d /var/backups ]; then
+
+  find "/var/backups" ! -type l \( ! -user sympl -o ! -group sympl \) -exec chown sympl:sympl {} \;
+
+  find "/var/backups" ! -type l ! -perm o-rwx \( -type f -exec chmod 660 {} \; -o -type d -exec chmod 770 {} \; \)
+
+fi
+
+# Enforce permisions on /etc/sympl
+
+if [ -d /etc/sympl ]; then
+
+  find "/etc/sympl" ! -type l ! -path '*/test.d/*' \( ! -user sympl -o ! -group sympl \) -exec chown sympl:sympl {} \;
+
+  find "/etc/sympl" ! -type l ! -path '*/test.d/*' ! -perm o-w \( -type f -exec chmod 664 {} \; -o -type d -exec chmod 775 {} \; \)
+
+fi
+
+for domain in $( find /srv -maxdepth 1 -mindepth 1 ! -type l -type d -print | grep -v '^/srv/\.' | grep '\.' ); do
+  if [ ! -f ${domain}/config/do-not-secure ]; then
+    secure_domain_dir ${domain}
+  fi
+done
+
+exit 0
--- a/phpmyadmin/test.d/tc_phpmyadmin.rb
+++ b/phpmyadmin/test.d/tc_phpmyadmin.rb
@@ -27,8 +27,8 @@ class TestPhpMyAdmin < Test::Unit::TestCase
  #  Fetch the admin password
  #
  def admin_passwd()
-    if ( File.exist?( "/root/mysql_admin_password" ) )
-      File.read("/root/mysql_admin_password").chomp
+    if ( File.exist?( "/home/sympl/mysql_password" ) )
+      File.read("/home/sympl/mysql_password").chomp
    else
      nil
    end
@@ -230,4 +230,4 @@ class TestPhpMyAdmin < Test::Unit::TestCase
  end


-end
\ No newline at end of file
+end