Commit 5916161a authored by Paul Cammish's avatar Paul Cammish

Fixes for sympl-test

parent 3368a32b
......@@ -2,7 +2,7 @@
# Check the security of various sensative directories, and fix where needed
#
@hourly root [ -x /usr/sbin/sympl-file-security ] && /usr/sbin/sympl-file-security --quiet
@hourly root [ -x /usr/sbin/sympl-reset-permissions ] && /usr/sbin/sympl-reset-permissions
#
......
#!/bin/bash
# Fairly simple bash script to enforce filesystem permissions for sensitive
# directories used by Sympl.
#
# Copyright 2019, Paul Cammish <sympl@kelduum.net>
set -e
if [ "x$1" == "x" ]; then
echo "E: A domain must be specified"
exit 1
fi
domain="$1"
if [ ! -d "/srv/${domain}" ]; then
echo "E: ${domain} doesnt exist"
exit 1
fi
# Determine uid for public from config/public-user or default to 33 (www-data)
if [ -f "/srv/${domain}/config/public-user" ]; then
public_uid="$( cat "/srv/${domain}/config/public-user" | sed 's|#.*||' | head -n 1 | grep . )"
if id -u $uid > /dev/null 2&>1 ; then
public_uid="$( id -u $public_uid )"
else
public_uid=33
fi
else
public_uid=33
fi
# Determine gid for public from config/public-group or default to 33 (www-data)
if [ -f "/srv/${domain}/config/public-group" ]; then
public_gid="$( cat "/srv/${domain}/config/public-group" | sed 's|#.*||' | head -n 1 | grep . )"
if id -g $gid > /dev/null 2&>1 ; then
public_gid="$( id -g $public_gid )"
else
public_gid=33
fi
else
public_gid=33
fi
# Add sympl use to the public group if it's >= 1000 and not already in it
if [ "$public_gid" -ge "1000" ] && [ "$(id -Gn sympl | tr ' ' '\n' | grep -c "^$( id -gn $public_gid )$" )" == "0" ]; then
# sympl is not in the $public_gid group, adding
usermod -a -G $public_gid sympl
fi
# Enforce permissions for /srv/example.org/public
find "/srv/${domain}/public" \( -type f -o -type d \) \( ! -uid ${public_uid} -o ! -gid ${public_gid} \) -exec chown ${public_uid}:${public_gid} {} \;
setfacl -R -P -d -m o::rwx -m g::rwx -m o::rx "/srv/$domain/public"
# Enforce permissions for /srv/example.com/config - exim requires directory traversal (+x) as steps thorugh to the target.
find "/srv/${domain}/config" \( -type f -o -type d \) \( ! -user sympl -o ! -group sympl \) ! -path '*ssl/sets*' -exec chown sympl:sympl {} \;
find "/srv/${domain}/config/ssl/sets" \( ! -user sympl -o ! -group ssl-cert \) -exec chown sympl:ssl-cert {} \;
find "/srv/$domain/config" \( -type f -a ! -perm 660 -exec chmod 660 {} \; \) -o \( -type d -a ! -perm 2771 -exec chmod 2771 {} \; \)
# Enforce permissions for mailboxes directory
# TODO: Need to confirm permissions for this
# Enforce permissions on /var/backups
find "/etc/sympl" "/var/backups" ! -type l \( ! -user sympl -o ! -group sympl \) -exec chown sympl:sympl {} \;
find "/etc/sympl" "/var/backups" ! -type l ! -perm o-rwx \( -type f -exec chmod 660 {} \; -o -type d -exec chmod 770 {} \; \)
# Enforce permisions on /etc/sympl
find "/etc/sympl" "/var/backups" ! -type l \( ! -user sympl -o ! -group sympl \) -exec chown sympl:sympl {} \;
find "/etc/sympl" "/var/backups" ! -type l ! -perm o-w \( -type f -exec chmod 664 {} \; -o -type d -exec chmod 775 {} \; \)
exit 0
#!/bin/bash
# Fairly simple bash script to enforce filesystem permissions for sensitive
# directories used by Sympl.
#
# Copyright 2019, Paul Cammish <sympl@kelduum.net>
set -e
if [ -f /etc/sympl/do-not-secure ]; then exit 0; fi
function secure_domain_dir()
{
domain="$1"
if [ ! -d "${domain}" ]; then
echo "E: ${domain} doesnt exist"
exit 1
fi
if [ -d ${domain}/public ]; then
# Determine uid for public from config/public-user or default to 33 (www-data)
if [ -f "${domain}/config/public-user" ]; then
public_uid="$( cat "${domain}/config/public-user" | sed 's|#.*||' | head -n 1 | grep . )"
if id -u $uid > /dev/null 2&>1 ; then
public_uid="$( id -u $public_uid )"
else
public_uid=33
fi
else
public_uid=33
fi
# Determine gid for public from config/public-group or default to 33 (www-data)
if [ -f "${domain}/config/public-group" ]; then
public_gid="$( cat "${domain}/config/public-group" | sed 's|#.*||' | head -n 1 | grep . )"
if id -g $gid > /dev/null 2&>1 ; then
public_gid="$( id -g $public_gid )"
else
public_gid=33
fi
else
public_gid=33
fi
# Add sympl use to the public group if it's >= 1000 and not already in it
if [ "$public_gid" -ge "1000" ] && [ "$(id -Gn sympl | tr ' ' '\n' | grep -c "^$( id -gn $public_gid )$" )" == "0" ]; then
# sympl is not in the $public_gid group, adding
usermod -a -G $public_gid sympl
fi
# Enforce permissions for /srv/example.org/public
find "${domain}/public" \( -type f -o -type d \) \( ! -uid ${public_uid} -o ! -gid ${public_gid} \) -exec chown ${public_uid}:${public_gid} {} \;
setfacl -R -P -d -m o::rwx -m g::rwx -m o::rx "$domain/public"
fi
# Enforce permissions for /srv/example.com/config - exim requires directory traversal (+x) as steps thorugh to the target.
if [ -d ${domain}/config ]; then
find "${domain}/config" \( -type f -o -type d \) \( ! -user sympl -o ! -group sympl \) ! -path '*ssl/sets*' -exec chown sympl:sympl {} \;
find "${domain}/config/ssl/sets" \( ! -user sympl -o ! -group ssl-cert \) -exec chown sympl:ssl-cert {} \;
find "${domain}/config" \( -type f -a ! -perm 660 -exec chmod 660 {} \; \) -o \( -type d -a ! -perm 2771 -exec chmod 2771 {} \; \)
fi
# Enforce permissions for mailboxes directory
if [ -d ${domain}/mailboxes ]; then
find "${domain}/mailboxes" \( -type f -o -type d \) \( ! -user sympl -o ! -group sympl \) -exec chown sympl:sympl {} \;
find "${domain}/mailboxes" \( -type f -a ! -perm 660 -exec chmod 600 {} \; \) -o \( -type d -a ! -perm 2700 -exec chmod 2700 {} \; \)
fi
}
# Enforce permissions on /var/backups
if [ -d /var/backups ]; then
find "/var/backups" ! -type l \( ! -user sympl -o ! -group sympl \) -exec chown sympl:sympl {} \;
find "/var/backups" ! -type l ! -perm o-rwx \( -type f -exec chmod 660 {} \; -o -type d -exec chmod 770 {} \; \)
fi
# Enforce permisions on /etc/sympl
if [ -d /etc/sympl ]; then
find "/etc/sympl" ! -type l ! -path '*/test.d/*' \( ! -user sympl -o ! -group sympl \) -exec chown sympl:sympl {} \;
find "/etc/sympl" ! -type l ! -path '*/test.d/*' ! -perm o-w \( -type f -exec chmod 664 {} \; -o -type d -exec chmod 775 {} \; \)
fi
for domain in $( find /srv -maxdepth 1 -mindepth 1 ! -type l -type d -print | grep -v '^/srv/\.' | grep '\.' ); do
if [ ! -f ${domain}/config/do-not-secure ]; then
secure_domain_dir ${domain}
fi
done
exit 0
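Review bot: The lookups in secure_domain_dir that are meant to validate config/public-user and config/public-group test the wrong variables: `id -u $uid` and `id -g $gid` use names that are never set in the visible script, and `2&>1` is not `2>&1` (bash reads it as an argument `2` followed by `&>1`, which writes to a file named `1`). The value read from a file in the domain's config directory therefore reaches `id -u $public_uid` unchecked, and under `set -e` a failing lookup there would presumably abort the hourly run for every remaining domain. The checks should read `if id -u "$public_uid" > /dev/null 2>&1 ; then` and, since `id -g` resolves a user rather than a group, `if getent group "$public_gid" > /dev/null 2>&1 ; then` followed by `public_gid="$( getent group "$public_gid" | cut -d: -f3 )"`. Because the script runs as root over a tree the public user can write to, using `chown -h` in the `-exec` clauses would also stop a path that is replaced by a symlink after find's type test from being followed.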
......@@ -27,8 +27,8 @@ class TestPhpMyAdmin < Test::Unit::TestCase
# Fetch the admin password
#
def admin_passwd()
if ( File.exist?( "/root/mysql_admin_password" ) )
File.read("/root/mysql_admin_password").chomp
if ( File.exist?( "/home/sympl/mysql_password" ) )
File.read("/home/sympl/mysql_password").chomp
else
nil
end
......@@ -230,4 +230,4 @@ class TestPhpMyAdmin < Test::Unit::TestCase
end
end
\ No newline at end of file
end
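Review bot: The path literal in admin_passwd (first hunk) is written twice, once in the `File.exist?` check and once in the `File.read`, so the two can drift apart the next time the location moves; a constant such as `MYSQL_PASSWORD_FILE = "/home/sympl/mysql_password"` used in both places avoids that. The method still returns nil silently when the file is missing, so callers outside this hunk may attempt a login with no password instead of failing with a clear message; that is worth confirming. Nothing visible in this commit sets or checks the mode of the credential file now that it lives under /home/sympl rather than /root, so an assertion that it is not group- or world-readable may be worth adding to the suite. The closing `end` of admin_passwd lies outside the hunk.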