Renamed 'admin' user to 'sympl', adjusted permission compatability

autotest/test.d/50-test-cli

@@ -19,13 +19,13 @@ ruby -e "ans='$ans'.sub(/^\{CRYPT\}/,'') ; exit '$pw'.crypt(ans) == ans"
 # Set the mailbox password using our newly encrypted password
 #
 echo "$ans" > /srv/$(hostname)/mailboxes/root/password
-chown admin.admin /srv/$(hostname)/mailboxes/root/password
+chown sympl.sympl /srv/$(hostname)/mailboxes/root/password
 
 #
 # Set the FTP password
 #
 echo "$ans" > /srv/$(hostname)/config/ftp-password
-chown admin.admin /srv/$(hostname)/config/ftp-password
+chown sympl.sympl /srv/$(hostname)/config/ftp-password
 
 #
 # This just returns the IP address

autotest/test.d/99-mysql_backup

@@ -20,8 +20,8 @@ esac
 
 ERRORCOUNT=0
 
-declare -r MYSQL_USER="admin"
-declare -r MYSQL_PASS="$(head -n 1 /root/mysql_admin_password)"
+declare -r MYSQL_USER="sympl"
+declare -r MYSQL_PASS="$(head -n 1 /home/sympl/mysql_password)"
 declare -r MYSQL_DATABASE="sympl_test_$(printf "d\\303\\242tabase")_$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)"
 declare -r MYSQL_DUMP_SCRIPT="/etc/symbiosis/backup.d/pre-backup.d/10-dump-mysql"
 declare -r MYSQL_DUMP_PATH="/var/backups/mysql"
@@ -156,4 +156,4 @@ main
 
 _echo "D: Exiting $ERRORCOUNT"
 
-exit $ERRORCOUNT
\ No newline at end of file
+exit $ERRORCOUNT

backup/backup.d/conf.d/10-directories.conf

@@ -6,7 +6,7 @@
 # List of directories to make backups of.  /var/backups/mysql is included here
 # such that versioned database backups are kept.
 #
-SRCLIST=(/etc /root /srv /home /usr/local /var/mail /var/lib /var/spool/cron /var/backups/mysql /var/backups/postgresql)
+SRCLIST=(/etc /root /srv /home /usr/local /var/mail /var/lib /var/spool/cron /var/backups/mysql)
 
 # The following expression specifies the files not to be archived.
 #
@@ -16,7 +16,7 @@ SRCLIST=(/etc /root /srv /home /usr/local /var/mail /var/lib /var/spool/cron /va
 # Exclude mysql binary dirs, as these are dumped to /var/backups/mysql before
 # the backup.  Also exclude php5 session files.
 #
-SKIPCOND=(-path "*.nobackup*" -o -name "*.o" -o '(' -path '/var/lib/mysql' -o -path '/var/lib/php5' -o -path '/var/lib/postgresql' ')' -prune )
+SKIPCOND=(-path "*.nobackup*" -o -name "*.o" -o '(' -path '/var/lib/mysql' -o -path '/var/lib/php5' )' -prune )
 
 ##################################################
 # Destination

backup/debian/changelog

+sympl-backup (9.0.190609.0) stable; urgency=medium
+
+  * Updated backup paths
+
+ -- Paul Cammish <sympl@kelduum.net>  Sun, 09 Jun 2019 00:53:13 +0100
+
 sympl-backup (9.0.190604.0) stable; urgency=medium
 
   * Replaced mentions of Symbiosis with Sympl.

common/debian/changelog

+sympl-common (9.0.190609.0) stable; urgency=medium
+
+  * Renamed admin user to sympl.
+  * Adjusted permissions to allow public/htdocs to be owned by www-data.
+  * Added sympl-file-permissions to enforce security.
+
+ -- Paul Cammish <sympl@kelduum.net>  Sun, 09 Jun 2019 00:53:13 +0100
+
 sympl-common (9.0.190604.0) stable; urgency=medium
 
   * Replaced mentions of Symbiosis with Sympl.

common/debian/cron.d

+#
+# Check the security of various sensative directories, and fix where needed
+#
+
+@hourly root [ -x /usr/sbin/sympl-file-security ] && /usr/sbin/sympl-file-security --quiet
+
+
 #
 #  Test the strength of user passwords.
 #

common/debian/postinst

@@ -24,30 +24,30 @@ fi
 shadowconfig on
 
 #
-#  If there isn't an admin account add it.
+#  If there isn't a Sympl account, add it.
 #
-if ( ! grep ^admin: /etc/passwd 2>/dev/null >/dev/null ); then
+if ( ! grep ^sympl: /etc/passwd 2>/dev/null >/dev/null ); then
 
-  echo "Adding 'admin' account"
-  adduser --home=/srv --shell=/bin/bash --no-create-home --disabled-login --gecos='Sympl Administrator,,,' admin
+  echo "Adding 'sympl' account"
+  adduser --home=/home/sympl --shell=/bin/bash --disabled-login --gecos='Sympl Administrator,,,' sympl
 
   #
-  #  Now set the password for admin to that used by root if it isn't there
+  #  Now set the password for Sympl to that used by root.
   #
-  usermod -p "$(grep root /etc/shadow | cut -f 2 -d :)" admin
+  usermod -p "$(grep root /etc/shadow | cut -f 2 -d :)" sympl
 
   #
-  #  If we have an adm group - which we should - add the admin user to it.
+  #  If we have an adm group - which we should - add the Sympl user to it.
   #
   if ( getent group adm >/dev/null ); then
-    adduser admin adm
+    adduser sympl adm
   fi
   
   #
-  #  Ensure the admin user is added to the www-data group too 
+  #  Ensure the Sympl user is added to the www-data group too 
   #
   if ( getent group www-data >/dev/null ); then
-    adduser admin www-data
+    adduser sympl www-data
   fi
 
 fi
@@ -56,7 +56,7 @@ fi
 # Add a stat override for the /srv directory.
 #
 if ( ! dpkg-statoverride --list /srv > /dev/null ) ; then
-  dpkg-statoverride --add --update admin admin 2755 /srv
+  dpkg-statoverride --add --update sympl sympl 2755 /srv
 fi
 
 #
@@ -88,7 +88,7 @@ if [ ! -e "/srv/$HOSTNAME" ] ; then
   mkdir -p /srv/$HOSTNAME/config
   mkdir -p /srv/$HOSTNAME/mailboxes/root
 
-  chown -R admin:admin /srv/$HOSTNAME
+  chown -R sympl:sympl /srv/$HOSTNAME
 fi
 
 #
@@ -143,6 +143,11 @@ if [ ! -e "/etc/ssl/ssl.key" ] &&
 
 fi
 
+# If sympl-permissions is in the path, run it.
+if [ "x$( which sympl-permissions )" != "x" ]; then
+  sympl-permissions --verbose
+fi
+
 #DEBHELPER#
 
 exit 0

common/debian/prerm

@@ -20,10 +20,10 @@ fi
 
 if [ "purge" = "$1" ] ; then
   #
-  # Remove admin account and group
+  # Remove sympl account and group
   #
-  if [ getent passwd admin >/dev/null 2>&1 ] ; then
-    deluser admin
+  if [ getent passwd sympl >/dev/null 2>&1 ] ; then
+    deluser sympl
   fi
 
   # We won't delete the SSL key/crt.
@@ -36,6 +36,7 @@ if [ "purge" = "$1" ] ; then
     chmod 0755 /srv
   fi
 
+  # If theres a symlink from /etc/symbiosis to /etc/sympl, remove it
   if [ "x$( readlink /etc/sympl )" == "x/etc/symbiosis" ]; then
     rm /etc/symbiosis
   fi

common/lib/symbiosis/domain.rb

@@ -139,15 +139,15 @@ module Symbiosis
         @gid = directory_stat.gid
       else
         #
-        # If this is a system proces, use the prefix owner, if poss, admin
+        # If this is a system proces, use the prefix owner, if poss, sympl
         # otherwise.
         #
         if Process.uid < 1000
           prefix_stat = File.stat(@prefix)
 
           if prefix_stat.uid < 1000
-            @uid = Etc.getpwnam("admin").uid
-            @gid = Etc.getpwnam("admin").gid
+            @uid = Etc.getpwnam("sympl").uid
+            @gid = Etc.getpwnam("sympl").gid
           else
             @uid = prefix_stat.uid
             @gid = prefix_stat.gid

common/lib/symbiosis/utils.rb

@@ -251,9 +251,11 @@ module Symbiosis
       parent_dir_stat = File.stat(parent_dir)
 
       #
-      # Refuse to write to directories owned by UIDs < 1000.
+      # Refuse to write to directories not owned UID 33 (www-data) or UID >= 1000
       #
-      raise ArgumentError, "Parent directory #{parent_dir} is owned by a system user." unless parent_dir_stat.uid >= 1000
+      if ( parent_dir_stat.uid < 1000 && parent_dir_stat.uid != 33 )
+        raise ArgumentError, "Parent directory #{parent_dir} is owned by a system user other than www-data."
+      end
 
 
       if false == value or value.nil?

common/sbin/sympl-file-security

+#!/bin/bash
+
+exit 0

common/sudoers.d/sympl

 #
-# This allows the Admin user sudo access.
+# This allows the Sympl user sudo access.
 #
-admin ALL = (ALL) ALL
+sympl ALL = (ALL) ALL

common/test.d/tc_utils.rb

@@ -10,7 +10,7 @@ class TestUtils < Test::Unit::TestCase
 
   def setup
     #
-    # The prefix has to be in a directory admin can read..
+    # The prefix has to be in a directory sympl can read..
     #
     @prefix = Dir.mktmpdir("srv","/tmp")
     @prefix.freeze

firewall/debian/changelog

+sympl-firewall (9.0.190609.0) stable; urgency=medium
+
+  * Renamed 'admin' user to 'sympl'
+
+ -- Paul Cammish <sympl@kelduum.net>  Sun, 09 Jun 2019 00:53:13 +0100
+
 sympl-firewall (9.0.190604.0) stable; urgency=medium
 
   * Replaced mentions of Symbiosis with Sympl.

firewall/debian/postinst

@@ -14,7 +14,7 @@ fi
 #
 PREFIX=/etc/sympl/firewall
 
-chown -R admin:admin $PREFIX
+chown -R sympl:sympl $PREFIX
 
 
 #DEBHELPER#

mail/debian/changelog

+sympl-common (9.0.190609.0) stable; urgency=medium
+
+  * Renamed admin user to sympl.
+
+ -- Paul Cammish <sympl@kelduum.net>  Sun, 09 Jun 2019 00:53:13 +0100
+
 sympl-mail (9.0.190605.0) stable; urgency=medium
 
   * Renamed package to sympl-mail

mail/exim4/sympl.d/20-routers/35-local-users-forward

@@ -4,7 +4,7 @@ local_users_forward:
   driver = redirect
   domains = $primary_hostname
   check_local_user
-  local_parts = ! root : ! admin
+  local_parts = ! root : ! sympl
   local_part_suffix = +*
   local_part_suffix_optional
   # Make sure the files exists to avoid awkward failures

mail/exim4/sympl.d/20-routers/36-local-users-forward-sieve

@@ -10,7 +10,7 @@ local_users_forward_sieve:
   # Set permissions for any actions we might take
   user  = $local_user_uid
   group = $local_user_gid
-  local_parts = ! root : ! admin
+  local_parts = ! root : ! sympl
   local_part_suffix = +*
   local_part_suffix_optional
   transport = dovecot_lda

mail/exim4/sympl.d/20-routers/37-local-users-vacation

@@ -4,7 +4,7 @@ local_users_vacation:
   driver = accept
   domains = $primary_hostname
   check_local_user
-  local_parts = ! root : ! admin
+  local_parts = ! root : ! sympl
   local_part_suffix = +*
   local_part_suffix_optional
   # This condition is mostly cribbed from the default value for

mail/exim4/sympl.d/20-routers/38-local-users-mailbox

@@ -4,7 +4,7 @@ local_users_mailbox:
   driver = redirect
   domains = $primary_hostname
   check_local_user
-  local_parts = ! root : ! admin
+  local_parts = ! root : ! sympl
   local_part_suffix = +*
   local_part_suffix_optional
   data  = ${home}/Maildir/${if eqi{$h_X-Spam-Status:}{spam}{.Spam/}{}}