Commit 5d3c64e0 authored by Paul Cammish

Renamed 'admin' user to 'sympl', adjusted permission compatibility

parent 22051148
...@@ -19,13 +19,13 @@ ruby -e "ans='$ans'.sub(/^\{CRYPT\}/,'') ; exit '$pw'.crypt(ans) == ans" ...@@ -19,13 +19,13 @@ ruby -e "ans='$ans'.sub(/^\{CRYPT\}/,'') ; exit '$pw'.crypt(ans) == ans"
# Set the mailbox password using our newly encrypted password # Set the mailbox password using our newly encrypted password
# #
echo "$ans" > /srv/$(hostname)/mailboxes/root/password echo "$ans" > /srv/$(hostname)/mailboxes/root/password
chown admin.admin /srv/$(hostname)/mailboxes/root/password chown sympl.sympl /srv/$(hostname)/mailboxes/root/password
# #
# Set the FTP password # Set the FTP password
# #
echo "$ans" > /srv/$(hostname)/config/ftp-password echo "$ans" > /srv/$(hostname)/config/ftp-password
chown admin.admin /srv/$(hostname)/config/ftp-password chown sympl.sympl /srv/$(hostname)/config/ftp-password
# #
# This just returns the IP address # This just returns the IP address
...@@ -20,8 +20,8 @@ esac ...@@ -20,8 +20,8 @@ esac
ERRORCOUNT=0 ERRORCOUNT=0
declare -r MYSQL_USER="admin" declare -r MYSQL_USER="sympl"
declare -r MYSQL_PASS="$(head -n 1 /root/mysql_admin_password)" declare -r MYSQL_PASS="$(head -n 1 /home/sympl/mysql_password)"
declare -r MYSQL_DATABASE="sympl_test_$(printf "d\\303\\242tabase")_$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)" declare -r MYSQL_DATABASE="sympl_test_$(printf "d\\303\\242tabase")_$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)"
declare -r MYSQL_DUMP_SCRIPT="/etc/symbiosis/backup.d/pre-backup.d/10-dump-mysql" declare -r MYSQL_DUMP_SCRIPT="/etc/symbiosis/backup.d/pre-backup.d/10-dump-mysql"
declare -r MYSQL_DUMP_PATH="/var/backups/mysql" declare -r MYSQL_DUMP_PATH="/var/backups/mysql"
...@@ -156,4 +156,4 @@ main ...@@ -156,4 +156,4 @@ main
_echo "D: Exiting $ERRORCOUNT" _echo "D: Exiting $ERRORCOUNT"
exit $ERRORCOUNT exit $ERRORCOUNT
\ No newline at end of file
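Review bot: The MySQL credential is now read from `/home/sympl/mysql_password` (the MYSQL_PASS line), which sits in a home directory that the sympl-common postinst in this commit lets adduser create with its default directory mode, so the secret no longer inherits the protection that `/root` gave `/root/mysql_admin_password`; the file itself must be 0600 and owned by sympl, and this test is a natural place to check it, e.g. `[ "$(stat -c '%a %U' /home/sympl/mysql_password)" = "600 sympl" ] || ERRORCOUNT=$((ERRORCOUNT+1))`. `head -n 1` on a missing file also leaves MYSQL_PASS empty with only a stderr message, so the run then fails with a misleading MySQL auth error; a guard like `[ -r /home/sympl/mysql_password ] || { _echo "E: no mysql password file"; exit 1; }` before the declare fails it clearly. The code that writes the password file is not in this diff, so its actual mode cannot be confirmed here.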
...@@ -6,7 +6,7 @@ ...@@ -6,7 +6,7 @@
# List of directories to make backups of. /var/backups/mysql is included here # List of directories to make backups of. /var/backups/mysql is included here
# such that versioned database backups are kept. # such that versioned database backups are kept.
# #
SRCLIST=(/etc /root /srv /home /usr/local /var/mail /var/lib /var/spool/cron /var/backups/mysql /var/backups/postgresql) SRCLIST=(/etc /root /srv /home /usr/local /var/mail /var/lib /var/spool/cron /var/backups/mysql)
# The following expression specifies the files not to be archived. # The following expression specifies the files not to be archived.
# #
...@@ -16,7 +16,7 @@ SRCLIST=(/etc /root /srv /home /usr/local /var/mail /var/lib /var/spool/cron /va ...@@ -16,7 +16,7 @@ SRCLIST=(/etc /root /srv /home /usr/local /var/mail /var/lib /var/spool/cron /va
# Exclude mysql binary dirs, as these are dumped to /var/backups/mysql before # Exclude mysql binary dirs, as these are dumped to /var/backups/mysql before
# the backup. Also exclude php5 session files. # the backup. Also exclude php5 session files.
# #
SKIPCOND=(-path "*.nobackup*" -o -name "*.o" -o '(' -path '/var/lib/mysql' -o -path '/var/lib/php5' -o -path '/var/lib/postgresql' ')' -prune ) SKIPCOND=(-path "*.nobackup*" -o -name "*.o" -o '(' -path '/var/lib/mysql' -o -path '/var/lib/php5' )' -prune )
################################################## ##################################################
# Destination # Destination
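Review bot: Dropping `-o -path '/var/lib/postgresql'` from SKIPCOND while `/var/lib` stays in SRCLIST means a PostgreSQL cluster, if one is installed, is now archived as live data files instead of being pruned — the very thing the comment above this line says is avoided for MySQL, and such a copy is generally not consistent. If PostgreSQL support is intentionally dropped (the `/var/backups/postgresql` SRCLIST entry goes too), the prune is still worth keeping, or the comment should say why not, e.g. `# PostgreSQL is not dumped by this package; /var/lib/postgresql is pruned so a live cluster is never archived.`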
sympl-backup (9.0.190609.0) stable; urgency=medium
* Updated backup paths
-- Paul Cammish <sympl@kelduum.net> Sun, 09 Jun 2019 00:53:13 +0100
sympl-backup (9.0.190604.0) stable; urgency=medium sympl-backup (9.0.190604.0) stable; urgency=medium
* Replaced mentions of Symbiosis with Sympl. * Replaced mentions of Symbiosis with Sympl.
sympl-common (9.0.190609.0) stable; urgency=medium
* Renamed admin user to sympl.
* Adjusted permissions to allow public/htdocs to be owned by www-data.
* Added sympl-file-permissions to enforce security.
-- Paul Cammish <sympl@kelduum.net> Sun, 09 Jun 2019 00:53:13 +0100
sympl-common (9.0.190604.0) stable; urgency=medium sympl-common (9.0.190604.0) stable; urgency=medium
* Replaced mentions of Symbiosis with Sympl. * Replaced mentions of Symbiosis with Sympl.
#
# Check the security of various sensative directories, and fix where needed
#
@hourly root [ -x /usr/sbin/sympl-file-security ] && /usr/sbin/sympl-file-security --quiet
# #
# Test the strength of user passwords. # Test the strength of user passwords.
# #
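Review bot: The new hourly job runs `/usr/sbin/sympl-file-security`, but the sympl-common postinst in this same commit runs `sympl-permissions` and the changelog entry names `sympl-file-permissions`; unless these are three different tools, one name needs to be settled on, because the `-x` guard makes a wrong path fail silently and the hourly enforcement never fires. The comment also misspells `sensitive` as `sensative`. The tool itself is not in the diff, so I cannot confirm which name is the real binary.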
...@@ -24,30 +24,30 @@ fi ...@@ -24,30 +24,30 @@ fi
shadowconfig on shadowconfig on
# #
# If there isn't an admin account add it. # If there isn't a Sympl account, add it.
# #
if ( ! grep ^admin: /etc/passwd 2>/dev/null >/dev/null ); then if ( ! grep ^sympl: /etc/passwd 2>/dev/null >/dev/null ); then
echo "Adding 'admin' account" echo "Adding 'sympl' account"
adduser --home=/srv --shell=/bin/bash --no-create-home --disabled-login --gecos='Sympl Administrator,,,' admin adduser --home=/home/sympl --shell=/bin/bash --disabled-login --gecos='Sympl Administrator,,,' sympl
# #
# Now set the password for admin to that used by root if it isn't there # Now set the password for Sympl to that used by root.
# #
usermod -p "$(grep root /etc/shadow | cut -f 2 -d :)" admin usermod -p "$(grep root /etc/shadow | cut -f 2 -d :)" sympl
# #
# If we have an adm group - which we should - add the admin user to it. # If we have an adm group - which we should - add the Sympl user to it.
# #
if ( getent group adm >/dev/null ); then if ( getent group adm >/dev/null ); then
adduser admin adm adduser sympl adm
fi fi
# #
# Ensure the admin user is added to the www-data group too # Ensure the Sympl user is added to the www-data group too
# #
if ( getent group www-data >/dev/null ); then if ( getent group www-data >/dev/null ); then
adduser admin www-data adduser sympl www-data
fi fi
fi fi
...@@ -56,7 +56,7 @@ fi ...@@ -56,7 +56,7 @@ fi
# Add a stat override for the /srv directory. # Add a stat override for the /srv directory.
# #
if ( ! dpkg-statoverride --list /srv > /dev/null ) ; then if ( ! dpkg-statoverride --list /srv > /dev/null ) ; then
dpkg-statoverride --add --update admin admin 2755 /srv dpkg-statoverride --add --update sympl sympl 2755 /srv
fi fi
# #
...@@ -88,7 +88,7 @@ if [ ! -e "/srv/$HOSTNAME" ] ; then ...@@ -88,7 +88,7 @@ if [ ! -e "/srv/$HOSTNAME" ] ; then
mkdir -p /srv/$HOSTNAME/config mkdir -p /srv/$HOSTNAME/config
mkdir -p /srv/$HOSTNAME/mailboxes/root mkdir -p /srv/$HOSTNAME/mailboxes/root
chown -R admin:admin /srv/$HOSTNAME chown -R sympl:sympl /srv/$HOSTNAME
fi fi
# #
...@@ -143,6 +143,11 @@ if [ ! -e "/etc/ssl/ssl.key" ] && ...@@ -143,6 +143,11 @@ if [ ! -e "/etc/ssl/ssl.key" ] &&
fi fi
# If sympl-permissions is in the path, run it.
if [ "x$( which sympl-permissions )" != "x" ]; then
sympl-permissions --verbose
fi
#DEBHELPER# #DEBHELPER#
exit 0 exit 0
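Review bot: `usermod -p "$(grep root /etc/shadow | cut -f 2 -d :)" sympl` copies the hash from whichever shadow line first contains the substring `root` — any account whose name or hash includes it would match — so anchor it: `usermod -p "$(grep '^root:' /etc/shadow | cut -d: -f2)" sympl`. Removing `--no-create-home` means adduser now creates `/home/sympl` with its default DIR_MODE, and the test script in this commit expects `/home/sympl/mysql_password` there; if the directory or file is world-readable the MySQL credential leaks, so consider `chmod 0750 /home/sympl` after the adduser call (or make sure the permissions tool covers it). Since the same account gets `ALL = (ALL) ALL` in sudoers, giving it root's hash makes it a second root login with the same password; a comment stating that this is intended would stop a later reader from "fixing" it. Finally, `which` in the new block before `#DEBHELPER#` is deprecated on Debian; `if command -v sympl-permissions >/dev/null 2>&1; then` is the portable form.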
...@@ -20,10 +20,10 @@ fi ...@@ -20,10 +20,10 @@ fi
if [ "purge" = "$1" ] ; then if [ "purge" = "$1" ] ; then
# #
# Remove admin account and group # Remove sympl account and group
# #
if [ getent passwd admin >/dev/null 2>&1 ] ; then if [ getent passwd sympl >/dev/null 2>&1 ] ; then
deluser admin deluser sympl
fi fi
# We won't delete the SSL key/crt. # We won't delete the SSL key/crt.
...@@ -36,6 +36,7 @@ if [ "purge" = "$1" ] ; then ...@@ -36,6 +36,7 @@ if [ "purge" = "$1" ] ; then
chmod 0755 /srv chmod 0755 /srv
fi fi
# If theres a symlink from /etc/symbiosis to /etc/sympl, remove it
if [ "x$( readlink /etc/sympl )" == "x/etc/symbiosis" ]; then if [ "x$( readlink /etc/sympl )" == "x/etc/symbiosis" ]; then
rm /etc/symbiosis rm /etc/symbiosis
fi fi
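Review bot: `if [ getent passwd sympl >/dev/null 2>&1 ]` hands the words `getent passwd sympl` to the `[` builtin as operands instead of running getent, so the test errors out (exit 2) and `deluser sympl` never runs on purge; it should read `if getent passwd sympl >/dev/null 2>&1; then`. The symlink block below also contradicts its new comment: it inspects the link target of `/etc/sympl` and then removes `/etc/symbiosis`, i.e. the target rather than the link; if the intent is to drop a `/etc/symbiosis -> /etc/sympl` compatibility link, the check should be `if [ "x$( readlink /etc/symbiosis )" = "x/etc/sympl" ]; then` followed by `rm /etc/symbiosis`. `==` inside `[ ]` is a bashism as well; use `=` unless the script is explicitly `#!/bin/bash` (the shebang is outside the diff).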
...@@ -139,15 +139,15 @@ module Symbiosis ...@@ -139,15 +139,15 @@ module Symbiosis
@gid = directory_stat.gid @gid = directory_stat.gid
else else
# #
# If this is a system proces, use the prefix owner, if poss, admin # If this is a system proces, use the prefix owner, if poss, sympl
# otherwise. # otherwise.
# #
if Process.uid < 1000 if Process.uid < 1000
prefix_stat = File.stat(@prefix) prefix_stat = File.stat(@prefix)
if prefix_stat.uid < 1000 if prefix_stat.uid < 1000
@uid = Etc.getpwnam("admin").uid @uid = Etc.getpwnam("sympl").uid
@gid = Etc.getpwnam("admin").gid @gid = Etc.getpwnam("sympl").gid
else else
@uid = prefix_stat.uid @uid = prefix_stat.uid
@gid = prefix_stat.gid @gid = prefix_stat.gid
...@@ -251,9 +251,11 @@ module Symbiosis ...@@ -251,9 +251,11 @@ module Symbiosis
parent_dir_stat = File.stat(parent_dir) parent_dir_stat = File.stat(parent_dir)
# #
# Refuse to write to directories owned by UIDs < 1000. # Refuse to write to directories not owned UID 33 (www-data) or UID >= 1000
# #
raise ArgumentError, "Parent directory #{parent_dir} is owned by a system user." unless parent_dir_stat.uid >= 1000 if ( parent_dir_stat.uid < 1000 && parent_dir_stat.uid != 33 )
raise ArgumentError, "Parent directory #{parent_dir} is owned by a system user other than www-data."
end
if false == value or value.nil? if false == value or value.nil?
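Review bot: The relaxed ownership check compares against the literal `33`; www-data is UID 33 on Debian by convention, but the error message names the account, so resolve it at runtime instead, e.g. `www_data_uid = Etc.getpwnam("www-data").uid` and `if parent_dir_stat.uid < 1000 && parent_dir_stat.uid != www_data_uid` (`Etc` is already used in the earlier hunk of this file). The security trade-off also deserves a comment: this guard kept a writer that may itself run as a system process (the `Process.uid < 1000` branch above) out of directories controlled by system accounts, and once www-data-owned parents are accepted a compromised web process can rearrange that directory before the write lands, e.g. swap an entry for a symlink, so the write path should avoid following symlinks or check the final component with `File.lstat`. Something like `# www-data may own public/htdocs; trusting it here means the web process can influence where we write` would record the decision. The enclosing method begins before this hunk.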
# #
# This allows the Admin user sudo access. # This allows the Sympl user sudo access.
# #
admin ALL = (ALL) ALL sympl ALL = (ALL) ALL
...@@ -10,7 +10,7 @@ class TestUtils < Test::Unit::TestCase ...@@ -10,7 +10,7 @@ class TestUtils < Test::Unit::TestCase
def setup def setup
# #
# The prefix has to be in a directory admin can read.. # The prefix has to be in a directory sympl can read..
# #
@prefix = Dir.mktmpdir("srv","/tmp") @prefix = Dir.mktmpdir("srv","/tmp")
@prefix.freeze @prefix.freeze
sympl-firewall (9.0.190609.0) stable; urgency=medium
* Renamed 'admin' user to 'sympl'
-- Paul Cammish <sympl@kelduum.net> Sun, 09 Jun 2019 00:53:13 +0100
sympl-firewall (9.0.190604.0) stable; urgency=medium sympl-firewall (9.0.190604.0) stable; urgency=medium
* Replaced mentions of Symbiosis with Sympl. * Replaced mentions of Symbiosis with Sympl.
...@@ -14,7 +14,7 @@ fi ...@@ -14,7 +14,7 @@ fi
# #
PREFIX=/etc/sympl/firewall PREFIX=/etc/sympl/firewall
chown -R admin:admin $PREFIX chown -R sympl:sympl $PREFIX
#DEBHELPER# #DEBHELPER#
sympl-common (9.0.190609.0) stable; urgency=medium
* Renamed admin user to sympl.
-- Paul Cammish <sympl@kelduum.net> Sun, 09 Jun 2019 00:53:13 +0100
sympl-mail (9.0.190605.0) stable; urgency=medium sympl-mail (9.0.190605.0) stable; urgency=medium
* Renamed package to sympl-mail * Renamed package to sympl-mail
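Review bot: The new entry is headed `sympl-common (9.0.190609.0)` while the entry directly beneath it is `sympl-mail (9.0.190605.0)`, so this appears to be sympl-mail's changelog carrying the wrong source package name; dpkg-parsechangelog takes the package name and version from the top entry, so this would build the wrong package or fail. The heading should be `sympl-mail (9.0.190609.0) stable; urgency=medium`.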
...@@ -4,7 +4,7 @@ local_users_forward: ...@@ -4,7 +4,7 @@ local_users_forward:
driver = redirect driver = redirect
domains = $primary_hostname domains = $primary_hostname
check_local_user check_local_user
local_parts = ! root : ! admin local_parts = ! root : ! sympl
local_part_suffix = +* local_part_suffix = +*
local_part_suffix_optional local_part_suffix_optional
# Make sure the files exists to avoid awkward failures # Make sure the files exists to avoid awkward failures
...@@ -10,7 +10,7 @@ local_users_forward_sieve: ...@@ -10,7 +10,7 @@ local_users_forward_sieve:
# Set permissions for any actions we might take # Set permissions for any actions we might take
user = $local_user_uid user = $local_user_uid
group = $local_user_gid group = $local_user_gid
local_parts = ! root : ! admin local_parts = ! root : ! sympl
local_part_suffix = +* local_part_suffix = +*
local_part_suffix_optional local_part_suffix_optional
transport = dovecot_lda transport = dovecot_lda
...@@ -4,7 +4,7 @@ local_users_vacation: ...@@ -4,7 +4,7 @@ local_users_vacation:
driver = accept driver = accept
domains = $primary_hostname domains = $primary_hostname
check_local_user check_local_user
local_parts = ! root : ! admin local_parts = ! root : ! sympl
local_part_suffix = +* local_part_suffix = +*
local_part_suffix_optional local_part_suffix_optional
# This condition is mostly cribbed from the default value for # This condition is mostly cribbed from the default value for
...@@ -4,7 +4,7 @@ local_users_mailbox: ...@@ -4,7 +4,7 @@ local_users_mailbox:
driver = redirect driver = redirect
domains = $primary_hostname domains = $primary_hostname
check_local_user check_local_user
local_parts = ! root : ! admin local_parts = ! root : ! sympl
local_part_suffix = +* local_part_suffix = +*
local_part_suffix_optional local_part_suffix_optional
data = ${home}/Maildir/${if eqi{$h_X-Spam-Status:}{spam}{.Spam/}{}} data = ${home}/Maildir/${if eqi{$h_X-Spam-Status:}{spam}{.Spam/}{}}