Commit 5d3c64e0 authored by Paul Cammish's avatar Paul Cammish

Renamed 'admin' user to 'sympl', adjusted permission compatibility

parent 22051148
......@@ -19,13 +19,13 @@ ruby -e "ans='$ans'.sub(/^\{CRYPT\}/,'') ; exit '$pw'.crypt(ans) == ans"
# Set the mailbox password using our newly encrypted password
#
echo "$ans" > /srv/$(hostname)/mailboxes/root/password
chown admin.admin /srv/$(hostname)/mailboxes/root/password
chown sympl.sympl /srv/$(hostname)/mailboxes/root/password
#
# Set the FTP password
#
echo "$ans" > /srv/$(hostname)/config/ftp-password
chown admin.admin /srv/$(hostname)/config/ftp-password
chown sympl.sympl /srv/$(hostname)/config/ftp-password
#
# This just returns the IP address
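Review bot: Both password files are created by the `>` redirection with whatever umask the script inherits and are then only chowned, so with the usual 022 the crypt hash of the root mailbox/FTP password is readable by every local account; nothing in the hunk sets a mode. After each chown add `chmod 0600 /srv/$(hostname)/mailboxes/root/password` and `chmod 0600 /srv/$(hostname)/config/ftp-password` (0640 if a daemon group genuinely has to read them — confirm which services consume these files, that is not visible here). The `$(hostname)` expansion is also unquoted on every line; quoting it costs nothing and keeps the redirect from splitting on an odd hostname.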
......
......@@ -20,8 +20,8 @@ esac
ERRORCOUNT=0
declare -r MYSQL_USER="admin"
declare -r MYSQL_PASS="$(head -n 1 /root/mysql_admin_password)"
declare -r MYSQL_USER="sympl"
declare -r MYSQL_PASS="$(head -n 1 /home/sympl/mysql_password)"
declare -r MYSQL_DATABASE="sympl_test_$(printf "d\\303\\242tabase")_$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)"
declare -r MYSQL_DUMP_SCRIPT="/etc/symbiosis/backup.d/pre-backup.d/10-dump-mysql"
declare -r MYSQL_DUMP_PATH="/var/backups/mysql"
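Review bot: The credential now comes from `/home/sympl/mysql_password`, and the postinst in this commit creates `/home/sympl` through `adduser`'s default home mode rather than root's 0700 `/root`, so the file's own mode is the only thing keeping the MySQL password from other local users; the code that writes that file is not in this diff, so confirm it is created `0600` and owned by `sympl`. A cheap guard before it is read would be `[ "$(stat -c %a /home/sympl/mysql_password)" = "600" ] || echo "mysql_password is not mode 0600" >&2`. Minor: `cat /dev/urandom | tr -dc …` is a useless use of cat; `tr -dc 'a-zA-Z0-9' </dev/urandom` reads the same bytes.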
......
......@@ -6,7 +6,7 @@
# List of directories to make backups of. /var/backups/mysql is included here
# such that versioned database backups are kept.
#
SRCLIST=(/etc /root /srv /home /usr/local /var/mail /var/lib /var/spool/cron /var/backups/mysql /var/backups/postgresql)
SRCLIST=(/etc /root /srv /home /usr/local /var/mail /var/lib /var/spool/cron /var/backups/mysql)
# The following expression specifies the files not to be archived.
#
......@@ -16,7 +16,7 @@ SRCLIST=(/etc /root /srv /home /usr/local /var/mail /var/lib /var/spool/cron /va
# Exclude mysql binary dirs, as these are dumped to /var/backups/mysql before
# the backup. Also exclude php5 session files.
#
SKIPCOND=(-path "*.nobackup*" -o -name "*.o" -o '(' -path '/var/lib/mysql' -o -path '/var/lib/php5' -o -path '/var/lib/postgresql' ')' -prune )
SKIPCOND=(-path "*.nobackup*" -o -name "*.o" -o '(' -path '/var/lib/mysql' -o -path '/var/lib/php5' )' -prune )
##################################################
# Destination
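Review bot: As rendered, the new SKIPCOND line ends in `'/var/lib/php5' )' -prune )` — the closing `')'` of the `'(' … ')'` group lost its opening quote when `-o -path '/var/lib/postgresql' ` was cut out, so the bare `)` closes the array and the trailing `' -prune )` is an unterminated string that bash will refuse to source; unless the page dropped a character, it should read `'(' -path '/var/lib/mysql' -o -path '/var/lib/php5' ')' -prune )`. Separately, dropping the `/var/lib/postgresql` prune here (and `/var/backups/postgresql` from SRCLIST in the previous hunk) means a host that still runs PostgreSQL now has its live cluster files copied out of `/var/lib` while they are being written, which is not a consistent backup. If PostgreSQL support is being removed deliberately, a comment next to the mysql one saying so would save the next reader the question.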
......
sympl-backup (9.0.190609.0) stable; urgency=medium
* Updated backup paths
-- Paul Cammish <sympl@kelduum.net> Sun, 09 Jun 2019 00:53:13 +0100
sympl-backup (9.0.190604.0) stable; urgency=medium
* Replaced mentions of Symbiosis with Sympl.
......
sympl-common (9.0.190609.0) stable; urgency=medium
* Renamed admin user to sympl.
* Adjusted permissions to allow public/htdocs to be owned by www-data.
* Added sympl-file-permissions to enforce security.
-- Paul Cammish <sympl@kelduum.net> Sun, 09 Jun 2019 00:53:13 +0100
sympl-common (9.0.190604.0) stable; urgency=medium
* Replaced mentions of Symbiosis with Sympl.
......
#
# Check the security of various sensative directories, and fix where needed
#
@hourly root [ -x /usr/sbin/sympl-file-security ] && /usr/sbin/sympl-file-security --quiet
#
# Test the strength of user passwords.
#
......
......@@ -24,30 +24,30 @@ fi
shadowconfig on
#
# If there isn't an admin account add it.
# If there isn't a Sympl account, add it.
#
if ( ! grep ^admin: /etc/passwd 2>/dev/null >/dev/null ); then
if ( ! grep ^sympl: /etc/passwd 2>/dev/null >/dev/null ); then
echo "Adding 'admin' account"
adduser --home=/srv --shell=/bin/bash --no-create-home --disabled-login --gecos='Sympl Administrator,,,' admin
echo "Adding 'sympl' account"
adduser --home=/home/sympl --shell=/bin/bash --disabled-login --gecos='Sympl Administrator,,,' sympl
#
# Now set the password for admin to that used by root if it isn't there
# Now set the password for Sympl to that used by root.
#
usermod -p "$(grep root /etc/shadow | cut -f 2 -d :)" admin
usermod -p "$(grep root /etc/shadow | cut -f 2 -d :)" sympl
#
# If we have an adm group - which we should - add the admin user to it.
# If we have an adm group - which we should - add the Sympl user to it.
#
if ( getent group adm >/dev/null ); then
adduser admin adm
adduser sympl adm
fi
#
# Ensure the admin user is added to the www-data group too
# Ensure the Sympl user is added to the www-data group too
#
if ( getent group www-data >/dev/null ); then
adduser admin www-data
adduser sympl www-data
fi
fi
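Review bot: `usermod -p "$(grep root /etc/shadow | cut -f 2 -d :)" sympl` is unanchored, so any account whose name merely contains `root` yields several lines and an invalid password field for the new user; use `getent shadow root | cut -d: -f2` (or `grep '^root:'`). More fundamentally this copies root's hash onto an account that this commit also gives `sympl ALL = (ALL) ALL` in sudoers and a real `/home/sympl`, so root's password now logs in as `sympl` over SSH even where `PermitRootLogin` is off — if that is intended it deserves a comment such as `# NOTE: sympl shares root's password hash; a root password change must be mirrored here`. Note also that the whole branch runs only when no `^sympl:` entry exists, so an upgraded host keeps its old `admin` account untouched; nothing in this diff renames or removes it.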
......@@ -56,7 +56,7 @@ fi
# Add a stat override for the /srv directory.
#
if ( ! dpkg-statoverride --list /srv > /dev/null ) ; then
dpkg-statoverride --add --update admin admin 2755 /srv
dpkg-statoverride --add --update sympl sympl 2755 /srv
fi
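Review bot: The `dpkg-statoverride --list /srv` guard tests only for presence, so an upgraded host that already carries the previous `admin admin 2755 /srv` override never receives the new one and `/srv` stays owned by `admin` (or by a dangling UID once that account goes away) while the rest of this commit assumes `sympl`. Check the listed owner instead, e.g. `dpkg-statoverride --list /srv | grep -q '^sympl sympl ' || { dpkg-statoverride --remove /srv 2>/dev/null; dpkg-statoverride --add --update sympl sympl 2755 /srv; }`. The `chown -R sympl:sympl /srv/$HOSTNAME` in the next hunk has the same gap, since it only runs when the directory does not exist yet.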
#
......@@ -88,7 +88,7 @@ if [ ! -e "/srv/$HOSTNAME" ] ; then
mkdir -p /srv/$HOSTNAME/config
mkdir -p /srv/$HOSTNAME/mailboxes/root
chown -R admin:admin /srv/$HOSTNAME
chown -R sympl:sympl /srv/$HOSTNAME
fi
#
......@@ -143,6 +143,11 @@ if [ ! -e "/etc/ssl/ssl.key" ] &&
fi
# If sympl-permissions is in the path, run it.
if [ "x$( which sympl-permissions )" != "x" ]; then
sympl-permissions --verbose
fi
#DEBHELPER#
exit 0
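Review bot: The tool invoked here is `sympl-permissions`, but the cron entry in this commit runs `/usr/sbin/sympl-file-security` and the changelog announces `sympl-file-permissions`; unless two different programs are intended, at least one of these names will never run, and both the `which` test here and the `[ -x … ]` test in cron skip a missing binary without a word. Pick one name and test for it with `command -v sympl-permissions >/dev/null 2>&1`, which is the POSIX form and does not depend on `which` being installed. Consider also an `else echo "sympl-permissions not found; permissions not enforced" >&2` branch so a broken install is visible in the postinst output.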
......@@ -20,10 +20,10 @@ fi
if [ "purge" = "$1" ] ; then
#
# Remove admin account and group
# Remove sympl account and group
#
if [ getent passwd admin >/dev/null 2>&1 ] ; then
deluser admin
if [ getent passwd sympl >/dev/null 2>&1 ] ; then
deluser sympl
fi
# We won't delete the SSL key/crt.
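Review bot: `if [ getent passwd sympl >/dev/null 2>&1 ] ; then` is not a command substitution: `[` receives the three words `getent passwd sympl`, rejects `passwd` as an operator (the error is hidden by the redirect), exits 2, and `deluser sympl` therefore never runs on purge — the renamed line keeps the pre-existing bug. It should be `if getent passwd sympl >/dev/null 2>&1 ; then`. Since the account now has a real `/home/sympl`, which the test script in this commit expects to hold `mysql_password`, decide whether purge should pass `--remove-home` so that credential does not outlive the package, and state the choice in the comment.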
......@@ -36,6 +36,7 @@ if [ "purge" = "$1" ] ; then
chmod 0755 /srv
fi
# If theres a symlink from /etc/symbiosis to /etc/sympl, remove it
if [ "x$( readlink /etc/sympl )" == "x/etc/symbiosis" ]; then
rm /etc/symbiosis
fi
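Review bot: The test and the action disagree: the comment says to remove a symlink from `/etc/symbiosis` to `/etc/sympl`, but the condition reads `readlink /etc/sympl` and compares it to `/etc/symbiosis`, then removes `/etc/symbiosis` — when `/etc/sympl` is the link this tries to `rm` the real directory (which fails) and leaves the dangling link in place. It should be `if [ "$(readlink /etc/symbiosis)" = "/etc/sympl" ]; then rm /etc/symbiosis; fi`. `==` inside `[ ]` is also a bashism; use `=` unless the script's shebang, which is outside this hunk, is known to be bash.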
......
......@@ -139,15 +139,15 @@ module Symbiosis
@gid = directory_stat.gid
else
#
# If this is a system proces, use the prefix owner, if poss, admin
# If this is a system proces, use the prefix owner, if poss, sympl
# otherwise.
#
if Process.uid < 1000
prefix_stat = File.stat(@prefix)
if prefix_stat.uid < 1000
@uid = Etc.getpwnam("admin").uid
@gid = Etc.getpwnam("admin").gid
@uid = Etc.getpwnam("sympl").uid
@gid = Etc.getpwnam("sympl").gid
else
@uid = prefix_stat.uid
@gid = prefix_stat.gid
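Review bot: `Etc.getpwnam("sympl")` raises `ArgumentError` when the account does not exist, and the postinst in this commit only creates it when no `^sympl:` line exists — it does not rename an existing `admin` — so on an upgraded host every system-process write that reaches this branch fails with a bare "can't find user" until someone creates the account by hand. Resolve the entry once and raise a message that says what to do about it; the enclosing method starts before and ends after this hunk.
```ruby
# … unchanged: Process.uid / prefix_stat checks …
begin
  sympl = Etc.getpwnam("sympl")
rescue ArgumentError
  raise ArgumentError, "sympl account missing; cannot choose an owner for #{@prefix}"
end
@uid = sympl.uid
@gid = sympl.gid
```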
......
......@@ -251,9 +251,11 @@ module Symbiosis
parent_dir_stat = File.stat(parent_dir)
#
# Refuse to write to directories owned by UIDs < 1000.
# Refuse to write to directories not owned UID 33 (www-data) or UID >= 1000
#
raise ArgumentError, "Parent directory #{parent_dir} is owned by a system user." unless parent_dir_stat.uid >= 1000
if ( parent_dir_stat.uid < 1000 && parent_dir_stat.uid != 33 )
raise ArgumentError, "Parent directory #{parent_dir} is owned by a system user other than www-data."
end
if false == value or value.nil?
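Review bot: The relaxed guard now lets a privileged caller (the `Process.uid < 1000` branch earlier in this file shows system processes reach this code) write into directories owned by `www-data`, which is also the UID the web server and its scripts run as; a compromised site can pre-create an entry or symlink under such a directory, so the write that follows this check should open with `File::NOFOLLOW | File::EXCL` or refuse when `File.symlink?(path)` rather than trusting the parent. The hard-coded `33` should also be resolved, since the UID is distribution-dependent and `Etc` is already used in this file: `www_data_uid = Etc.getpwnam("www-data").uid` and `if parent_dir_stat.uid < 1000 && parent_dir_stat.uid != www_data_uid`. The write itself is outside this hunk.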
......
#
# This allows the Admin user sudo access.
# This allows the Sympl user sudo access.
#
admin ALL = (ALL) ALL
sympl ALL = (ALL) ALL
......@@ -10,7 +10,7 @@ class TestUtils < Test::Unit::TestCase
def setup
#
# The prefix has to be in a directory admin can read..
# The prefix has to be in a directory sympl can read..
#
@prefix = Dir.mktmpdir("srv","/tmp")
@prefix.freeze
......
sympl-firewall (9.0.190609.0) stable; urgency=medium
* Renamed 'admin' user to 'sympl'
-- Paul Cammish <sympl@kelduum.net> Sun, 09 Jun 2019 00:53:13 +0100
sympl-firewall (9.0.190604.0) stable; urgency=medium
* Replaced mentions of Symbiosis with Sympl.
......
......@@ -14,7 +14,7 @@ fi
#
PREFIX=/etc/sympl/firewall
chown -R admin:admin $PREFIX
chown -R sympl:sympl $PREFIX
#DEBHELPER#
......
sympl-common (9.0.190609.0) stable; urgency=medium
* Renamed admin user to sympl.
-- Paul Cammish <sympl@kelduum.net> Sun, 09 Jun 2019 00:53:13 +0100
sympl-mail (9.0.190605.0) stable; urgency=medium
* Renamed package to sympl-mail
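Review bot: The new top entry is headed `sympl-common (9.0.190609.0)` while the entry beneath it, and the package this changelog appears to belong to given the exim router hunks that follow, is `sympl-mail`; dpkg-buildpackage takes the source package name and version from the first entry, so this would build or tag the mail package under the wrong name. Change the header to `sympl-mail (9.0.190609.0) stable; urgency=medium`.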
......
......@@ -4,7 +4,7 @@ local_users_forward:
driver = redirect
domains = $primary_hostname
check_local_user
local_parts = ! root : ! admin
local_parts = ! root : ! sympl
local_part_suffix = +*
local_part_suffix_optional
# Make sure the files exists to avoid awkward failures
......
......@@ -10,7 +10,7 @@ local_users_forward_sieve:
# Set permissions for any actions we might take
user = $local_user_uid
group = $local_user_gid
local_parts = ! root : ! admin
local_parts = ! root : ! sympl
local_part_suffix = +*
local_part_suffix_optional
transport = dovecot_lda
......
......@@ -4,7 +4,7 @@ local_users_vacation:
driver = accept
domains = $primary_hostname
check_local_user
local_parts = ! root : ! admin
local_parts = ! root : ! sympl
local_part_suffix = +*
local_part_suffix_optional
# This condition is mostly cribbed from the default value for
......
......@@ -4,7 +4,7 @@ local_users_mailbox:
driver = redirect
domains = $primary_hostname
check_local_user
local_parts = ! root : ! admin
local_parts = ! root : ! sympl
local_part_suffix = +*
local_part_suffix_optional
data = ${home}/Maildir/${if eqi{$h_X-Spam-Status:}{spam}{.Spam/}{}}
......