Commit 8b1623b4 authored by Paul Cammish's avatar Paul Cammish

Merge branch 'rename_admin_user_to_sympl' into 'master'

Rename admin user to sympl, secure permissions

See merge request sympl/sympl!24
parents ca1ac43a b820b965
* 2019-06-10 - Significant changes to 'admin' user
- Replaced 'admin' user with 'sympl' user, with the home directory at /home/sympl
- sympl-mysql writes /home/sympl/.my.cnf and 'mysql_password' files on install
- FTP users inherit uid/gid from target chroot directory, Umask is set rw for group.
- Improved filesystem security and added 'sympl-filesystem-security' to enforce it.
prevents a compromised site from accessing configurations, mail, backups, etc.
runs hourly, and enforces permissions on /srv, /var/backup and /etc/sympl
config/public-user, config/public-group specify user which owns the public directory
defaults to www-data:www-data
can be disabled with do-not-secure (domain) in config and /etc/sympl (global)
- Removed symbiosis-skel/sympl-skel service as it's superflous
- Added htop, nano, vim to recommends, along with basic configs for usability
* 2019-06-06 - First Public Build
- Renamed packages and files, replaced references to Symbiosis with Sympl.
bytemark-symbiosis -> sympl-core
symbiosis-httpd -> sympl-web
symbiosis-email -> sympl-mail
symbiosis-ftpd -> sympl-ftp
symbiosis-meta -> sympl-core
symbiosis-* -> sympl-*
- Renamed command-line tools, with new package names, added symlinks from old names.
- /etc/symbiosis is now /etc/sympl, with symlink for compatibilty.
- Folded old metapackages into relevant packages.
- Dropped support for old Exchange Activesync.
- Dropped support for XMPP.
- A lot of tidying up.
* 2019-05-28 - Implemented autotest suite, updated docs.
* 2019-04-16 - Fixed Gitlab CI
* 2019-04-13 - Initial fork from GitHub
* 2019-06-06 - First Beta
* * Renamed packages and files, replaced references to Symbiosis with Sympl.
* * * bytemark-symbiosis -> sympl-core
* * * symbiosis-httpd -> sympl-web
* * * symbiosis-email -> sympl-mail
* * * symbiosis-ftpd -> sympl-ftp
* * * symbiosis-meta -> sympl-core
* * * symbiosis-* -> sympl-*
* * Renamed command-line tools, with new package names, added symlinks from old names.
* * /etc/symbiosis is now /etc/sympl, with symlink for compatibilty.
* * Folded old metapackages into relevant packages.
* * Dropped support for old Exchange Activesync.
* * Dropped support for XMPP.
* * A lot of tidying up.
* 2019-05-28 - Implemented autotest suite, updated docs.
* 2019-04-16 - Fixed Gitlab CI
* 2019-04-13 - Initial fork from GitHub
......@@ -2,6 +2,8 @@
# Prepare the system for runnign the sympl-test suite
sympl-filesystem-security
export LC_ALL="en_GB.UTF-8"
echo "I: Creating local system user for testing if it doesnt exist."
......
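Review bot: The `sympl-filesystem-security` call added at the top of the prep script is neither guarded nor checked, so a missing or failing script either aborts the suite without a message or is silently ignored, depending on whether `set -e` is in force (the script's header is outside the hunk). The postinst in this same commit guards the call with `[ -x /usr/sbin/sympl-filesystem-security ] && …`; test setup should instead fail loudly, e.g. `sympl-filesystem-security || { echo "E: sympl-filesystem-security failed" >&2; exit 1; }`.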
......@@ -19,13 +19,13 @@ ruby -e "ans='$ans'.sub(/^\{CRYPT\}/,'') ; exit '$pw'.crypt(ans) == ans"
# Set the mailbox password using our newly encrypted password
#
echo "$ans" > /srv/$(hostname)/mailboxes/root/password
chown admin.admin /srv/$(hostname)/mailboxes/root/password
chown sympl.sympl /srv/$(hostname)/mailboxes/root/password
#
# Set the FTP password
#
echo "$ans" > /srv/$(hostname)/config/ftp-password
chown admin.admin /srv/$(hostname)/config/ftp-password
chown sympl.sympl /srv/$(hostname)/config/ftp-password
#
# This just returns the IP address
......
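Review bot: The two `chown sympl.sympl` lines change only the owner; the password files written by the preceding `echo "$ans" >` lines keep whatever mode the umask gives them, so the mailbox and FTP passwords may stay group- or world-readable. Follow each chown with `chmod 0600 /srv/$(hostname)/mailboxes/root/password` (and likewise for `config/ftp-password`), unless another service must read them as a different user, which is not visible here. The `user.group` separator is the deprecated form; the postinst in this commit uses `sympl:sympl`, so use the colon form here too for consistency.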
......@@ -9,8 +9,7 @@ echo -n 'I: Checking backups run ok.'
if [ $? -ne 0 ]; then echo ' FAIL'; exit 1; else echo " PASS"; fi
echo -n 'I: Checking backups verify ok.'
backup2l -v > /dev/null
if [ $? -ne 0 ]; then echo ' FAIL'; exit 1; else echo " PASS"; fi
if [ $( backup2l -v | grep -c 'ERROR' ) -ne 0 ]; then echo ' FAIL'; exit 1; else echo " PASS"; fi
state_post="$( find /var/backups/localhost/ | md5sum )"
......
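Review bot: The replacement check `$( backup2l -v | grep -c 'ERROR' ) -ne 0` no longer looks at backup2l's own exit status, which the removed `if [ $? -ne 0 ]` line did; if `backup2l` fails to start or exits non-zero without printing the word ERROR, the count is 0 and the step prints PASS. Keep both signals by capturing once and testing both: `out="$(backup2l -v)" || { echo ' FAIL'; exit 1; }` followed by `if printf '%s\n' "$out" | grep -q 'ERROR'; then echo ' FAIL'; exit 1; else echo " PASS"; fi`. Which lines are removed versus added is inferred from the -8/+7 counts; this view may have dropped blank lines.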
......@@ -20,8 +20,8 @@ esac
ERRORCOUNT=0
declare -r MYSQL_USER="admin"
declare -r MYSQL_PASS="$(head -n 1 /root/mysql_admin_password)"
declare -r MYSQL_USER="sympl"
declare -r MYSQL_PASS="$(head -n 1 /home/sympl/mysql_password)"
declare -r MYSQL_DATABASE="sympl_test_$(printf "d\\303\\242tabase")_$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 16 | head -n 1)"
declare -r MYSQL_DUMP_SCRIPT="/etc/symbiosis/backup.d/pre-backup.d/10-dump-mysql"
declare -r MYSQL_DUMP_PATH="/var/backups/mysql"
......
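Review bot: `MYSQL_PASS` is read from `/home/sympl/mysql_password` with no check that the file exists or is readable, so on a host where sympl-mysql has not written it the variable silently becomes empty and every later MySQL step fails with a confusing access-denied error instead of a clear message. Add a guard before the `declare`: `[ -r /home/sympl/mysql_password ] || { echo "E: /home/sympl/mysql_password missing or unreadable" >&2; exit 1; }`. The context line below still points `MYSQL_DUMP_SCRIPT` at `/etc/symbiosis/backup.d/…`; the changelog says `/etc/symbiosis` is now only a compatibility symlink, so this probably should read `/etc/sympl/backup.d/pre-backup.d/10-dump-mysql`.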
......@@ -6,7 +6,7 @@
# List of directories to make backups of. /var/backups/mysql is included here
# such that versioned database backups are kept.
#
SRCLIST=(/etc /root /srv /home /usr/local /var/mail /var/lib /var/spool/cron /var/backups/mysql /var/backups/postgresql)
SRCLIST=(/etc /root /srv /home /usr/local /var/mail /var/lib /var/spool/cron /var/backups/mysql)
# The following expression specifies the files not to be archived.
#
......@@ -16,7 +16,7 @@ SRCLIST=(/etc /root /srv /home /usr/local /var/mail /var/lib /var/spool/cron /va
# Exclude mysql binary dirs, as these are dumped to /var/backups/mysql before
# the backup. Also exclude php5 session files.
#
SKIPCOND=(-path "*.nobackup*" -o -name "*.o" -o '(' -path '/var/lib/mysql' -o -path '/var/lib/php5' -o -path '/var/lib/postgresql' ')' -prune )
SKIPCOND=(-path "*.nobackup*" -o -name "*.o" -o '(' -path '/var/lib/mysql' -o -path '/var/lib/php5' ')' -prune )
##################################################
# Destination
......
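Review bot: Dropping `-path '/var/lib/postgresql'` from `SKIPCOND` means that directory is no longer pruned, and because `/var/lib` stays in `SRCLIST`, a PostgreSQL data directory present on the host will now be archived live, which yields an inconsistent copy of a running database. If PostgreSQL support is intentionally removed, the prune of `/var/lib/postgresql` should stay even though `/var/backups/postgresql` leaves the source list, since a live data directory is never a useful backup; otherwise a dump step writing to `/var/backups/postgresql` needs to be kept alongside it. Either way, add a comment on the `SKIPCOND` line stating why each pruned path is excluded.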
sympl-backup (9.0.190609.0) stable; urgency=medium
* Updated backup paths
-- Paul Cammish <sympl@kelduum.net> Sun, 09 Jun 2019 00:53:13 +0100
sympl-backup (9.0.190604.0) stable; urgency=medium
* Replaced mentions of Symbiosis with Sympl.
......
#!/usr/bin/ruby
#
# NAME
# sympl-skel - Populate new domains from a skeleton
#
# SYNOPSIS
# sympl-skel [ --etc path ] [ --prefix prefix ] [ domain ... ]
#
# OPTIONS
# --etc path Set the directory in which configuration is stored.
# Defaults to /etc
#
# --prefix prefix Set the directory prefix for sympl. Defaults to /srv.
#
# --help Show the help information for this script.
#
# --manual Show the manual for this script.
#
# --verbose Show verbose information.
#
# --debug Show debug information.
#
# USAGE
#
# This command checks to see if any domains do not have config dirs and
# populates the ones that don't with the contents of the skeleton directory.
#
# If domains are passed as arguments, it only checks and populates those
# domains.
#
# At the end of this process, hooks are run (see HOOKS)
#
# If an error occurred populating a domain, the script exits with exit code 1
# If a hook returns a non-zero exit code, this script exits with exit code 2
#
# HOOKS
#
# Hooks are executed from the /etc/sympl/skel-hooks.d directory, given the
# following conditions:
#
# * The file is executable
# * The file's name is made up only of alphanumerics, underscore (_) and hyphen
# (-)
#
# If any domain is altered by sympl-skel, at the end of the process all
# the hooks are called with 'domain-populated' passed as their only command-line
# argument and the list of domains that were altered is written to standard
# input, one per line.
#
# AUTHOR
# Telyn <telyn@bytemark.co.uk>
#
require 'English'
require 'getoptlong'
opts = GetoptLong.new(
['--help', '-h', GetoptLong::NO_ARGUMENT],
['--manual', '-m', GetoptLong::NO_ARGUMENT],
['--verbose', '-v', GetoptLong::NO_ARGUMENT],
['--debug', '-d', GetoptLong::NO_ARGUMENT],
['--prefix', '-p', GetoptLong::REQUIRED_ARGUMENT],
['--etc', '-e', GetoptLong::REQUIRED_ARGUMENT]
)
manual = help = false
$VERBOSELOCAL = false
$DEBUG = false
prefix = '/srv'
etc = '/etc'
opts.each do |opt, arg|
case opt
when '--help'
help = true
when '--manual'
manual = true
when '--verbose'
$VERBOSELOCAL = true
when '--debug'
$DEBUG = true
when '--prefix'
prefix = arg
when '--etc'
etc = arg
end
end
if help || manual
require 'symbiosis/utils'
Symbiosis::Utils.show_help(__FILE__) if help
Symbiosis::Utils.show_manual(__FILE__) if manual
exit 0
end
v = $VERBOSELOCAL
$VERBOSELOCAL = false
#
# The requires spawn a massive stack of warnings in verbose mode. So let's
# hide them.
#
require 'symbiosis'
require 'symbiosis/domains'
require 'symbiosis/domain_skeleton'
$VERBOSELOCAL = v
Symbiosis.etc = etc
Symbiosis.prefix = prefix
domains = []
ARGV.each do |arg|
domain = Symbiosis::Domains.find(arg.to_s, prefix)
if domain.nil?
warn "** Unable to find/parse domain #{arg.inspect}"
next
end
domains << domain
end
domains = Symbiosis::Domains.all(prefix) if ARGV.empty?
%w[INT TERM].each do |sig|
trap(sig) do
if Process.uid.zero?
Process.euid = 0
Process.egid = 0
end
exit 1
end
end
exit_code = 0
updated_domains = Symbiosis::DomainSkeleton.new.populate!(domains)
domain_errors = updated_domains.reject { |_, err| err.nil? }
unless domain_errors.empty?
# some error occurred
exit_code = 1
end
domains_for_hooks = updated_domains.select { |_, err| err.nil? }
.keys
exit exit_code if domains_for_hooks.empty?
exit_code = 2 unless Symbiosis::DomainSkeleton::Hooks.run!('domains-populated',
domains_for_hooks)
exit exit_code
sympl-common (9.0.190609.0) stable; urgency=medium
* Removed support for sympl-skel/symbiosis-skel.
* Renamed admin user to sympl.
* Adjusted permissions to allow public/htdocs to be owned by www-data.
* Added public-user, public-group and do-not-secure config files.
* Added sympl-filesystem-security to enforce security.
* Full support and enforcement for specific owners of a domains public directory.
-- Paul Cammish <sympl@kelduum.net> Sun, 09 Jun 2019 23:00:13 +0100
sympl-common (9.0.190604.0) stable; urgency=medium
* Replaced mentions of Symbiosis with Sympl.
......
......@@ -10,7 +10,7 @@ XS-Ruby-Versions: all
Package: sympl-common
Architecture: all
XB-Ruby-Versions: ${ruby:Versions}
Depends: ruby | ruby-interpreter, ruby-json-jwt, ruby-password, ruby-diffy, ruby-erubis, ruby-mocha, ruby-webmock, ruby-test-unit, ruby-faraday, gnutls-bin, gcc, openssl, sudo, adduser, ssl-cert, debconf-utils, ${misc:Depends}
Depends: ruby | ruby-interpreter, ruby-json-jwt, ruby-password, ruby-diffy, ruby-erubis, ruby-mocha, ruby-webmock, ruby-test-unit, ruby-faraday, gnutls-bin, gcc, openssl, sudo, adduser, ssl-cert, debconf-utils, acl, ${misc:Depends}
Replaces: symbiosis-common
Conflicts: symbiosis-common
Provides: symbiosis-common
......
#
# Check the security of various sensative directories, and fix where needed
#
@hourly root [ -x /usr/sbin/sympl-filesystem-security ] && /usr/sbin/sympl-filesystem-security
#
# Test the strength of user passwords.
#
......
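Review bot: The comment above the new cron entry misspells `sensitive` (`sensative`); change it to `# Check the security of various sensitive directories, and fix where needed`. The `@hourly` cadence means a permission change on /srv, /var/backup or /etc/sympl (the paths the changelog says are enforced) can persist for up to an hour before it is corrected, so this is a safety net rather than a guarantee; stating that in the comment, together with the fact that the postinst also runs the script at install time, would set the right expectation. Since any output goes to cron mail, the comment should also say whether the script is expected to be silent on a clean run.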
usr/bin/sympl-encrypt-password usr/bin/symbiosis-encrypt-password
usr/bin/sympl-ip usr/bin/symbiosis-ip
usr/bin/sympl-skel usr/bin/symbiosis-skel
usr/bin/sympl-ssl usr/bin/symbiosis-ssl
usr/bin/sympl-test usr/bin/symbiosis-test
usr/sbin/sympl-configure-ips usr/sbin/symbiosis-configure-ips
......
rm_conffile /etc/ssl/Makefile 2015:1101
......@@ -24,30 +24,30 @@ fi
shadowconfig on
#
# If there isn't an admin account add it.
# If there isn't a Sympl account, add it.
#
if ( ! grep ^admin: /etc/passwd 2>/dev/null >/dev/null ); then
if ( ! grep ^sympl: /etc/passwd 2>/dev/null >/dev/null ); then
echo "Adding 'admin' account"
adduser --home=/srv --shell=/bin/bash --no-create-home --disabled-login --gecos='Sympl Administrator,,,' admin
echo "Adding 'sympl' account"
adduser --home=/home/sympl --shell=/bin/bash --disabled-login --gecos='Sympl Administrator,,,' sympl
#
# Now set the password for admin to that used by root if it isn't there
# Now set the password for Sympl to that used by root.
#
usermod -p "$(grep root /etc/shadow | cut -f 2 -d :)" admin
usermod -p "$(grep root /etc/shadow | cut -f 2 -d :)" sympl
#
# If we have an adm group - which we should - add the admin user to it.
# If we have an adm group - which we should - add the Sympl user to it.
#
if ( getent group adm >/dev/null ); then
adduser admin adm
adduser sympl adm
fi
#
# Ensure the admin user is added to the www-data group too
# Ensure the Sympl user is added to the www-data group too
#
if ( getent group www-data >/dev/null ); then
adduser admin www-data
adduser sympl www-data
fi
fi
......@@ -56,7 +56,7 @@ fi
# Add a stat override for the /srv directory.
#
if ( ! dpkg-statoverride --list /srv > /dev/null ) ; then
dpkg-statoverride --add --update admin admin 2755 /srv
dpkg-statoverride --add --update sympl sympl 2755 /srv
fi
#
......@@ -88,7 +88,8 @@ if [ ! -e "/srv/$HOSTNAME" ] ; then
mkdir -p /srv/$HOSTNAME/config
mkdir -p /srv/$HOSTNAME/mailboxes/root
chown -R admin:admin /srv/$HOSTNAME
chown -R sympl:sympl /srv/$HOSTNAME
chown -R www-data:www-data /srv/$HOSTNAME/public
fi
#
......@@ -143,6 +144,52 @@ if [ ! -e "/etc/ssl/ssl.key" ] &&
fi
# If sympl-filesystem-security is in the path, run it.
if [ "x$( which sympl-filesystem-security )" != "x" ]; then
sympl-filesystem-security
fi
if [ ! -f /home/sympl/.config/htop/htoprc ]; then
mkdir -p /home/sympl/.config/htop/
echo "hide_threads=0
hide_kernel_threads=1
hide_userland_threads=1
shadow_other_users=0
show_thread_names=1
show_program_path=1
highlight_base_name=1
highlight_megabytes=1
highlight_threads=1
tree_view=1
header_margin=0
detailed_cpu_time=1
cpu_count_from_zero=0
update_process_names=1
account_guest_in_cpu_meter=1" > /home/sympl/.config/htop/htoprc
chown sympl:sympl -R /home/sympl/.config
fi
if [ ! -f /root/.config/htop/htoprc ]; then
mkdir -p /root/.config/htop/
echo "hide_threads=0
hide_kernel_threads=1
hide_userland_threads=1
shadow_other_users=0
show_thread_names=1
show_program_path=1
highlight_base_name=1
highlight_megabytes=1
highlight_threads=1
tree_view=1
header_margin=0
detailed_cpu_time=1
cpu_count_from_zero=0
update_process_names=1
account_guest_in_cpu_meter=1" > /root/.config/htop/htoprc
chown root:root /root/.config/htop/htoprc
fi
#DEBHELPER#
exit 0
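Review bot: `usermod -p "$(grep root /etc/shadow | cut -f 2 -d :)" sympl` copies the first shadow line that merely contains the substring `root`, not necessarily the root account's line, so if the root entry is not the first match another account's hash is handed to the new user; use `usermod -p "$(getent shadow root | cut -d : -f 2)" sympl`. In the `/srv/$HOSTNAME` hunk, `chown -R www-data:www-data /srv/$HOSTNAME/public` runs although nothing in the hunk creates `public` (only `config` and `mailboxes/root` are made); unless it is created above the hunk, `chown` fails and, under `set -e`, aborts the postinst, so add `mkdir -p /srv/$HOSTNAME/public` before it. The two identical htop blocks could be one shell function taking the home directory and owner, and `command -v` is the portable form of the `which` test. The enclosing conditionals of these hunks start before the first hunk.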
......@@ -20,10 +20,10 @@ fi
if [ "purge" = "$1" ] ; then
#
# Remove admin account and group
# Remove sympl account and group
#
if [ getent passwd admin >/dev/null 2>&1 ] ; then
deluser admin
if [ getent passwd sympl >/dev/null 2>&1 ] ; then
deluser sympl
fi
# We won't delete the SSL key/crt.
......@@ -36,6 +36,7 @@ if [ "purge" = "$1" ] ; then
chmod 0755 /srv
fi
# If theres a symlink from /etc/symbiosis to /etc/sympl, remove it
if [ "x$( readlink /etc/sympl )" == "x/etc/symbiosis" ]; then
rm /etc/symbiosis
fi
......
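Review bot: `if [ getent passwd sympl >/dev/null 2>&1 ] ; then` never runs `getent`: inside `[ … ]` the words are string operands, `test` with these three arguments is an error whose message the redirections discard, and the non-zero status makes the branch always false, so `deluser sympl` never executes on purge. Write it as `if getent passwd sympl >/dev/null 2>&1 ; then`. The `==` in `[ "x$( readlink /etc/sympl )" == "x/etc/symbiosis" ]` is a bash extension; if this script runs under `/bin/sh` (the shebang is outside the hunk) use a single `=`. Whether that line is new or context cannot be told from the +1 count alone.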
......@@ -16,15 +16,15 @@
%:
dh $@ --buildsystem=ruby --with ruby --with-systemd
override_dh_installinit:
# This service is called by sympl-skel.path, so no need to do
# anything other than install it.
dh_installinit --no-start --no-scripts --name sympl-skel
# GROSS HACK. dh_installinit doesn't seem to support systemd units
# other than service, so install it directly.
dh_install debian/sympl-skel.path lib/systemd/system/
dh_systemd_enable sympl-skel.path
dh_systemd_start sympl-skel.path
#override_dh_installinit:
# # This service is called by sympl-skel.path, so no need to do
# # anything other than install it.
# dh_installinit --no-start --no-scripts --name sympl-skel
# # GROSS HACK. dh_installinit doesn't seem to support systemd units
# # other than service, so install it directly.
# dh_install debian/sympl-skel.path lib/systemd/system/
# dh_systemd_enable sympl-skel.path
# dh_systemd_start sympl-skel.path
override_dh_auto_build-indep:
$(MAKE) docs
......
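Review bot: The `override_dh_installinit` block is kept as commented-out recipe lines rather than deleted; since this commit also removes `sympl-skel.service` and `sympl-skel.path`, the block can never be re-enabled as is, and dead recipe text misleads the next reader into thinking the units still exist. Delete the nine commented lines (git history keeps them) and, if a reminder is wanted, leave one line such as `# sympl-skel and its systemd units were removed in 9.0.190609.0`. Also confirm each commented line starts with `#` at column 0 rather than a tab: this view has lost indentation, and a tab-first line is passed to the shell as part of the preceding `%:` recipe, since comment lines do not end a recipe.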
[Unit]
Description=Service for sympl-skel. Activated by sympl-skel.path
[Service]
ExecStart=/usr/bin/sympl-skel
[Unit]
Description=Watcher for sympl-skel automated domain population
[Path]
PathExistsGlob=/srv/*
[Install]
WantedBy=multi-user.target
......@@ -139,15 +139,15 @@ module Symbiosis
@gid = directory_stat.gid
else
#
# If this is a system proces, use the prefix owner, if poss, admin
# If this is a system proces, use the prefix owner, if poss, sympl
# otherwise.
#
if Process.uid < 1000
prefix_stat = File.stat(@prefix)
if prefix_stat.uid < 1000
@uid = Etc.getpwnam("admin").uid
@gid = Etc.getpwnam("admin").gid
@uid = Etc.getpwnam("sympl").uid
@gid = Etc.getpwnam("sympl").gid
else
@uid = prefix_stat.uid
@gid = prefix_stat.gid
......
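Review bot: `Etc.getpwnam("sympl")` raises `ArgumentError` when no such account exists, so on a host upgraded from a package that only ever created `admin` (no migration is visible in this diff) every call through this branch now fails with a bare lookup error; the enclosing method starts and ends outside the hunk. Consider rescuing and re-raising with the intent spelled out, e.g. `rescue ArgumentError then raise ArgumentError, "sympl user not found; sympl-common postinst should have created it"`, or falling back to the prefix owner as the `else` branch below does. The updated comment also carries a typo and an abbreviation: `# If this is a system process, use the prefix owner if possible, sympl otherwise.`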