Ported changes from strtech-testing !49

da156678 · Paul Cammish · 99a84513 · da156678 · da156678 · da156678
Commit da156678 authored Jun 24, 2019 by Paul Cammish
--- a/core/debian/changelog
+++ b/core/debian/changelog
+sympl-core (10.0.190624.0) stable; urgency=medium
+
+  * Adjusted MOTD Banner
+  * Updated sympl-filesystem-security with tweaks to paths/logic
+
+ -- Paul Cammish <sympl@kelduum.net>  Mon, 24 Jun 2019 10:27:00 +0100
+
 sympl-core (10.0.190621.0) stable; urgency=medium

  * Created Sympl v10.0 (Debian Buster)

--- a/core/sbin/sympl-filesystem-security
+++ b/core/sbin/sympl-filesystem-security
@@ -3,6 +3,7 @@
 # directories used by Sympl.
 #
 # Copyright 2019, Paul Cammish <sympl@kelduum.net>
+# Licensed under GPL3+


 set -e
@@ -51,22 +52,35 @@ function secure_domain_dir()


    # Add sympl use to the public group if it's >= 1000 and not already in it
- 
+
    if [ "$public_gid" -ge "1000" ] && [ "$(id -Gn sympl | tr ' ' '\n' | grep -c "^$( id -gn $public_gid )$" )" == "0" ]; then
      # sympl is not in the $public_gid group, adding
      usermod -a -G $public_gid sympl
    fi


-    # Enforce permissions for /srv/example.org/public
+    # Enforce permissions for /srv/example.org/public, /php_sessions, /php_tmp

    find "${domain}/public" \( -type f -o -type d \) \( ! -uid ${public_uid} -o ! -gid ${public_gid} \) -exec chown ${public_uid}:${public_gid} {} \;
+    find "${domain}/public" \( -type f ! -perm 664 -exec chmod 664 {} \; -o -type d ! -perm 2775 -exec chmod 2775 {} \; \)
+
+
+    if [ -d "${domain}/php_sessions" ]; then

-    find "${domain}/public" ! -type l \( -type f ! -perm 664 -exec chmod 664 {} \; -o -type d -perm 2775 -exec chmod 2775 {} \; \)
+      find "${domain}/php_sessions" \( -type f -o -type d \) \( ! -uid ${public_uid} -o ! -gid ${public_gid} \) -exec chown ${public_uid}:${public_gid} {} \;
+      find "${domain}/php_sessions" \( -type f ! -perm 664 -exec chmod 664 {} \; -o -type d ! -perm 2775 -exec chmod 2775 {} \; \)

+    fi
+
+    if [ -d "${domain}/php_tmp" ]; then

+      find "${domain}/php_tmp" \( -type f -o -type d \) \( ! -uid ${public_uid} -o ! -gid ${public_gid} \) -exec chown ${public_uid}:${public_gid} {} \;
+      find "${domain}/php_tmp" \( -type f ! -perm 664 -exec chmod 664 {} \; -o -type d ! -perm 2775 -exec chmod 2775 {} \; \)

-    # Lock down the public/htdocs/logs directory, if it exists and contains webalizer html
+    fi
+
+
+    # Lock down the public/htdocs/stats directory, if it exists and contains webalizer html
    # By default this is left unprotected, and includes IP addresses which are classified
    #   under GDPR as personally identifiable

@@ -80,16 +94,16 @@ AuthType Basic
 AuthName \"Access Restricted\"
 AuthUserFile ${domain}/config/stats-htaccess
 Require valid-user" > "${domain}/public/htdocs/stats/.htaccess"
-      fi 
+      fi
    fi

  fi

-  # Enforce permissions for /srv/example.com/config - exim requires directory traversal (+x) as steps thorugh to the target.
+  # Enforce permissions for /srv/example.com/config - exim requires directory traversal (+x) as steps through to the target.

  if [ -d ${domain}/config ]; then

-    find "${domain}/config" \( -type f -o -type d \) \( ! -user sympl -o ! -group sympl \) ! -path '*ssl/sets*' -exec chown sympl:sympl {} \;
+    find "${domain}/config" \( -type f -o -type d \) \( ! -user sympl -o ! -group sympl \) ! -name 'dkim.key' ! -path '*ssl/sets*' -exec chown sympl:sympl {} \;

    if [ -d "${domain}/config/ssl/sets" ]; then
      find "${domain}/config/ssl/sets" \( ! -user sympl -o ! -group ssl-cert \) -exec chown sympl:ssl-cert {} \;
@@ -97,10 +111,16 @@ Require valid-user" > "${domain}/public/htdocs/stats/.htaccess"

    find "${domain}/config" \( -type f -a ! -perm 660 -exec chmod 660 {} \; \) -o \( -type d -a ! -perm 2771 -exec chmod 2771 {} \; \)

+    # The group doesn't exist if exim/sympl-mail is not installed.
+    if [ $( grep -c '^Debian-exim:' /etc/group ) == 1 ]; then
+      find "${domain}/config" -maxdepth 1 -type f -name 'dkim.key' \( ! -group Debian-exim -o ! -user sympl \) -exec chown sympl:Debian-exim {} \;
+      find "${domain}/config" -maxdepth 1 -type f -name 'dkim.key' ! -perm 640 -exec chmod 640 {} \;
+    fi
+
  fi

  # Enforce permissions for mailboxes directory
-  if [ -d ${domain}/mailboxes ]; then 
+  if [ -d ${domain}/mailboxes ]; then

    find "${domain}/mailboxes" \( -type f -o -type d \) \( ! -user sympl -o ! -group sympl \) -exec chown sympl:sympl {} \;


--- a/core/update-motd.d/00-sympl-banner
+++ b/core/update-motd.d/00-sympl-banner
 #!/bin/sh

-echo -e "\033[1m"
+echo "\033[1m"
 cat <<EOF
                                                                  ┌─────┐ v10.0
-                                                                  └─┐   │
+                                                                  └─┐   │  beta
    ┌─────────┐ ┌───┐     ┌───┐ ┌─────────────┐   ┌───────────┐     │   │
  ┌─┘ ┌───────┘ │   │     │   │ │   ┌─┐   ┌─┐ └─┐ │   ┌─────┐ └─┐   │   │
  │   └─┐       │   │     │   │ │   │ │   │ │   │ │   │     │   │   │   │
@@ -15,4 +15,4 @@ cat <<EOF
                  ┌───────┘ ┌─┘                   │   │
                  └─────────┘                     └───┘   https://sympl.host
 EOF
-echo -e "\033[0m"
+echo "\033[0m"
--- a/ftp/debian/changelog
+++ b/ftp/debian/changelog
+sympl-ftp (10.0.190624.0) stable; urgency=medium
+
+  * Adjusted configuration to allow www-data
+
+ -- Paul Cammish <sympl@kelduum.net>  Mon, 24 Jun 2019 10:26:00 +0100
+
 sympl-ftp (10.0.190621.0) stable; urgency=medium

  * Created Sympl v10.0 (Debian Buster)

--- a/ftp/debian/postinst
+++ b/ftp/debian/postinst
@@ -50,6 +50,12 @@ if [ ! -e /etc/ssl/private/pure-ftpd.pem ]; then
    ln -s /etc/ssl/ssl.combined /etc/ssl/private/pure-ftpd.pem
 fi

+#
+# Adjust config to allow UIDs lower than 1000
+#
+echo '33' > /etc/pure-ftpd/conf/MinUID
+
+
 if [ -e /etc/ssl/private/pure-ftpd.pem ] ; then
  #
  #  TLS should be enforced if we did the linking.

--- a/web/apache.d/zz-mass-hosting.ssl.template.erb
+++ b/web/apache.d/zz-mass-hosting.ssl.template.erb
@@ -67,6 +67,7 @@
  <LocationMatch "^/+$">
    Options -Indexes
    ErrorDocument 403 /__sympl/index.html
+    ErrorDocument 404 /__sympl/index.html
  </LocationMatch>

  #

--- a/web/apache.d/zz-mass-hosting.template.erb
+++ b/web/apache.d/zz-mass-hosting.template.erb
@@ -36,6 +36,7 @@
  <LocationMatch "^/+$">
    Options -Indexes
    ErrorDocument 403 /__sympl/index.html
+    ErrorDocument 404 /__sympl/index.html
  </LocationMatch>

  #

--- a/web/debian/changelog
+++ b/web/debian/changelog
+sympl-web (10.0.190624.0) stable; urgency=medium
+
+  * Adjusted template slightly.
+
+ -- Paul Cammish <sympl@kelduum.net>  Mon, 24 Jun 2019 10:27:00 +0100
+
 sympl-web (10.0.190621.2) stable; urgency=medium

  * Updated dependencies/build-dependencies