Merge branch 'issue290a_stretch' into 'stretch-testing'

Fixes issue 290 See merge request !194

Merge branch 'issue290a_stretch' into 'stretch-testing'
Fixes issue 290 See merge request !194
00ff6a1a · Paul Cammish · 0b4bf38f · 6a6f5ad7 · 00ff6a1a · 00ff6a1a
Commit 00ff6a1a authored Apr 27, 2020 by Paul Cammish
--- a/CHANGELOG
+++ b/CHANGELOG
 CHANGELOG
 ---------

+2020-04-27
+  sympl-core
+    * Further fixes to prevent sympl-filesystem-security from changing permissions where it shouldn't. (#280) 
+
 2020-04-22
  sympl-web
    * Switch to individual packages for sympl-web (#292)

--- a/core/debian/changelog
+++ b/core/debian/changelog
+sympl-core (9.0.200427.0) stable; urgency=medium
+
+  * Further fixes to prevent sympl-filesystem-security from changing permissions where it shouldn't. (#290)
+
+ -- Paul Cammish <sympl@kelduum.net>  Mon, 27 Apr 2020 13:47:07 +0100
+
 sympl-core (9.0.200420.0) stable; urgency=medium

  * Prevent sympl-filesystem-security from changing permissions of /etc/firewall/local.d/ contents.

--- a/core/sbin/sympl-filesystem-security
+++ b/core/sbin/sympl-filesystem-security
@@ -140,9 +140,29 @@ fi

 if [ -d /etc/sympl ]; then

-  find "/etc/sympl" ! -type l ! -path '*/test.d/*' ! -path '*/firewall/local.d/*' \( ! -user sympl -o ! -group sympl \) $VERBOSE -exec echo chown sympl:sympl {} \;
-
-  find "/etc/sympl" ! -type l ! -path '*/test.d/*' ! -path '*/firewall/local.d/*' \( -type f ! -perm 664 $VERBOSE -exec chmod 664 {} \; -o -type d ! -perm 775 $VERBOSE -exec chmod 775 {} \; \)
+  # Make (almost) everything owned by sympl:sympl
+  find "/etc/sympl" ! -type l \
+    ! -path '*/test.d/*' \
+    ! -path '*/firewall/local.d/*' \
+    \( ! -user sympl -o ! -group sympl \) \
+    $VERBOSE -exec echo chown sympl:sympl {} \;
+
+  # Make (almost) everything read-only for others
+  find "/etc/sympl" ! -type l \
+    ! -path '*/test.d/*' \
+    ! -path '*/firewall/local.d/*' \
+    ! -path '*/backup.d/post-backup.d/*' \
+    ! -path '*/backup.d/pre-backup.d/*' \
+    \( -type f ! -perm 664 $VERBOSE -exec chmod 664 {} \; \
+    -o -type d ! -perm 775 $VERBOSE -exec chmod 775 {} \; \)
+
+  if [ -d /etc/sympl/backup.d/post-backup.d ] || [ -d /etc/sympl/backup.d/pre-backup.d ]; then
+    # Make sure theres at least something executable in the backup pre/post scripts
+    if [ $(find "/etc/sympl/backup.d/" -type f \( -path '*/backup.d/post-backup.d/*' -o -path '*/backup.d/pre-backup.d/*' \) -name '*-*' -executable | wc -l) == 0 ]; then
+      chmod +x /etc/sympl/backup.d/post-backup.d/* 2&> /dev/null || true
+      chmod +x /etc/sympl/backup.d/pre-backup.d/*  2&> /dev/null || true
+    fi
+  fi

 fi