Commit 61031dda authored by Paul Cammish's avatar Paul Cammish

Merge branch 'buster-testing' into 'buster'

push buster-testing -> buster

Closes #281, #280, and #279

See merge request !176
parents f83007ab 3d7cd5fd
Pipeline #858 passed with stages
in 25 minutes and 24 seconds
CHANGELOG
---------
2020-04-18
sympl-mail
* Fixed sympl-mail-dovecot-sni issue with filesystem loops (#281)
2020-04-15
sympl-core
* Added --verbose switch to sympl-filesystem-security
* Fixed issue #280 with sympl-filesystem-security
2020-03-26
sympl-monit
* Don't use sudo when writing cursor. Fixes issue #279.
......
sympl-core (10.0.200415.0) stable; urgency=medium
* Added --verbose switch to sympl-filesystem-security
* Fixed issue #280 with sympl-filesystem-security
-- Paul Cammish <sympl@kelduum.net> Wed, 15 Apr 2020 15:18:05 +0100
sympl-core (10.0.191231.0) stable; urgency=medium
* Fixed inconsistency with disable-filesystem-security switches.
......
......@@ -2,7 +2,7 @@
# Fairly simple bash script to enforce filesystem permissions for sensitive
# directories used by Sympl.
#
# Copyright 2019, Paul Cammish <sympl@kelduum.net>
# Copyright 2019-2020, Paul Cammish <sympl@kelduum.net>
# Licensed under GPL3+
......@@ -10,6 +10,12 @@ set -e
if [ -f /etc/sympl/do-not-secure ] || [ -f /etc/sympl/disable-filesystem-security ] ; then exit 0; fi
if [ "x$1" == "x--verbose" ]; then
VERBOSE='-ls'
else
VERBOSE=''
fi
function secure_domain_dir()
{
......@@ -61,21 +67,21 @@ function secure_domain_dir()
# Enforce permissions for /srv/example.org/public, /php_sessions, /php_tmp
find "${domain}/public" \( -type f -o -type d \) \( ! -uid ${public_uid} -o ! -gid ${public_gid} \) -exec chown ${public_uid}:${public_gid} {} \;
find "${domain}/public" \( -type f ! -perm 664 -exec chmod 664 {} \; -o -type d ! -perm 2775 -exec chmod 2775 {} \; \)
find "${domain}/public" \( -type f -o -type d \) \( ! -uid ${public_uid} -o ! -gid ${public_gid} \) $VERBOSE -exec chown ${public_uid}:${public_gid} {} \;
find "${domain}/public" \( -type f ! -perm 664 $VERBOSE -exec chmod 664 {} \; -o -type d ! -perm 2775 $VERBOSE -exec chmod 2775 {} \; \)
if [ -d "${domain}/php_sessions" ]; then
find "${domain}/php_sessions" \( -type f -o -type d \) \( ! -uid ${public_uid} -o ! -gid ${public_gid} \) -exec chown ${public_uid}:${public_gid} {} \;
find "${domain}/php_sessions" \( -type f ! -perm 664 -exec chmod 664 {} \; -o -type d ! -perm 2775 -exec chmod 2775 {} \; \)
find "${domain}/php_sessions" \( -type f -o -type d \) \( ! -uid ${public_uid} -o ! -gid ${public_gid} \) $VERBOSE -exec chown ${public_uid}:${public_gid} {} \;
find "${domain}/php_sessions" \( -type f ! -perm 664 $VERBOSE -exec chmod 664 {} \; -o -type d ! -perm 2775 $VERBOSE -exec chmod 2775 {} \; \)
fi
if [ -d "${domain}/php_tmp" ]; then
find "${domain}/php_tmp" \( -type f -o -type d \) \( ! -uid ${public_uid} -o ! -gid ${public_gid} \) -exec chown ${public_uid}:${public_gid} {} \;
find "${domain}/php_tmp" \( -type f ! -perm 664 -exec chmod 664 {} \; -o -type d ! -perm 2775 -exec chmod 2775 {} \; \)
find "${domain}/php_tmp" \( -type f -o -type d \) \( ! -uid ${public_uid} -o ! -gid ${public_gid} \) $VERBOSE -exec chown ${public_uid}:${public_gid} {} \;
find "${domain}/php_tmp" \( -type f ! -perm 664 $VERBOSE -exec chmod 664 {} \; -o -type d ! -perm 2775 $VERBOSE -exec chmod 2775 {} \; \)
fi
......@@ -103,13 +109,18 @@ Require valid-user" > "${domain}/public/htdocs/stats/.htaccess"
if [ -d ${domain}/config ]; then
find "${domain}/config" \( -type f -o -type d \) \( ! -user sympl -o ! -group sympl \) ! -path '*ssl/sets*' -exec chown sympl:sympl {} \;
find "${domain}/config" ! -name 'stats-htaccess' \( -type f -o -type d \) \( ! -user sympl -o ! -group sympl \) ! -path '*ssl/sets*' $VERBOSE -exec chown sympl:sympl {} \;
if [ -d "${domain}/config/ssl/sets" ]; then
find "${domain}/config/ssl/sets" \( ! -user sympl -o ! -group ssl-cert \) -exec chown sympl:ssl-cert {} \;
find "${domain}/config/ssl/sets" \( ! -user sympl -o ! -group ssl-cert \) $VERBOSE -exec chown sympl:ssl-cert {} \;
fi
find "${domain}/config" \( -type f -a ! -perm 660 -exec chmod 660 {} \; \) -o \( -type d -a ! -perm 2771 -exec chmod 2771 {} \; \)
find "${domain}/config" \( -type f ! -perm 660 $VERBOSE -exec chmod 660 {} \; \) -o \( -type d ! -perm 2771 $VERBOSE -exec chmod 2771 {} \; \)
if [ -f "${domain}/config/stats-htaccess" ]; then
find "${domain}/config/stats-htaccess" \( ! -user sympl -o ! -group www-data \) $VERBOSE -exec chown sympl:www-data {} \;
find "${domain}/config/stats-htaccess" ! -perm 660 $VERBOSE -exec echo chmod 660 {} \;
fi
fi
......@@ -119,9 +130,9 @@ Require valid-user" > "${domain}/public/htdocs/stats/.htaccess"
if [ -d /var/backups ]; then
find "/var/backups" ! -type l \( ! -user sympl -o ! -group sympl \) -exec chown sympl:sympl {} \;
find "/var/backups" ! -type l \( ! -user sympl -o ! -group sympl \) $VERBOSE -exec chown sympl:sympl {} \;
find "/var/backups" ! -type l ! -perm o-rwx \( -type f -exec chmod 660 {} \; -o -type d -exec chmod 770 {} \; \)
find "/var/backups" ! -type l \( -type f ! -perm 660 $VERBOSE -exec chmod 660 {} \; -o -type d ! -perm 770 $VERBOSE -exec chmod 770 {} \; \)
fi
......@@ -129,9 +140,9 @@ fi
if [ -d /etc/sympl ]; then
find "/etc/sympl" ! -type l ! -path '*/test.d/*' \( ! -user sympl -o ! -group sympl \) -exec chown sympl:sympl {} \;
find "/etc/sympl" ! -type l ! -path '*/test.d/*' \( ! -user sympl -o ! -group sympl \) $VERBOSE -exec echo chown sympl:sympl {} \;
find "/etc/sympl" ! -type l ! -path '*/test.d/*' ! -perm o-w \( -type f -exec chmod o-w {} \; -o -type d -exec chmod 775 {} \; \)
find "/etc/sympl" ! -type l ! -path '*/test.d/*' \( -type f ! -perm 664 $VERBOSE -exec chmod 664 {} \; -o -type d ! -perm 775 $VERBOSE -exec chmod 775 {} \; \)
fi
......
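Review bot: Two of the new enforcement lines only print the command instead of running it — `find "${domain}/config/stats-htaccess" ! -perm 660 $VERBOSE -exec echo chmod 660 {} \;` in the stats-htaccess hunk and `find "/etc/sympl" … $VERBOSE -exec echo chown sympl:sympl {} \;` in the /etc/sympl hunk — so the stats-htaccess mode and /etc/sympl ownership are never actually corrected, and a `chmod`/`chown` line is printed on every run regardless of `--verbose`; the `echo` looks like leftover debugging. Dropping it gives `find "${domain}/config/stats-htaccess" ! -perm 660 $VERBOSE -exec chmod 660 {} \;` and `find "/etc/sympl" ! -type l ! -path '*/test.d/*' \( ! -user sympl -o ! -group sympl \) $VERBOSE -exec chown sympl:sympl {} \;`. Separately, the /etc/sympl file rule now forces files to exactly 664 where the previous rule only stripped `o-w`, which widens any file that was deliberately 600 or 640; that may be intended, but it is worth confirming nothing sensitive lives under /etc/sympl outside test.d before relying on it. secure_domain_dir begins before the public/php_sessions hunk and the /etc/sympl block continues past the last hunk.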
sympl-mail (10.0.200418.0) stable; urgency=medium
* Fixed sympl-mail-dovecot-sni issue with filesystem loops (#281)
-- Paul Cammish <sympl@kelduum.net> Sat, 18 Apr 2019 10:59:18 +0100
sympl-mail (10.0.191227.0) stable; urgency=medium
* Improves default PCI Compliance by disabling TLS1.0
......
......@@ -2,8 +2,8 @@
set -e
if [ "$( find -L /srv -mindepth 5 -maxdepth 5 -name 'ssl.crt' -path '*/config/ssl/current/*' -print | wc -l )" == "0" ]; then
# No certs avaialable, so check if /etc/dovecot/sympl.d/10-main/60-sni exists
if [ $( find -L /srv/*/config/ssl/current/ -maxdepth 1 -mindepth 1 -name 'ssl.crt' -print | wc -l ) -eq 0 ]; then
# No certs available, so check if /etc/dovecot/sympl.d/10-main/60-sni exists
if [ -f /etc/dovecot/sympl.d/10-main/60-sni ]; then
# it exists, so remove it
rm /etc/dovecot/sympl.d/10-main/60-sni
......@@ -21,7 +21,7 @@ if [ "$( find -L /srv -mindepth 5 -maxdepth 5 -name 'ssl.crt' -path '*/config/ss
fi
fi
for certificate in $( find -L /srv -mindepth 5 -maxdepth 5 -name 'ssl.crt' -path '*/config/ssl/current/*' -print ); do
for certificate in $( find -L /srv/*/config/ssl/current/ -maxdepth 1 -mindepth 1 -name 'ssl.crt' -print); do
certpath="$( echo $certificate | sed 's|/config/ssl/current/.*$|/config/ssl/current|' )"
# Ensure there is a matching key file, and the path doesnt include an underscore
if [ -f "${certpath}/ssl.key" ] && [ -f "${certpath}/ssl.combined" ] && [ "$certpath" != "*_*" ] ; then
......@@ -67,4 +67,4 @@ fi
if [ -f /dev/shm/sympl-mail-dovecot-sni.data ]; then rm /dev/shm/sympl-mail-dovecot-sni.data; fi
exit 0
\ No newline at end of file
exit 0
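Review bot: The rewritten loop header `for certificate in $( find -L /srv/*/config/ssl/current/ -maxdepth 1 -mindepth 1 -name 'ssl.crt' -print); do` still word-splits and re-globs the unquoted output, so a domain path containing whitespace or glob characters is iterated as fragments and the `certpath` derived on the next line comes from the wrong string; a `while IFS= read -r certificate; do … done < <(find … -print)` loop (or `-print0` with `read -r -d ''`) keeps each path intact, and since the loop body and its closing `done` are outside the hunk they would need the matching change. In the same hunk, the context line `[ "$certpath" != "*_*" ]` compares against the literal three-character string rather than a pattern, so the underscore exclusion the comment above it describes never fires; `[[ "$certpath" != *_* ]]` (or a `case` arm if the script must stay POSIX sh) does what the comment says, though the shebang is not in view so confirm it runs under bash. The unquoted `/srv/*/config/ssl/current/` glob also passes the literal pattern to find when no domain has that directory, which in the first hunk's `| wc -l` test still evaluates to 0 but emits a find error on stderr on every run.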