Commit da156678 authored by Paul Cammish's avatar Paul Cammish

Ported changes from strtech-testing !49

parent 99a84513
sympl-core (10.0.190624.0) stable; urgency=medium
* Adjusted MOTD Banner
* Updated sympl-filesystem-security with tweaks to paths/logic
-- Paul Cammish <sympl@kelduum.net> Mon, 24 Jun 2019 10:27:00 +0100
sympl-core (10.0.190621.0) stable; urgency=medium
* Created Sympl v10.0 (Debian Buster)
......
......@@ -3,6 +3,7 @@
# directories used by Sympl.
#
# Copyright 2019, Paul Cammish <sympl@kelduum.net>
# Licensed under GPL3+
set -e
......@@ -51,22 +52,35 @@ function secure_domain_dir()
# Add sympl use to the public group if it's >= 1000 and not already in it
if [ "$public_gid" -ge "1000" ] && [ "$(id -Gn sympl | tr ' ' '\n' | grep -c "^$( id -gn $public_gid )$" )" == "0" ]; then
# sympl is not in the $public_gid group, adding
usermod -a -G $public_gid sympl
fi
# Enforce permissions for /srv/example.org/public
# Enforce permissions for /srv/example.org/public, /php_sessions, /php_tmp
find "${domain}/public" \( -type f -o -type d \) \( ! -uid ${public_uid} -o ! -gid ${public_gid} \) -exec chown ${public_uid}:${public_gid} {} \;
find "${domain}/public" \( -type f ! -perm 664 -exec chmod 664 {} \; -o -type d ! -perm 2775 -exec chmod 2775 {} \; \)
if [ -d "${domain}/php_sessions" ]; then
find "${domain}/public" ! -type l \( -type f ! -perm 664 -exec chmod 664 {} \; -o -type d -perm 2775 -exec chmod 2775 {} \; \)
find "${domain}/php_sessions" \( -type f -o -type d \) \( ! -uid ${public_uid} -o ! -gid ${public_gid} \) -exec chown ${public_uid}:${public_gid} {} \;
find "${domain}/php_sessions" \( -type f ! -perm 664 -exec chmod 664 {} \; -o -type d ! -perm 2775 -exec chmod 2775 {} \; \)
fi
if [ -d "${domain}/php_tmp" ]; then
find "${domain}/php_tmp" \( -type f -o -type d \) \( ! -uid ${public_uid} -o ! -gid ${public_gid} \) -exec chown ${public_uid}:${public_gid} {} \;
find "${domain}/php_tmp" \( -type f ! -perm 664 -exec chmod 664 {} \; -o -type d ! -perm 2775 -exec chmod 2775 {} \; \)
# Lock down the public/htdocs/logs directory, if it exists and contains webalizer html
fi
# Lock down the public/htdocs/stats directory, if it exists and contains webalizer html
# By default this is left unprotected, and includes IP addresses which are classified
# under GDPR as personally identifiable
......@@ -80,16 +94,16 @@ AuthType Basic
AuthName \"Access Restricted\"
AuthUserFile ${domain}/config/stats-htaccess
Require valid-user" > "${domain}/public/htdocs/stats/.htaccess"
fi
fi
fi
fi
# Enforce permissions for /srv/example.com/config - exim requires directory traversal (+x) as steps thorugh to the target.
# Enforce permissions for /srv/example.com/config - exim requires directory traversal (+x) as steps through to the target.
if [ -d ${domain}/config ]; then
find "${domain}/config" \( -type f -o -type d \) \( ! -user sympl -o ! -group sympl \) ! -path '*ssl/sets*' -exec chown sympl:sympl {} \;
find "${domain}/config" \( -type f -o -type d \) \( ! -user sympl -o ! -group sympl \) ! -name 'dkim.key' ! -path '*ssl/sets*' -exec chown sympl:sympl {} \;
if [ -d "${domain}/config/ssl/sets" ]; then
find "${domain}/config/ssl/sets" \( ! -user sympl -o ! -group ssl-cert \) -exec chown sympl:ssl-cert {} \;
......@@ -97,10 +111,16 @@ Require valid-user" > "${domain}/public/htdocs/stats/.htaccess"
find "${domain}/config" \( -type f -a ! -perm 660 -exec chmod 660 {} \; \) -o \( -type d -a ! -perm 2771 -exec chmod 2771 {} \; \)
# The group doesn't exist if exim/sympl-mail is not installed.
if [ $( grep -c '^Debian-exim:' /etc/group ) == 1 ]; then
find "${domain}/config" -maxdepth 1 -type f -name 'dkim.key' \( ! -group Debian-exim -o ! -user sympl \) -exec chown sympl:Debian-exim {} \;
find "${domain}/config" -maxdepth 1 -type f -name 'dkim.key' ! -perm 640 -exec chmod 640 {} \;
fi
fi
# Enforce permissions for mailboxes directory
if [ -d ${domain}/mailboxes ]; then
if [ -d ${domain}/mailboxes ]; then
find "${domain}/mailboxes" \( -type f -o -type d \) \( ! -user sympl -o ! -group sympl \) -exec chown sympl:sympl {} \;
......
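Review bot: The rewritten chmod pass for `${domain}/public` (the line carrying the new `! -type l`, which I take to be the new side) drops the negation on the directory test: `-type d -perm 2775 -exec chmod 2775` now only touches directories that are already 2775 and leaves wrongly-permissioned ones alone, while the php_sessions and php_tmp lines in the same hunk keep `! -perm 2775`. The line should read `find "${domain}/public" ! -type l \( -type f ! -perm 664 -exec chmod 664 {} \; -o -type d ! -perm 2775 -exec chmod 2775 {} \; \)`. Since `find` without `-L` tests the link itself, `-type f`/`-type d` never match a symlink, so the added `! -type l` is harmless but redundant. In the `@@ -97,10 +111,16 @@` hunk the general `chmod 660` pass over `${domain}/config` still runs on `dkim.key` before the new `chmod 640`, so the key is briefly group-writable on every run; adding `! -name 'dkim.key'` there, matching the chown line above it, avoids the flip. secure_domain_dir() begins and ends outside these hunks.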
#!/bin/sh
echo -e "\033[1m"
echo "\033[1m"
cat <<EOF
┌─────┐ v10.0
└─┐ │
└─┐ │ beta
┌─────────┐ ┌───┐ ┌───┐ ┌─────────────┐ ┌───────────┐ │ │
┌─┘ ┌───────┘ │ │ │ │ │ ┌─┐ ┌─┐ └─┐ │ ┌─────┐ └─┐ │ │
│ └─┐ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │ │
......@@ -15,4 +15,4 @@ cat <<EOF
┌───────┘ ┌─┘ │ │
└─────────┘ └───┘ https://sympl.host
EOF
echo -e "\033[0m"
echo "\033[0m"
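Review bot: Dropping `-e` makes the escape sequences depend on which shell provides `/bin/sh`: dash's `echo` interprets `\033` by default, but bash's does not, so on a system where `/bin/sh` is bash the banner now prints a literal `\033[0m`. `printf` behaves the same everywhere, so `printf '\033[0m\n'` here, and `printf '\033[1m'` for the opening line in the first hunk, would be the portable form.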
sympl-ftp (10.0.190624.0) stable; urgency=medium
* Adjusted configuration to allow www-data
-- Paul Cammish <sympl@kelduum.net> Mon, 24 Jun 2019 10:26:00 +0100
sympl-ftp (10.0.190621.0) stable; urgency=medium
* Created Sympl v10.0 (Debian Buster)
......
......@@ -50,6 +50,12 @@ if [ ! -e /etc/ssl/private/pure-ftpd.pem ]; then
ln -s /etc/ssl/ssl.combined /etc/ssl/private/pure-ftpd.pem
fi
#
# Adjust config to allow UIDs lower than 1000
#
echo '33' > /etc/pure-ftpd/conf/MinUID
if [ -e /etc/ssl/private/pure-ftpd.pem ] ; then
#
# TLS should be enforced if we did the linking.
......
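Review bot: Writing `33` to `/etc/pure-ftpd/conf/MinUID` lowers the UID floor for every account from 33 upward, not only www-data, and it is done unconditionally, so any local adjustment of that file is overwritten each time the postinst runs. The comment should say why: `# Allow www-data (UID 33) to log in; note this also stops the UID check refusing other system accounts >= 33`, since whether such accounts can actually authenticate then depends on the authentication backend configured for pure-ftpd, which is not visible here. Hard-coding 33 also assumes the www-data UID; `printf '%s\n' "$(id -u www-data)" > /etc/pure-ftpd/conf/MinUID` would use the actual value. The enclosing block continues past the end of the hunk.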
......@@ -67,6 +67,7 @@
<LocationMatch "^/+$">
Options -Indexes
ErrorDocument 403 /__sympl/index.html
ErrorDocument 404 /__sympl/index.html
</LocationMatch>
#
......
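Review bot: The added `ErrorDocument 404` sits inside `<LocationMatch "^/+$">`, so it applies only to requests for the bare site root; a 404 for any other path still gets Apache's default error page. If a site-wide branded 404 is intended, the directive belongs outside the LocationMatch next to the other site-level settings; if it is deliberately limited to `/`, a short comment such as `# 403/404 on the bare root only (e.g. no index file present)` would stop it being "fixed" later. The same change is made in the `@@ -36,6 +36,7 @@` hunk of the second template.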
......@@ -36,6 +36,7 @@
<LocationMatch "^/+$">
Options -Indexes
ErrorDocument 403 /__sympl/index.html
ErrorDocument 404 /__sympl/index.html
</LocationMatch>
#
......
sympl-web (10.0.190624.0) stable; urgency=medium
* Adjusted template slightly.
-- Paul Cammish <sympl@kelduum.net> Mon, 24 Jun 2019 10:27:00 +0100
sympl-web (10.0.190621.2) stable; urgency=medium
* Updated dependencies/build-dependencies
......