Merge branch 'issue280_buster' into 'buster-testing'

Fixes #280, Adds --verbose switch.

See merge request sympl/sympl!174

CHANGELOG

 CHANGELOG
 ---------
 
+2020-04-15
+  sympl-core
+    * Added --verbose switch to sympl-filesystem-security
+    * Fixed issue #280 with sympl-filesystem-security
+
 2020-03-26
   sympl-monit
     * Don't use sudo when writing cursor. Fixes issue #279.

core/debian/changelog

+sympl-core (10.0.200415.0) stable; urgency=medium
+
+  * Added --verbose switch to sympl-filesystem-security
+  * Fixed issue #280 with sympl-filesystem-security
+  
+ -- Paul Cammish <sympl@kelduum.net>  Wed, 15 Apr 2020 15:18:05 +0100
+ 
 sympl-core (10.0.191231.0) stable; urgency=medium
 
   * Fixed inconsistency with disable-filesystem-security switches.

core/sbin/sympl-filesystem-security

@@ -2,7 +2,7 @@
 # Fairly simple bash script to enforce filesystem permissions for sensitive
 # directories used by Sympl.
 #
-# Copyright 2019, Paul Cammish <sympl@kelduum.net>
+# Copyright 2019-2020, Paul Cammish <sympl@kelduum.net>
 # Licensed under GPL3+
 
 
@@ -10,6 +10,12 @@ set -e
 
 if [ -f /etc/sympl/do-not-secure ] || [ -f /etc/sympl/disable-filesystem-security ] ; then exit 0; fi
 
+if [ "x$1" == "x--verbose" ]; then
+  VERBOSE='-ls'
+else
+  VERBOSE=''
+fi
+
 function secure_domain_dir()
 {
 
@@ -61,21 +67,21 @@ function secure_domain_dir()
 
     # Enforce permissions for /srv/example.org/public, /php_sessions, /php_tmp
 
-    find "${domain}/public" \( -type f -o -type d \) \( ! -uid ${public_uid} -o ! -gid ${public_gid} \) -exec chown ${public_uid}:${public_gid} {} \;
-    find "${domain}/public" \( -type f ! -perm 664 -exec chmod 664 {} \; -o -type d ! -perm 2775 -exec chmod 2775 {} \; \)
+    find "${domain}/public" \( -type f -o -type d \) \( ! -uid ${public_uid} -o ! -gid ${public_gid} \) $VERBOSE -exec chown ${public_uid}:${public_gid} {} \;
+    find "${domain}/public" \( -type f ! -perm 664 $VERBOSE -exec chmod 664 {} \; -o -type d ! -perm 2775 $VERBOSE -exec chmod 2775 {} \; \)
 
 
     if [ -d "${domain}/php_sessions" ]; then
 
-      find "${domain}/php_sessions" \( -type f -o -type d \) \( ! -uid ${public_uid} -o ! -gid ${public_gid} \) -exec chown ${public_uid}:${public_gid} {} \;
-      find "${domain}/php_sessions" \( -type f ! -perm 664 -exec chmod 664 {} \; -o -type d ! -perm 2775 -exec chmod 2775 {} \; \)
+      find "${domain}/php_sessions" \( -type f -o -type d \) \( ! -uid ${public_uid} -o ! -gid ${public_gid} \) $VERBOSE -exec chown ${public_uid}:${public_gid} {} \;
+      find "${domain}/php_sessions" \( -type f ! -perm 664 $VERBOSE -exec chmod 664 {} \; -o -type d ! -perm 2775 $VERBOSE -exec chmod 2775 {} \; \)
 
     fi
 
     if [ -d "${domain}/php_tmp" ]; then
 
-      find "${domain}/php_tmp" \( -type f -o -type d \) \( ! -uid ${public_uid} -o ! -gid ${public_gid} \) -exec chown ${public_uid}:${public_gid} {} \;
-      find "${domain}/php_tmp" \( -type f ! -perm 664 -exec chmod 664 {} \; -o -type d ! -perm 2775 -exec chmod 2775 {} \; \)
+      find "${domain}/php_tmp" \( -type f -o -type d \) \( ! -uid ${public_uid} -o ! -gid ${public_gid} \) $VERBOSE -exec chown ${public_uid}:${public_gid} {} \;
+      find "${domain}/php_tmp" \( -type f ! -perm 664 $VERBOSE -exec chmod 664 {} \; -o -type d ! -perm 2775 $VERBOSE -exec chmod 2775 {} \; \)
 
     fi
 
@@ -103,13 +109,18 @@ Require valid-user" > "${domain}/public/htdocs/stats/.htaccess"
 
   if [ -d ${domain}/config ]; then
 
-    find "${domain}/config" \( -type f -o -type d \) \( ! -user sympl -o ! -group sympl \) ! -path '*ssl/sets*' -exec chown sympl:sympl {} \;
+    find "${domain}/config" ! -name 'stats-htaccess' \( -type f -o -type d \) \( ! -user sympl -o ! -group sympl \) ! -path '*ssl/sets*' $VERBOSE -exec chown sympl:sympl {} \;
 
     if [ -d "${domain}/config/ssl/sets" ]; then
-      find "${domain}/config/ssl/sets" \( ! -user sympl -o ! -group ssl-cert \) -exec chown sympl:ssl-cert {} \;
+      find "${domain}/config/ssl/sets" \( ! -user sympl -o ! -group ssl-cert \) $VERBOSE -exec chown sympl:ssl-cert {} \;
     fi
 
-    find "${domain}/config" \( -type f -a ! -perm 660 -exec chmod 660 {} \; \) -o \( -type d -a ! -perm 2771 -exec chmod 2771 {} \; \)
+    find "${domain}/config" \( -type f ! -perm 660 $VERBOSE -exec chmod 660 {} \; \) -o \( -type d ! -perm 2771 $VERBOSE -exec chmod 2771 {} \; \)
+
+    if [ -f "${domain}/config/stats-htaccess" ]; then
+      find "${domain}/config/stats-htaccess" \( ! -user sympl -o ! -group www-data \) $VERBOSE -exec chown sympl:www-data {} \;
+      find "${domain}/config/stats-htaccess" ! -perm 660 $VERBOSE -exec echo chmod 660 {} \;
+    fi
 
   fi
 
@@ -119,9 +130,9 @@ Require valid-user" > "${domain}/public/htdocs/stats/.htaccess"
 
 if [ -d /var/backups ]; then
 
-  find "/var/backups" ! -type l \( ! -user sympl -o ! -group sympl \) -exec chown sympl:sympl {} \;
+  find "/var/backups" ! -type l \( ! -user sympl -o ! -group sympl \) $VERBOSE -exec chown sympl:sympl {} \;
 
-  find "/var/backups" ! -type l ! -perm o-rwx \( -type f -exec chmod 660 {} \; -o -type d -exec chmod 770 {} \; \)
+  find "/var/backups" ! -type l \( -type f ! -perm 660 $VERBOSE -exec chmod 660 {} \; -o -type d ! -perm 770 $VERBOSE -exec chmod 770 {} \; \)
 
 fi
 
@@ -129,9 +140,9 @@ fi
 
 if [ -d /etc/sympl ]; then
 
-  find "/etc/sympl" ! -type l ! -path '*/test.d/*' \( ! -user sympl -o ! -group sympl \) -exec chown sympl:sympl {} \;
+  find "/etc/sympl" ! -type l ! -path '*/test.d/*' \( ! -user sympl -o ! -group sympl \) $VERBOSE -exec echo chown sympl:sympl {} \;
 
-  find "/etc/sympl" ! -type l ! -path '*/test.d/*' ! -perm o-w \( -type f -exec chmod o-w {} \; -o -type d -exec chmod 775 {} \; \)
+  find "/etc/sympl" ! -type l ! -path '*/test.d/*' \( -type f ! -perm 664 $VERBOSE -exec chmod 664 {} \; -o -type d ! -perm 775 $VERBOSE -exec chmod 775 {} \; \)
 
 fi