
[fix] Create a dedicated system user with proper sudo permissions.

Ref. #41.
pitchum 6 years ago
parent
commit
94bbcdb2db
6 changed files with 41 additions and 8 deletions
  1. 13 0
      conf/sudoers.conf
  2. 19 5
      scripts/_common.sh
  3. 1 1
      scripts/install
  4. 3 0
      scripts/remove
  5. 4 1
      scripts/restore
  6. 1 1
      scripts/upgrade

+ 13 - 0
conf/sudoers.conf

@@ -0,0 +1,13 @@
+Cmnd_Alias VPNCLIENTTASKS = /bin/systemctl stop ynh-vpnclient, \
+                            /bin/systemctl start ynh-vpnclient, \
+                            /usr/local/bin/ynh-vpnclient *
+
+Cmnd_Alias YUNOHOST = /usr/bin/yunohost app setting vpnclient *,\
+                      /usr/bin/yunohost app info hotspot *
+
+Cmnd_Alias HOTSPOT = /bin/systemctl stop ynh-hotspot,\
+                     /bin/systemctl start ynh-hotspot,\
+                     /usr/bin/yunohost app setting hotspot *
+
+__VPNCLIENT_SYSUSER__ ALL = NOPASSWD: /bin/grep, VPNCLIENTTASKS, YUNOHOST, HOTSPOT
+
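Review bot: The last rule grants `/bin/grep` with no argument restriction, which in sudoers means any arguments are accepted, so the service account can read every root-only file on the host rather than the one value the app needs. The only privileged grep visible in this commit is `sudo grep revision /etc/yunohost/apps/vpnclient/status.json` in scripts/restore, so the entry can be narrowed to that exact invocation, `/bin/grep revision /etc/yunohost/apps/vpnclient/status.json`, or that file can be made group-readable and grep dropped from the sudoers file altogether. The trailing `*` on `/usr/local/bin/ynh-vpnclient *` and on the `yunohost app setting` entries also accepts arbitrary arguments; a short comment above each alias stating why that breadth is required would help the next reviewer judge it, e.g. `# ynh-vpnclient is driven by systemd/hooks with variable arguments; tighten once the set is known`.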

+ 19 - 5
scripts/_common.sh

@@ -169,6 +169,20 @@ ynh_abort_if_up_to_date () {
 # Operations needed by both 'install' and 'upgrade' scripts
 function vpnclient_deploy_files_and_services()
 {
+  local domain=$1
+  local app=$2
+  local sysuser="${app}"
+
+  # Ensure vpnclient_ynh has its own system user
+  if ! ynh_system_user_exists ${sysuser}
+  then
+    ynh_system_user_create ${sysuser}
+  fi
+
+  # Ensure the system user has enough sudo permissions
+  sudo install -b -o root -g root -m 0440 ../conf/sudoers.conf /etc/sudoers.d/${app}_ynh
+  ynh_replace_string "__VPNCLIENT_SYSUSER__" "${sysuser}" /etc/sudoers.d/${app}_ynh
+
   # Install IPv6 scripts
   sudo install -o root -g root -m 0755 ../conf/ipv6_expanded /usr/local/bin/
   sudo install -o root -g root -m 0755 ../conf/ipv6_compressed /usr/local/bin/
@@ -178,11 +192,11 @@ function vpnclient_deploy_files_and_services()
 
   # Copy confs
   sudo mkdir -pm 0755 /var/log/nginx/
-  sudo chown root:admins /etc/openvpn/
+  sudo chown root:${sysuser} /etc/openvpn/
   sudo chmod 775 /etc/openvpn/
   sudo mkdir -pm 0755 /etc/yunohost/hooks.d/post_iptable_rules/
 
-  sudo install -b -o root -g admins -m 0664 ../conf/openvpn_client.conf.tpl /etc/openvpn/client.conf.tpl
+  sudo install -b -o root -g ${sysuser} -m 0664 ../conf/openvpn_client.conf.tpl /etc/openvpn/client.conf.tpl
   sudo install -o root -g root -m 0644 ../conf/openvpn_client.conf.tpl /etc/openvpn/client.conf.tpl.restore
   sudo install -b -o root -g root -m 0644 ../conf/nginx_vpnadmin.conf "/etc/nginx/conf.d/${domain}.d/${app}.conf"
   sudo install -b -o root -g root -m 0644 ../conf/phpfpm_vpnadmin.conf /etc/php5/fpm/pool.d/${app}.conf
@@ -199,7 +213,7 @@ function vpnclient_deploy_files_and_services()
 
   # Create certificates directory
   sudo mkdir -pm 0770 /etc/openvpn/keys/
-  sudo chown root:admins /etc/openvpn/keys/
+  sudo chown root:${sysuser} /etc/openvpn/keys/
 
   #=================================================
   # NGINX CONFIGURATION
@@ -214,8 +228,8 @@ function vpnclient_deploy_files_and_services()
   #=================================================
 
   sudo sed "s|<TPL:PHP_NAME>|${app}|g" -i /etc/php5/fpm/pool.d/${app}.conf
-  sudo sed "s|<TPL:PHP_USER>|www-data|g" -i /etc/php5/fpm/pool.d/${app}.conf
-  sudo sed "s|<TPL:PHP_GROUP>|www-data|g" -i /etc/php5/fpm/pool.d/${app}.conf
+  sudo sed "s|<TPL:PHP_USER>|${sysuser}|g" -i /etc/php5/fpm/pool.d/${app}.conf
+  sudo sed "s|<TPL:PHP_GROUP>|${sysuser}|g" -i /etc/php5/fpm/pool.d/${app}.conf
   sudo sed "s|<TPL:NGINX_REALPATH>|/var/www/${app}/|g" -i /etc/php5/fpm/pool.d/${app}.conf
 
   # Fix sources
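Review bot: The sudoers drop-in is rewritten in place with `ynh_replace_string` but never validated; a bad substitution leaves a syntactically broken file that sudo refuses, and every later line of this function depends on `sudo`, so the deploy would fail part-way with sudo already impaired. Add a check right after the substitution, `sudo visudo -cf /etc/sudoers.d/${app}_ynh || ynh_die "Invalid sudoers file for ${app}"`, and quote the new expansions (`ynh_system_user_exists "${sysuser}"`, `ynh_system_user_create "${sysuser}"`, `"/etc/sudoers.d/${app}_ynh"`) since they are currently unquoted. It is not clear from the page whether `ynh_replace_string` has enough privilege to edit a root-owned 0440 file installed via `sudo`; confirm it, or perform the substitution on a temporary copy before the `sudo install`. The same unquoted-expansion pattern appears in the second hunk (`root:${sysuser}`, `-g ${sysuser}`). The function body continues past the end of the hunk.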

+ 1 - 1
scripts/install

@@ -67,7 +67,7 @@ export DEBIAN_FRONTEND=noninteractive
 # DEPLOY FILES FROM PACKAGE
 #=================================================
 
-vpnclient_deploy_files_and_services
+vpnclient_deploy_files_and_services "${domain}" "${app}"
 
 ynh_app_setting_set $app final_path $final_path
 

+ 3 - 0
scripts/remove

@@ -50,4 +50,7 @@ sudo systemctl reload nginx
 # Remove sources
 sudo rm -rf /var/www/${app}/
 
+# Removed system user
+ynh_system_user_delete ${app}
+
 exit 0
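Review bot: `ynh_system_user_delete ${app}` removes the account but not the `/etc/sudoers.d/${app}_ynh` drop-in that scripts/_common.sh installs for it, so a NOPASSWD root rule bound to a now-unused username is left behind and would apply to any account later created with that name. Add `sudo rm -f "/etc/sudoers.d/${app}_ynh"` before the user deletion and quote the expansion, `ynh_system_user_delete "${app}"`. The comment `# Removed system user` reads as past tense; `# Remove system user` matches the imperative style of the surrounding comments.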

+ 4 - 1
scripts/restore

@@ -21,12 +21,15 @@ source /usr/share/yunohost/helpers
 # Exit if an error occurs during the execution of the script
 ynh_abort_if_errors
 
+#sysuser="${app}"
+sysuser="vpnclient" # XXX hard-coded variable
+
 backup_dir="${1}/apps/vpnclient"
 
 sudo mkdir -p /etc/openvpn/
 sudo cp -a "${backup_dir}/keys/" /etc/openvpn/
 sudo cp -a "${backup_dir}/client.conf.tpl" /etc/openvpn/
-sudo chown -R root:admins /etc/openvpn/keys/
+sudo chown -R root:${sysuser} /etc/openvpn/keys/
 
 gitcommit=$(sudo grep revision /etc/yunohost/apps/vpnclient/status.json | sed 's/.*"revision": "\([^"]\+\)".*/\1/')
 tmpdir=$(mktemp -dp /tmp/ vpnclient-restore-XXXXX)
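Review bot: `sysuser` is hard-coded to `vpnclient` and nothing in this script ensures that user or group exists before `sudo chown -R root:${sysuser} /etc/openvpn/keys/`; on a machine where the backup is restored before the account has been created, chown fails on the unknown group and the script aborts under `ynh_abort_if_errors`. Mirror the install path with `if ! ynh_system_user_exists "${sysuser}"; then ynh_system_user_create "${sysuser}"; fi` before the chown; whether restore later calls `vpnclient_deploy_files_and_services` (which would also recreate the sudoers drop-in) is outside the hunk, so it should be checked. The `# XXX hard-coded variable` marker suggests `${app}` is not set in this script; if it is available, the commented-out `sysuser="${app}"` should replace the literal so all scripts derive the user name the same way.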

+ 1 - 1
scripts/upgrade

@@ -71,7 +71,7 @@ tmpdir=$(mktemp -d /tmp/vpnclient-upgrade-XXX)
 sudo cp -r /etc/openvpn/client* ${tmpdir}
 
 # Deploy files from package
-vpnclient_deploy_files_and_services
+vpnclient_deploy_files_and_services "${domain}" "${app}"
 
 # Restore previously existing config files
 sudo cp -r ${tmpdir}/client* /etc/openvpn/