[fix] Create a dedicated system user with proper sudo permissions.
Ref. #41.
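--- /dev/null
+++ b/conf/sudoers.conf
@@ -0,0 +1,13 @@
+Cmnd_Alias VPNCLIENTTASKS = /bin/systemctl stop ynh-vpnclient, \
+/bin/systemctl start ynh-vpnclient, \
+/usr/local/bin/ynh-vpnclient *
+
+Cmnd_Alias YUNOHOST = /usr/bin/yunohost app setting vpnclient *,\
+/usr/bin/yunohost app info hotspot *
+
+Cmnd_Alias HOTSPOT = /bin/systemctl stop ynh-hotspot,\
+/bin/systemctl start ynh-hotspot,\
+/usr/bin/yunohost app setting hotspot *
+
+__VPNCLIENT_SYSUSER__ ALL = NOPASSWD: /bin/grep, VPNCLIENTTASKS, YUNOHOST, HOTSPOT
+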
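Review bot: The bare `/bin/grep` entry in the NOPASSWD list on the last line lets the service user read any file on the host as root, which is far more than the VPN client tasks around it require. If the user only needs to inspect specific files, list those exact invocations instead, and note that a sudoers `*` wildcard matches across argument boundaries, so a pattern such as `/bin/grep * /some/file` does not actually pin the file; otherwise drop the entry and do the reading in one of the root-owned helper scripts already listed. The trailing `*` on `/usr/local/bin/ynh-vpnclient *` and the `yunohost app setting` entries likewise permits arbitrary extra arguments; tightening them to the subcommands that are really used would shrink the surface further.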
@@ -169,6 +169,20 @@ ynh_abort_if_up_to_date () {
|
|||||||
# Operations needed by both 'install' and 'upgrade' scripts
|
# Operations needed by both 'install' and 'upgrade' scripts
|
||||||
function vpnclient_deploy_files_and_services()
|
function vpnclient_deploy_files_and_services()
|
||||||
{
|
{
|
||||||
|
local domain=$1
|
||||||
|
local app=$2
|
||||||
|
local sysuser="${app}"
|
||||||
|
|
||||||
|
# Ensure vpnclient_ynh has its own system user
|
||||||
|
if ! ynh_system_user_exists ${sysuser}
|
||||||
|
then
|
||||||
|
ynh_system_user_create ${sysuser}
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Ensure the system user has enough sudo permissions
|
||||||
|
sudo install -b -o root -g root -m 0440 ../conf/sudoers.conf /etc/sudoers.d/${app}_ynh
|
||||||
|
ynh_replace_string "__VPNCLIENT_SYSUSER__" "${sysuser}" /etc/sudoers.d/${app}_ynh
|
||||||
|
|
||||||
# Install IPv6 scripts
|
# Install IPv6 scripts
|
||||||
sudo install -o root -g root -m 0755 ../conf/ipv6_expanded /usr/local/bin/
|
sudo install -o root -g root -m 0755 ../conf/ipv6_expanded /usr/local/bin/
|
||||||
sudo install -o root -g root -m 0755 ../conf/ipv6_compressed /usr/local/bin/
|
sudo install -o root -g root -m 0755 ../conf/ipv6_compressed /usr/local/bin/
|
||||||
@@ -178,11 +192,11 @@ function vpnclient_deploy_files_and_services()
|
|||||||
|
|
||||||
# Copy confs
|
# Copy confs
|
||||||
sudo mkdir -pm 0755 /var/log/nginx/
|
sudo mkdir -pm 0755 /var/log/nginx/
|
||||||
sudo chown root:admins /etc/openvpn/
|
sudo chown root:${sysuser} /etc/openvpn/
|
||||||
sudo chmod 775 /etc/openvpn/
|
sudo chmod 775 /etc/openvpn/
|
||||||
sudo mkdir -pm 0755 /etc/yunohost/hooks.d/post_iptable_rules/
|
sudo mkdir -pm 0755 /etc/yunohost/hooks.d/post_iptable_rules/
|
||||||
|
|
||||||
sudo install -b -o root -g admins -m 0664 ../conf/openvpn_client.conf.tpl /etc/openvpn/client.conf.tpl
|
sudo install -b -o root -g ${sysuser} -m 0664 ../conf/openvpn_client.conf.tpl /etc/openvpn/client.conf.tpl
|
||||||
sudo install -o root -g root -m 0644 ../conf/openvpn_client.conf.tpl /etc/openvpn/client.conf.tpl.restore
|
sudo install -o root -g root -m 0644 ../conf/openvpn_client.conf.tpl /etc/openvpn/client.conf.tpl.restore
|
||||||
sudo install -b -o root -g root -m 0644 ../conf/nginx_vpnadmin.conf "/etc/nginx/conf.d/${domain}.d/${app}.conf"
|
sudo install -b -o root -g root -m 0644 ../conf/nginx_vpnadmin.conf "/etc/nginx/conf.d/${domain}.d/${app}.conf"
|
||||||
sudo install -b -o root -g root -m 0644 ../conf/phpfpm_vpnadmin.conf /etc/php5/fpm/pool.d/${app}.conf
|
sudo install -b -o root -g root -m 0644 ../conf/phpfpm_vpnadmin.conf /etc/php5/fpm/pool.d/${app}.conf
|
||||||
@@ -199,7 +213,7 @@ function vpnclient_deploy_files_and_services()
|
|||||||
|
|
||||||
# Create certificates directory
|
# Create certificates directory
|
||||||
sudo mkdir -pm 0770 /etc/openvpn/keys/
|
sudo mkdir -pm 0770 /etc/openvpn/keys/
|
||||||
sudo chown root:admins /etc/openvpn/keys/
|
sudo chown root:${sysuser} /etc/openvpn/keys/
|
||||||
|
|
||||||
#=================================================
|
#=================================================
|
||||||
# NGINX CONFIGURATION
|
# NGINX CONFIGURATION
|
||||||
@@ -214,8 +228,8 @@ function vpnclient_deploy_files_and_services()
|
|||||||
#=================================================
|
#=================================================
|
||||||
|
|
||||||
sudo sed "s|<TPL:PHP_NAME>|${app}|g" -i /etc/php5/fpm/pool.d/${app}.conf
|
sudo sed "s|<TPL:PHP_NAME>|${app}|g" -i /etc/php5/fpm/pool.d/${app}.conf
|
||||||
sudo sed "s|<TPL:PHP_USER>|www-data|g" -i /etc/php5/fpm/pool.d/${app}.conf
|
sudo sed "s|<TPL:PHP_USER>|${sysuser}|g" -i /etc/php5/fpm/pool.d/${app}.conf
|
||||||
sudo sed "s|<TPL:PHP_GROUP>|www-data|g" -i /etc/php5/fpm/pool.d/${app}.conf
|
sudo sed "s|<TPL:PHP_GROUP>|${sysuser}|g" -i /etc/php5/fpm/pool.d/${app}.conf
|
||||||
sudo sed "s|<TPL:NGINX_REALPATH>|/var/www/${app}/|g" -i /etc/php5/fpm/pool.d/${app}.conf
|
sudo sed "s|<TPL:NGINX_REALPATH>|/var/www/${app}/|g" -i /etc/php5/fpm/pool.d/${app}.conf
|
||||||
|
|
||||||
# Fix sources
|
# Fix sources
|
||||||
|
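Review bot: The sudoers fragment is copied to `/etc/sudoers.d/${app}_ynh` and then rewritten in place by `ynh_replace_string` without any syntax check; a bad substitution (an app id containing characters sudoers treats specially, or a failed replace leaving the placeholder) yields a fragment that sudo rejects, which breaks sudo for every user on the host. Add `sudo visudo -cf "/etc/sudoers.d/${app}_ynh"` right after the replace so a broken fragment aborts the install, and quote `${sysuser}` and `${app}` in the `install`, `ynh_system_user_exists`/`ynh_system_user_create` and `chown` lines. The later hunks of this function also make the PHP-FPM pool run as `${sysuser}` (the `<TPL:PHP_USER>`/`<TPL:PHP_GROUP>` lines) while giving that same user group-write on `/etc/openvpn/` (`chmod 775` with `chown root:${sysuser}`), on `/etc/openvpn/keys/` and on `client.conf.tpl`, plus the NOPASSWD sudo rights; a compromise of the web front end therefore reaches the VPN configuration and service control directly, so consider a separate pool user or read-only access for it. The function continues outside these hunks.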
@@ -67,7 +67,7 @@ export DEBIAN_FRONTEND=noninteractive
|
|||||||
# DEPLOY FILES FROM PACKAGE
|
# DEPLOY FILES FROM PACKAGE
|
||||||
#=================================================
|
#=================================================
|
||||||
|
|
||||||
vpnclient_deploy_files_and_services
|
vpnclient_deploy_files_and_services "${domain}" "${app}"
|
||||||
|
|
||||||
ynh_app_setting_set $app final_path $final_path
|
ynh_app_setting_set $app final_path $final_path
|
||||||
|
|
||||||
|
@@ -50,4 +50,7 @@ sudo systemctl reload nginx
|
|||||||
# Remove sources
|
# Remove sources
|
||||||
sudo rm -rf /var/www/${app}/
|
sudo rm -rf /var/www/${app}/
|
||||||
|
|
||||||
|
# Removed system user
|
||||||
|
ynh_system_user_delete ${app}
|
||||||
|
|
||||||
exit 0
|
exit 0
|
||||||
|
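Review bot: `ynh_system_user_delete ${app}` removes the user, but nothing in this hunk removes the sudoers fragment `/etc/sudoers.d/${app}_ynh` that the deploy function installs; unless it is cleaned up earlier in the script, a file granting NOPASSWD rights to a now-unassigned name stays behind and would apply to any account later created with that name. Add `sudo rm -f "/etc/sudoers.d/${app}_ynh"` before the user deletion, and quote the argument as `ynh_system_user_delete "${app}"`.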
@@ -21,12 +21,15 @@ source /usr/share/yunohost/helpers
|
|||||||
# Exit if an error occurs during the execution of the script
|
# Exit if an error occurs during the execution of the script
|
||||||
ynh_abort_if_errors
|
ynh_abort_if_errors
|
||||||
|
|
||||||
|
#sysuser="${app}"
|
||||||
|
sysuser="vpnclient" # XXX hard-coded variable
|
||||||
|
|
||||||
backup_dir="${1}/apps/vpnclient"
|
backup_dir="${1}/apps/vpnclient"
|
||||||
|
|
||||||
sudo mkdir -p /etc/openvpn/
|
sudo mkdir -p /etc/openvpn/
|
||||||
sudo cp -a "${backup_dir}/keys/" /etc/openvpn/
|
sudo cp -a "${backup_dir}/keys/" /etc/openvpn/
|
||||||
sudo cp -a "${backup_dir}/client.conf.tpl" /etc/openvpn/
|
sudo cp -a "${backup_dir}/client.conf.tpl" /etc/openvpn/
|
||||||
sudo chown -R root:admins /etc/openvpn/keys/
|
sudo chown -R root:${sysuser} /etc/openvpn/keys/
|
||||||
|
|
||||||
gitcommit=$(sudo grep revision /etc/yunohost/apps/vpnclient/status.json | sed 's/.*"revision": "\([^"]\+\)".*/\1/')
|
gitcommit=$(sudo grep revision /etc/yunohost/apps/vpnclient/status.json | sed 's/.*"revision": "\([^"]\+\)".*/\1/')
|
||||||
tmpdir=$(mktemp -dp /tmp/ vpnclient-restore-XXXXX)
|
tmpdir=$(mktemp -dp /tmp/ vpnclient-restore-XXXXX)
|
||||||
|
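Review bot: `sysuser="vpnclient"` hard-codes the user name while the deploy function derives it from `${app}` (the commented-out `#sysuser="${app}"` shows the intent); if the installed app id differs, the `chown -R root:${sysuser} /etc/openvpn/keys/` line assigns the keys to the wrong group, or fails if no such user exists. Deriving the name from the same source the other scripts use would keep restore consistent with install. This hunk also does not show the system user being created before the `chown`; on a fresh host the restore needs the `ynh_system_user_create` step first, unless that happens elsewhere in the script. Quote the expansion as `"root:${sysuser}"` as well.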
@@ -71,7 +71,7 @@ tmpdir=$(mktemp -d /tmp/vpnclient-upgrade-XXX)
|
|||||||
sudo cp -r /etc/openvpn/client* ${tmpdir}
|
sudo cp -r /etc/openvpn/client* ${tmpdir}
|
||||||
|
|
||||||
# Deploy files from package
|
# Deploy files from package
|
||||||
vpnclient_deploy_files_and_services
|
vpnclient_deploy_files_and_services "${domain}" "${app}"
|
||||||
|
|
||||||
# Restore previously existing config files
|
# Restore previously existing config files
|
||||||
sudo cp -r ${tmpdir}/client* /etc/openvpn/
|
sudo cp -r ${tmpdir}/client* /etc/openvpn/
|
||||||
|