From a817f30f3835ccb7795aafe9d51f09dcb70b461c Mon Sep 17 00:00:00 2001 From: Benjamin Sonntag Date: Tue, 17 May 2016 15:25:59 +0200 Subject: [PATCH 1/4] removing all reference to .svn / svn in makefile --- Makefile | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/Makefile b/Makefile index 5871b584..77115cf3 100644 --- a/Makefile +++ b/Makefile @@ -21,8 +21,7 @@ # Purpose of file: Global Makefile # ---------------------------------------------------------------------- MAJOR=$(shell sed -ne 's/^[^(]*(\([^)]*\)).*/\1/;1p' debian/changelog) -REV=$(shell env LANG=C svn info --non-interactive | awk '/^Revision:/ { print $$2 }') -VERSION="${MAJOR}~svn${REV}" +VERSION=$MAJOR export VERSION build: @@ -44,14 +43,11 @@ install-common: cp -r etc/alternc $(DESTDIR)/etc cp -r etc/incron.d $(DESTDIR)/etc install -o root -g root -m 440 etc/sudoers.d/alternc $(DESTDIR)/etc/sudoers.d -# SVN cleanup (bad if installing without DESTDIR, FIXME) - find $(DESTDIR)/etc/ -depth -type d -name ".svn" -exec rm {} -rf \; chmod 755 $(DESTDIR)/etc/alternc etc/incron.d # Installer and upgrade scripts test -d $(DESTDIR)/usr/share/alternc/install || mkdir -p $(DESTDIR)/usr/share/alternc/install cp -r install/* $(DESTDIR)/usr/share/alternc/install - find $(DESTDIR)/usr/share/alternc/install -depth -type d -name ".svn" -exec rm {} -rf \; chmod a+x $(DESTDIR)/usr/share/alternc/install/alternc.install $(DESTDIR)/usr/share/alternc/install/dopo.sh $(DESTDIR)/usr/share/alternc/install/mysql.sh $(DESTDIR)/usr/share/alternc/install/newone.php $(DESTDIR)/usr/share/alternc/install/reset_root.php $(DESTDIR)/usr/share/alternc/install/upgrade_check.sh $(DESTDIR)/usr/share/alternc/install/upgrades/*.php $(DESTDIR)/usr/share/alternc/install/upgrades/*.sh 
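Review bot: In the first Makefile hunk, `VERSION=$MAJOR` does not expand the MAJOR variable: make reads `$M` as a reference to a one-letter variable followed by the literal text `AJOR`, so with M unset the exported VERSION becomes `AJOR`. Write it as `VERSION=$(MAJOR)`, or `${MAJOR}` as the `sed -i` line in install-alternc already does. Because of the `export VERSION` line that follows, any recipe or sub-make that stamps or compares the package version from this variable would silently get the wrong string.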
@@ -60,9 +56,7 @@ install-alternc: install-common # Web Panel test -d $(DESTDIR)/usr/share/alternc/panel || mkdir $(DESTDIR)/usr/share/alternc/panel cp -r bureau/* $(DESTDIR)/usr/share/alternc/panel - find $(DESTDIR)/usr/share/alternc/panel -depth -type d -name ".svn" -exec rm {} -rf \; sed -i -e "s/@@REPLACED_DURING_BUILD@@/${MAJOR}/" $(DESTDIR)/usr/share/alternc/panel/class/local.php - echo ${VERSION} > $(DESTDIR)/usr/share/alternc/panel/class/.svn-infos chown -R root:root $(DESTDIR)/usr/share/alternc/panel chmod -R 644 $(DESTDIR)/usr/share/alternc/panel chmod -R a+X $(DESTDIR)/usr/share/alternc/panel From 6e12c8902a23a010f5b3e556628fdb7c27a5049b Mon Sep 17 00:00:00 2001 From: Benjamin Sonntag Date: Tue, 17 May 2016 15:26:52 +0200 Subject: [PATCH 2/4] removing all reference to .svn / svn in makefile --- debian/rules | 4 ---- 1 file changed, 4 deletions(-) diff --git a/debian/rules b/debian/rules index 12874b55..5888859e 100755 --- a/debian/rules +++ b/debian/rules @@ -7,10 +7,6 @@ # Uncomment this to turn on verbose mode. export DH_VERBOSE=1 -MAJOR=$(shell sed -ne 's/^[^(]*(\([^)]*\)).*/\1/;1p' debian/changelog) -REV=$(shell env LANG=C svn info --non-interactive | awk '/^Revision:/ { print $$2 }') -VERSION="${MAJOR}~svn${REV}" -export VERSION override_dh_install: #dh install From 82e81b255b48969af0b0647a29cf45e024cdcc15 Mon Sep 17 00:00:00 2001 From: Benjamin Sonntag Date: Tue, 17 May 2016 15:28:18 +0200 Subject: [PATCH 3/4] removing all reference to .svn / svn in makefile --- jessie/patch.sh | 2 +- src/alternc-check | 2 +- wheezy/patch.sh | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/jessie/patch.sh b/jessie/patch.sh index 8b7d210d..d0cc47fd 100755 --- a/jessie/patch.sh +++ b/jessie/patch.sh @@ -1,6 +1,6 @@ #!/bin/bash -# Migrate a svn repository to WHEEZY +# Migrate a repository to WHEEZY # DON'T COMMIT ANYTHING AFTER launching this # reset your subversion repos back to the serverside one! 
diff --git a/src/alternc-check b/src/alternc-check index 41ed8533..1672275c 100755 --- a/src/alternc-check +++ b/src/alternc-check @@ -200,7 +200,7 @@ if ($r=="8" || $r=="a") { // Send anonymous statistics to AlternC team. if ($r=="100" || $r=="a") { - $f=fopen("http://svn.alternc.org/stats.php?m1=$m1&m2=$m2&m3=$m3&m4=$m4&m5=$m5&m6=$m6&m7=$m7","rb"); + $f=fopen("https://alternc.com/stats.php?m1=$m1&m2=$m2&m3=$m3&m4=$m4&m5=$m5&m6=$m6&m7=$m7","rb"); if ($f) { while ($s=fgets($f,1024)) { } diff --git a/wheezy/patch.sh b/wheezy/patch.sh index 58a63380..83bc8628 100755 --- a/wheezy/patch.sh +++ b/wheezy/patch.sh @@ -1,6 +1,6 @@ #!/bin/bash -# Migrate a svn repository to WHEEZY +# Migrate a repository to WHEEZY # DON'T COMMIT ANYTHING AFTER launching this # reset your subversion repos back to the serverside one! From d79f83502bd961533036a1407d4db132935a33dd Mon Sep 17 00:00:00 2001 From: Benjamin Sonntag Date: Tue, 17 May 2016 15:51:33 +0200 Subject: [PATCH 4/4] [security] fix of most ownership/accessmode issues, fixes possible root escalation --- debian/alternc.postinst | 8 ++------ debian/rules | 4 ++++ install/alternc.install | 1 + install/upgrades/3.4.5.sh | 10 ++++++++++ 4 files changed, 17 insertions(+), 6 deletions(-) create mode 100644 install/upgrades/3.4.5.sh diff --git a/debian/alternc.postinst b/debian/alternc.postinst index 89b894c1..40be48cd 100644 --- a/debian/alternc.postinst +++ b/debian/alternc.postinst 
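Review bot: The `$m1` to `$m7` values are interpolated into the query string of the new `https://alternc.com/stats.php` URL without encoding, so a value containing `&`, `#` or a space would corrupt the request; building the query with `http_build_query()` (or `rawurlencode()` per value) avoids that. Where these values are computed is outside the hunk, so confirm whether any of them can carry such characters. The move to https only protects the report if the PHP build has the openssl stream wrapper and verifies the peer, which PHP releases before 5.6 do not do by default; if older PHP is still supported, pass a stream context with `verify_peer` enabled. The enclosing `if` block continues past the hunk.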
@@ -56,12 +56,8 @@ case "$1" in test -d "$VMAIL_HOME" || mkdir -p "$VMAIL_HOME" chown vmail:vmail "$VMAIL_HOME" chown vmail:vmail "$VMAIL_HOME"/* 2>/dev/null || true # It may be empty - chmod u+rxw "$VMAIL_HOME" - chmod u+rxw "$VMAIL_HOME"/* 2>/dev/null || true # It may be empty - chmod g+rxw "$VMAIL_HOME" - chmod g+rxw "$VMAIL_HOME"/* 2>/dev/null || true # It may be empty - - chown alterncpanel:alterncpanel "/var/lib/alternc/panel" + chmod 770 "$VMAIL_HOME" + chmod 770 "$VMAIL_HOME"/* 2>/dev/null || true # It may be empty # build local.sh if it does not exist if [ ! -f $CONFIGFILE ]; then diff --git a/debian/rules b/debian/rules index 5888859e..55cc87f9 100755 --- a/debian/rules +++ b/debian/rules @@ -19,6 +19,10 @@ override_dh_install: $(MAKE) install-api DESTDIR=$(CURDIR)/debian/alternc-api $(MAKE) -C ssl install DESTDIR=$(CURDIR)/debian/alternc-ssl +override_dh_fixperms: + dh_fixperms + chmod 700 debian/alternc/var/lib/alternc/backups + %: dh $@ diff --git a/install/alternc.install b/install/alternc.install index 849a0f69..9ab2234d 100644 --- a/install/alternc.install +++ b/install/alternc.install @@ -259,6 +259,7 @@ done BACKUPS="$BACKUPS etc/postfix/main.cf" tar -zcf "$BACKUP_FILE" -C / $BACKUPS 2>/dev/null || true +chmod 600 "$BACKUP_FILE" ####################################################################### # Expand templates in the right place diff --git a/install/upgrades/3.4.5.sh b/install/upgrades/3.4.5.sh new file mode 100644 index 00000000..005dbe22 --- /dev/null +++ b/install/upgrades/3.4.5.sh @@ -0,0 +1,10 @@ +#!/bin/sh + +# change ownership of the panel's file, MUST be root:root +# since some cron-script of AlternC are launched as root. + +chown -R root:root /usr/share/alternc/panel + +# AlternC's backup of system files must NOT be readable but everyone ! +chmod -R og-rwx /var/lib/alternc/backups +
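Review bot: `chmod 770 "$VMAIL_HOME"/*` and the `chown vmail:vmail "$VMAIL_HOME"/*` kept above it run as root on the contents of a directory the vmail user can write to, and both commands act on the target of any symlink found there. If such a link exists, its target is re-owned to vmail and set to mode 770 at the next package configure, which is the same class of problem this commit sets out to close. Use `chown -h` and limit the mode change to real entries, e.g. `find "$VMAIL_HOME" -mindepth 1 -maxdepth 1 ! -type l -exec chmod 770 {} +`. The glob also skips dot-entries and does not descend, so deeper mail directories keep whatever mode they had. The enclosing `case` branch starts and ends outside the hunk.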
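Review bot: In install/alternc.install the archive is created by `tar` under the script's current umask and only afterwards restricted by `chmod 600 "$BACKUP_FILE"`, so while tar is running the backup of system files may be readable by other users. Set the mask before the file is created, `( umask 077; tar -zcf "$BACKUP_FILE" -C / $BACKUPS 2>/dev/null ) || true`, and keep the chmod so that an archive left by an earlier run is tightened as well. When tar produced no file the new chmod fails; whether that aborts the installer depends on shell options set outside this hunk, so `chmod 600 "$BACKUP_FILE" 2>/dev/null || true` would match the best-effort handling of the tar line.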
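Review bot: The new install/upgrades/3.4.5.sh runs without `set -e`, so if `chown -R root:root /usr/share/alternc/panel` fails the script carries on and its exit status reflects only the final chmod; for a security fix-up the failure should be visible, so add `set -e` after the shebang. `chown -R` changes ownership only: a panel file that is already group- or world-writable stays that way, so consider following it with `chmod -R go-w /usr/share/alternc/panel`. The comment "must NOT be readable but everyone" should read "by everyone".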