ACL pour MPM-itk

debian/alternc.preinst

@@ -4,6 +4,11 @@ set -e
 
 . /usr/share/debconf/confmodule
 
+# Create AlternC Panel user for web server
+addgroup --system --gid 1999 alterncpanel
+adduser --system --home "$ALTERNC_LOC/bureau" --no-create-home \
+  --disabled-password --uid 1999 --ingroup alterncpanel alterncpanel
+
 case "$1" in
   install)
     ;;

debian/control

@@ -10,7 +10,7 @@ Standards-Version: 3.8.0
 Package: alternc
 Architecture: all
 Pre-depends: debconf (>= 0.5.00) | debconf-2.0
-Depends: debianutils (>= 1.13.1), apache2-mpm-itk, libapache2-mod-php5, courier-ssl, courier-imap-ssl, courier-pop-ssl, php5-mysql, phpmyadmin, postfix, proftpd-mod-mysql, proftpd-basic, squirrelmail, squirrelmail-locales, postfix-tls, bind9, wget, rsync, quota, courier-authmysql | courier-authlib-mysql, ca-certificates, locales, perl-suid, perl, postfix-mysql, wwwconfig-common, sasl2-bin, fam, libsasl2-modules, php5-cli, lockfile-progs (>= 0.1.9), gettext (>= 0.10.40-5), pdksh (>= 5.2.14-6), adduser, mysql-client, dnsutils, bash
+Depends: debianutils (>= 1.13.1), apache2-mpm-itk, libapache2-mod-php5, courier-ssl, courier-imap-ssl, courier-pop-ssl, php5-mysql, phpmyadmin, postfix, proftpd-mod-mysql, proftpd-basic, squirrelmail, squirrelmail-locales, postfix-tls, bind9, wget, rsync, quota, courier-authmysql | courier-authlib-mysql, ca-certificates, locales, perl-suid, perl, postfix-mysql, wwwconfig-common, sasl2-bin, fam, libsasl2-modules, php5-cli, lockfile-progs (>= 0.1.9), gettext (>= 0.10.40-5), pdksh (>= 5.2.14-6), adduser, mysql-client, dnsutils, bash, acl
 Recommends: apache2, mysql-server
 Conflicts: alternc-admintools, alternc-awstats (<= 0.3.2), alternc-webalizer (<= 0.9.4)
 Provides: alternc-admintools

etc/alternc/templates/alternc/bureau.conf

@@ -1,5 +1,5 @@
 
-  AssignUserId www-data www-data
+  AssignUserId alterncpanel alterncpanel
 
   DocumentRoot /var/alternc/bureau/admin
   ServerName %%fqdn%%

etc/alternc/templates/apache2/panel.conf

@@ -1,6 +1,6 @@
 <VirtualHost *:80>
   DocumentRoot /var/alternc/bureau/admin
-  AssignUserId www-data www-data
+  AssignUserId alterncpanel alterncpanel
   ServerName %%fqdn%%
   RewriteEngine on
   RewriteRule   ^/admin/(.*)  /$1

etc/alternc/templates/proftpd/proftpd.conf

@@ -68,7 +68,7 @@ AccessGrantMsg  "Welcome on AlternC, %u"
 # database@host:port login password
 SQLConnectInfo                  %%dbname%%@%%dbhost%%:3306 %%dbuser%% %%dbpwd%%
 # Table :
-SQLUserInfo ftpusers name encrypted_password 33 uid homedir NULL
+SQLUserInfo ftpusers name encrypted_password uid uid homedir NULL
 
 # Use mysql PASSWORD function
 SQLAuthTypes                    Crypt

install/alternc.install

@@ -105,7 +105,7 @@ if [ -r /etc/alternc/my.cnf ]; then
     # * convert mysql variables into our MYSQL_ naming convention (;s)
     # * print the result (;p)
     eval `sed -n -e "/=/{s/ *= *\"\?/='/;s/\"\?\$/'/;s/host/MYSQL_HOST/;s/user/MYSQL_USER/;s/password/MYSQL_PASS/;s/database/MYSQL_DATABASE/;p}" /etc/alternc/my.cnf`
-    chown root:www-data /etc/alternc/my.cnf
+    chown root:alterncpanel /etc/alternc/my.cnf
     chmod 640 /etc/alternc/my.cnf
 fi
 
@@ -201,11 +201,11 @@ if [ -x /usr/sbin/apache2 ]; then
     fi 
     if ! [ -L /etc/apache2/mods-enabled/$php.load ]
     then
-	a2enmod $php
+	    a2enmod $php
     fi
     if ! [ -L /etc/apache2/mods-enabled/rewrite.load ]
     then
-	a2enmod rewrite
+	    a2enmod rewrite
     fi
     if [ -e /etc/alternc/apache.pem ]; then
         # We enable proftpd tls module
@@ -320,6 +320,16 @@ done
 # Last touches
 #
 
+# Changing owner of web panel's files
+chown -R alterncpanel:alterncpanel "$ALTERNC_LOC/bureau"
+
+# Set correct rights on files
+echo "/!\ Warning /!\ Defaults ACL will be applied"
+echo "If error, please remount $ALTERNC_LOC with ACL"
+echo "and re-run /usr/lib/alternc/fixperms.sh "
+echo "<press enter to continue>"
+read
+/usr/lib/alternc/fixperms.sh
 
 # Creating admin user if needed
 HAS_ROOT=`mysql --defaults-file=/etc/alternc/my.cnf -e "SELECT COUNT(*) FROM membres WHERE login = 'admin' OR login = 'root' and su = 1" | tail -1`

src/fixperms.sh

@@ -49,17 +49,25 @@ fi
 
 doone() {
     read GID LOGIN
-    while [ "$LOGIN" ] 
-      do
+    while [ "$LOGIN" ] ; do
       if [ "$DEBUG" ]; then
-	  echo "Setting rights and ownership for user $LOGIN having gid $GID"
+	      echo "Setting rights and ownership for user $LOGIN having gid $GID"
       fi
       INITIALE=`echo $LOGIN |cut -c1`
       REP="$ALTERNC_LOC/html/$INITIALE/$LOGIN"
             
-      find $REP -type d -exec chmod g+s \{\} \;
-	  chown -R 33.$GID $REP
-	  read GID LOGIN
+      # Set the file readable only for the AlternC User
+	    chown -R $GID:$GID "$REP"
+      chmod 2770 -R "$REP"
+
+      # Delete existings ACL
+      find $REP -exec setfacl -bk '{}' \;
+      # Set the defaults acl on directory
+      find $REP -type d -exec setfacl -m d:g:alterncpanel:rw- '{}' \;
+      # Set the acl on all the files
+      find $REP -exec setfacl -m g:alterncpanel:rw- '{}' \;
+
+	    read GID LOGIN
     done
 }