eduvpn/eduvpn-debian

fix permissions of /etc folders

Closed this issue · 9 comments

this is about the /etc/vpn-* folders installed by the packages.

fix this in the PACKAGE not in the deploy_debian script.

use dh_perms or dh_permissions and not these ugly postinst hacks.

also /etc/php-saml-ds

the dpkg packages are using internally a tar ball. AFAIK, tar files only contain numeric ids of files. However, Debian does not have static uids for system users. Although www-data in most cases has uid 33, this is not guaranteed.

I do not have experience with dh_perm*, I think most packages are using a postinst script to correct those user rights.

Currently there is an 'install' file used to create files, I think it is better to use the install command to be sure folders are created with the right mode, and use a postinst script to change to the correct user if required. But if I recall correctly, everything in /etc/vpn* is owned by root.

But if I recall correctly, everything in /etc/vpn* is owned by root.

Yeah, but that is not good. For example on CentOS (ls -l /etc/ | grep vpn):

drwxr-x---.  3 root apache      21 Mar 29 15:01 vpn-admin-portal
drwxr-x---.  3 root apache      21 Apr 17 08:42 vpn-server-api
drwxr-x---.  3 root openvpn     41 Apr 17 08:43 vpn-server-node
drwxr-x---.  3 root apache      21 Apr 20 13:58 vpn-user-portal

Only group apache and group openvpn need to be able to read some stuff, not all (system) users. On Debian this would be www-data and I think nogroup as OpenVPN does not have its own group...

I believe the current best way to deal with this is doing it "manually" in postinst. Beware: take precautions about the availability of the www-data group on the system and fail in a sane way if this group is not present. AFAIK there is no dh_perm* (there is dh_fixperms which is not applicable here.)

@joostvb-gh this is fixed now for all packages?

Executing https://raw.githubusercontent.com/eduvpn/documentation/master/deploy_debian.sh on a debian/stable system today leads to:

joostvb@oganj:~% ls -l /etc | grep vpn-
drwxr-x--- 3 root www-data 4096 Oct 4 12:55 vpn-admin-portal/
drwxr-x--- 3 root www-data 4096 Oct 4 12:55 vpn-server-api/
drwxr-x--- 3 root nogroup 4096 Oct 4 12:55 vpn-server-node/
drwxr-x--- 3 root www-data 4096 Oct 4 12:55 vpn-user-portal/

Therefore, this issue is solved.