fix permissions of /etc folders
This is about the /etc/vpn-* folders installed by the packages.
Fix this in the PACKAGE, not in the deploy_debian script.
Use dh_perms or dh_permissions and not these ugly postinst hacks.
Also /etc/php-saml-ds.
The dpkg packages internally use a tarball. AFAIK, tar files only contain numeric IDs for files. However, Debian does not have static UIDs for system users. Although www-data in most cases has UID 33, this is not guaranteed.
I do not have experience with dh_perm*; I think most packages use a postinst script to correct those user rights.
Currently there is an 'install' file used to create files. I think it is better to use the install command to be sure folders are created with the right mode, and to use a postinst script to change to the correct user if required. But if I recall correctly, everything in /etc/vpn* is owned by root.
Yeah, but that is not good. For example on CentOS (ls -l /etc/ | grep vpn):
drwxr-x---. 3 root apache 21 Mar 29 15:01 vpn-admin-portal
drwxr-x---. 3 root apache 21 Apr 17 08:42 vpn-server-api
drwxr-x---. 3 root openvpn 41 Apr 17 08:43 vpn-server-node
drwxr-x---. 3 root apache 21 Apr 20 13:58 vpn-user-portal
Only group apache and group openvpn need to be able to read some stuff, not all (system) users. On Debian this would be www-data and I think nogroup, as OpenVPN does not have its own group...
I believe the current best way to deal with this is doing it "manually" in postinst. Beware: take precautions about the availability of the www-data group on the system and fail in a sane way if this group is not present. AFAIK there is no dh_perm* (there is dh_fixperms, which is not applicable here).
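As an added illustration of the postinst approach described in the comment above (example code, not the eduvpn packages' own maintainer scripts), the snippet below hands a config directory to the service group as root:GROUP 0750, strips the world-readable bits from everything beneath it, and refuses to continue when the group is missing instead of silently leaving the directory readable by every user. The function name fix_config_dir, the 0750 mode and the directory names in the configure branch are assumptions for the example.

```shell
#!/bin/sh
# Hypothetical postinst fragment (added example, not the eduvpn packages'
# own maintainer script). Debian calls postinst as "postinst configure ...".
set -e

# fix_config_dir DIR GROUP [MODE]
#   Makes DIR root-owned (owner untouched), group GROUP, mode MODE (0750 by
#   default) and removes all "other" bits below it.
#   Exit status: 0 ok, 1 GROUP does not exist, 2 DIR is not a directory.
fix_config_dir() {
    dir=$1
    group=$2
    mode=${3:-0750}

    # Fail in a sane way: a missing group is a packaging/system error, not
    # something to paper over with a world-readable fallback.
    if ! getent group "$group" >/dev/null 2>&1; then
        echo "postinst: group '$group' does not exist; not changing $dir" >&2
        return 1
    fi
    if [ ! -d "$dir" ]; then
        echo "postinst: $dir is not a directory" >&2
        return 2
    fi

    # Only the service group gets read/traverse access; everyone else loses it.
    chgrp -R "$group" "$dir"
    chmod "$mode" "$dir"
    chmod -R o-rwx "$dir"
}

# Convenience check: the first ten characters of "ls -ld" output, e.g.
# "drwxr-x---", ignoring any trailing ACL/SELinux marker ("+" or ".").
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# Only run the real work when dpkg invokes us with "configure".
case "${1:-}" in
    configure)
        # On Debian the web code runs as www-data; OpenVPN has no group of its
        # own there, so the node directory is handed to nogroup (assumed here).
        fix_config_dir /etc/vpn-user-portal www-data
        fix_config_dir /etc/vpn-admin-portal www-data
        fix_config_dir /etc/vpn-server-api www-data
        fix_config_dir /etc/vpn-server-node nogroup
        ;;
esac
```

Because chgrp -R touches every file under the directory, run this after the package's own files are unpacked (which is the case in postinst) and keep the directory list in sync with what the package ships.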
@joostvb-gh this is fixed now for all packages?
Executing https://raw.githubusercontent.com/eduvpn/documentation/master/deploy_debian.sh on a debian/stable system today leads to:
joostvb@oganj:~% ls -l /etc | grep vpn-
drwxr-x--- 3 root www-data 4096 Oct 4 12:55 vpn-admin-portal/
drwxr-x--- 3 root www-data 4096 Oct 4 12:55 vpn-server-api/
drwxr-x--- 3 root nogroup 4096 Oct 4 12:55 vpn-server-node/
drwxr-x--- 3 root www-data 4096 Oct 4 12:55 vpn-user-portal/
Therefore, this issue is solved.