From 1cea4926564ac22afa3551ffaaf3000c3ecc80b7 Mon Sep 17 00:00:00 2001
From: Bob Mottram
Date: Sun, 7 Jan 2018 12:09:16 +0000
Subject: [PATCH] Ownership permissions on lockdown of letsencrypt
---
 src/freedombone-addcert | 2 ++
 src/freedombone-utils-setup | 1 +
 tests/output.sh | 4 +++-
 3 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/freedombone-addcert b/src/freedombone-addcert
index 725692f5..350aac33 100755
--- a/src/freedombone-addcert
+++ b/src/freedombone-addcert
@@ -239,6 +239,7 @@ function add_cert_letsencrypt {
 chgrp -R ssl-cert /etc/letsencrypt
 chmod -R 600 /etc/letsencrypt
 chmod -R g=rX /etc/letsencrypt
+ chown -R root:ssl-cert /etc/letsencrypt
 systemctl start nginx
 exit 63216
 fi
@@ -288,6 +289,7 @@ function add_cert_letsencrypt {
 chgrp -R ssl-cert /etc/letsencrypt
 chmod -R 600 /etc/letsencrypt
 chmod -R g=rX /etc/letsencrypt
+ chown -R root:ssl-cert /etc/letsencrypt
 nginx_ensite ${LETSENCRYPT_HOSTNAME}
 systemctl start nginx
 
diff --git a/src/freedombone-utils-setup b/src/freedombone-utils-setup
index 7849cfea..51a1ca74 100755
--- a/src/freedombone-utils-setup
+++ b/src/freedombone-utils-setup
@@ -645,6 +645,7 @@ function lockdown_permissions {
 if [ -d /etc/letsencrypt ]; then
 chmod -R 600 /etc/letsencrypt
 chmod -R g=rX /etc/letsencrypt
+ chown -R root:ssl-cert /etc/letsencrypt
 fi
 chown -f root:root /etc/motd /etc/issue*
 chmod -f 0444 /etc/motd /etc/issue*
diff --git a/tests/output.sh b/tests/output.sh
index 08b18fee..774612f4 100644
--- a/tests/output.sh
+++ b/tests/output.sh
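Review bot: The added `chown -R root:ssl-cert /etc/letsencrypt` in both add_cert_letsencrypt hunks (and the same line in lockdown_permissions in freedombone-utils-setup) is not guarded, so on a host where the ssl-cert group does not exist it prints "invalid group" and returns non-zero, unlike the neighbouring `chown -f root:root /etc/motd ...` which is forced. Its only new effect over the preceding `chgrp -R ssl-cert` is making root the owner, so the failure mode is avoidable by checking the group first: `if getent group ssl-cert >/dev/null; then chown -R root:ssl-cert /etc/letsencrypt; fi`. A one-line comment stating the resulting model would also help the next reader, e.g. `# keys stay root-owned, mode 0600 plus group read so the ssl-cert group (presumably nginx, started just below) can load them` — the nginx part is inferred from the `systemctl start nginx` context line and should be confirmed. The body of add_cert_letsencrypt continues outside both hunks.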
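Review bot: The four-line permission reset of /etc/letsencrypt is now copied verbatim in three places (this lockdown_permissions hunk and twice in freedombone-addcert), which is how the owner line was presumably missed in the first place and how the next tightening will drift again. A single helper in this utils file, e.g. `lockdown_letsencrypt_permissions()` holding the chgrp/chmod/chmod/chown sequence and called from both scripts, keeps the three sites identical. Note that `chmod -R 600` followed by `chmod -R g=rX` leaves every file under archive/ group-readable, so the helper's header comment should say that group read on the private keys is intended rather than an oversight. lockdown_permissions starts before and continues after this hunk.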
@@ -488,7 +488,9 @@ time, are stored in the following directories by default:\n\n/lib\n/lib64\n/usr/
 find -L /lib \! -user root -exec ls -l {} \; | grep -v '> /dev/null'
 find -L /lib64 \! -user root -exec ls -l {} \;
 find -L /usr/lib \! -user root -exec ls -l {} \;
- find -L /usr/lib64 \! -user root -exec ls -l {} \;
+ if [ -d /usr/lib64 ]; then
+ find -L /usr/lib64 \! -user root -exec ls -l {} \;
+ fi
 ;;
 V-38469)
 if [ "$3" = "en" ]; then
 log_msg $2 'All system command files must have mode 755 or less permissive.'
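Review bot: The new `if [ -d /usr/lib64 ]` guard fixes only one of the two optional directories; the `find -L /lib64 \! -user root -exec ls -l {} \;` context line two lines above still runs unconditionally and errors on a missing path in exactly the same way (on 32-bit or ARM images, if this project targets them — not visible from the hunk). Wrap it identically: `if [ -d /lib64 ]; then` / `find -L /lib64 \! -user root -exec ls -l {} \;` / `fi`. Also, `[ -d ]` is true for a symlinked /lib64 and `find -L` follows it, so on a merged-/usr layout the same tree is listed twice; harmless for a report, but worth a comment so nobody "fixes" the duplicate output by dropping a check. The case arm this sits in starts outside the hunk.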