From e1a352919f71d13c692c0c7da4e900a781ee7c23 Mon Sep 17 00:00:00 2001
From: Bob Mottram
Date: Tue, 29 Nov 2016 15:00:40 +0000
Subject: [PATCH] No permissions on shadow most of the time

---
 src/freedombone-addsipuser | 4 ++++
 src/freedombone-adduser | 4 ++--
 src/freedombone-app-pihole | 4 ++++
 src/freedombone-app-sip | 8 ++++++++
 src/freedombone-app-tox | 4 ++++
 src/freedombone-app-xmpp | 4 ++++
 src/freedombone-base-email | 8 ++++++++
 src/freedombone-config | 4 ++++
 src/freedombone-mirrors | 4 ++++
 src/freedombone-rmuser | 4 ++--
 src/freedombone-utils-web | 4 ++++
 11 files changed, 48 insertions(+), 4 deletions(-)

diff --git a/src/freedombone-addsipuser b/src/freedombone-addsipuser
index c6c2d235..c8969d59 100755
--- a/src/freedombone-addsipuser
+++ b/src/freedombone-addsipuser
@@ -105,7 +105,11 @@ function add_sip_user {
 echo $line >> $NEW_CONFIG_FILE
 done < $CONFIG_FILE
 mv $NEW_CONFIG_FILE $CONFIG_FILE
+ chmod 600 /etc/shadow
+ chmod 600 /etc/gshadow
 usermod -aG sipwitch $MY_USERNAME
+ chmod 0000 /etc/shadow
+ chmod 0000 /etc/gshadow
 }
 while [[ $# > 1 ]]
diff --git a/src/freedombone-adduser b/src/freedombone-adduser
index 19782046..56ad1d16 100755
--- a/src/freedombone-adduser
+++ b/src/freedombone-adduser
@@ -75,8 +75,8 @@ fi
 MINIMUM_PASSWORD_LENGTH=$(cat /usr/share/${PROJECT_NAME}/utils/${PROJECT_NAME}-utils-passwords | grep 'MINIMUM_PASSWORD_LENGTH=' | head -n 1 | awk -F '=' '{print $2}')
 NEW_USER_PASSWORD="$(openssl rand -base64 30 | cut -c1-${MINIMUM_PASSWORD_LENGTH})"
-chmod 700 /etc/shadow
-chmod 700 /etc/gshadow
+chmod 600 /etc/shadow
+chmod 600 /etc/gshadow
 useradd -m -p "$NEW_USER_PASSWORD" -s /bin/bash $ADD_USERNAME
 adduser $ADD_USERNAME sasl
 chmod 0000 /etc/shadow
diff --git a/src/freedombone-app-pihole b/src/freedombone-app-pihole
index 153c77f0..9d471213 100755
--- a/src/freedombone-app-pihole
+++ b/src/freedombone-app-pihole
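Review bot: The `chmod 0000` pair after `usermod -aG sipwitch $MY_USERNAME` is skipped whenever usermod fails and the script is running under `set -e` (the shebang and options are outside this hunk, so this is an assumption), leaving both files at 600 — and the same four-line dance is pasted into ten other places in this patch. A small wrapper that captures the exit status and restores 0000 on every path fixes both, and lets the call site shrink to `run_with_shadow_unlocked usermod -aG sipwitch "$MY_USERNAME"` (quoting the username, which is unquoted here). `chmod` takes several operands, so each direction needs only one call. Where the helper lives depends on what these scripts source, which is not visible here; add_sip_user starts before this hunk.
```shell
# Run a command with /etc/shadow and /etc/gshadow temporarily writable.
# The files are kept at mode 0000 otherwise; this restores that mode even
# when the command fails, instead of leaving them at 600 under `set -e`.
function run_with_shadow_unlocked {
    local rv=0
    chmod 600 /etc/shadow /etc/gshadow
    "$@" || rv=$?
    chmod 0000 /etc/shadow /etc/gshadow
    return $rv
}

# … unchanged: config rewrite loop and mv in add_sip_user …
    run_with_shadow_unlocked usermod -aG sipwitch "$MY_USERNAME"
```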
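Review bot: Leaving `/etc/shadow` at mode 0000 (the context line after `adduser $ADD_USERNAME sasl`) locks out the setgid-shadow `unix_chkpwd` helper that `pam_unix` uses to verify passwords for non-root callers, so any service that authenticates system users through PAM without running as root will fail while the file is in its "locked" state; whether anything on this box does is not visible from this hunk. Debian's default `0640 root:shadow` already denies every ordinary user, so it is worth confirming that 0000 buys anything before keeping it. The 700→600 change itself is correct — the execute bit on a file that is never executed does nothing. Separately, `useradd -p` expects a crypt(3) hash, so passing the raw `$NEW_USER_PASSWORD` stores a string no typed password will match; that predates this commit but sits inside the window it creates.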
@@ -346,7 +346,11 @@ function remove_pihole {
 function install_pihole {
 apt-get -yq install dnsmasq curl
 adduser --disabled-login --gecos 'pi-hole' pihole
+ chmod 600 /etc/shadow
+ chmod 600 /etc/gshadow
 usermod -a -G www-data pihole
+ chmod 0000 /etc/shadow
+ chmod 0000 /etc/gshadow
 systemctl enable dnsmasq
diff --git a/src/freedombone-app-sip b/src/freedombone-app-sip
index d9f5e578..3dddd397 100755
--- a/src/freedombone-app-sip
+++ b/src/freedombone-app-sip
@@ -77,7 +77,11 @@ function add_user_sip {
 # add user to the sipwitch group
 if [ -f /etc/sipwitch.conf ]; then
+ chmod 600 /etc/shadow
+ chmod 600 /etc/gshadow
 usermod -aG sipwitch $new_username
+ chmod 0000 /etc/shadow
+ chmod 0000 /etc/gshadow
 fi
 # add user for SIP STUN/TURN
@@ -300,7 +304,11 @@ function install_sip_main {
 sed -i 's|#PLUGINS=|PLUGINS=|g' /etc/default/sipwitch
 sed -i 's|PLUGINS=.*|PLUGINS="zeroconf subscriber forward"|g' /etc/default/sipwitch
 groupadd sipwitch
+ chmod 600 /etc/shadow
+ chmod 600 /etc/gshadow
 usermod -aG sipwitch $MY_USERNAME
+ chmod 0000 /etc/shadow
+ chmod 0000 /etc/gshadow
 SIP_ONION_HOSTNAME=$(add_onion_service sip ${SIP_PORT} ${SIP_PORT})
diff --git a/src/freedombone-app-tox b/src/freedombone-app-tox
index 3500c487..f97ce2b6 100755
--- a/src/freedombone-app-tox
+++ b/src/freedombone-app-tox
@@ -506,7 +506,11 @@ EOF
 chroot ${rootdir} /usr/sbin/useradd --home-dir /var/lib/tox-bootstrapd --create-home --system --shell /sbin/nologin --comment $"Account to run Tox's DHT bootstrap daemon" --user-group tox-bootstrapd
 chroot ${rootdir} /bin/chmod 700 /var/lib/tox-bootstrapd
 else
+ chmod 600 /etc/shadow
+ chmod 600 /etc/gshadow
 useradd --home-dir /var/lib/tox-bootstrapd --create-home --system --shell /sbin/nologin --comment $"Account to run Tox's DHT bootstrap daemon" --user-group tox-bootstrapd
+ chmod 0000 /etc/shadow
+ chmod 0000 /etc/gshadow
 chmod 700 /var/lib/tox-bootstrapd
 fi
diff --git a/src/freedombone-app-xmpp b/src/freedombone-app-xmpp
index da1df539..272d81d7 100755
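Review bot: `adduser --disabled-login --gecos 'pi-hole' pihole`, the context line just above the new `chmod 600`, writes to /etc/shadow and /etc/gshadow exactly as `usermod -a -G www-data pihole` does, yet it runs while both files are still at 0000. Either it fails too and the relaxation should move up one line (`chmod 600 /etc/shadow /etc/gshadow` before the `adduser`), or it succeeds and the relaxation is not needed for usermod either — root is normally exempt from these mode bits, so it is worth testing which. A comment naming the actual failure the chmod works around would help the next reader. install_pihole continues past the end of this hunk.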
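Review bot: The four new `chmod` lines inside the `if [ -f /etc/sipwitch.conf ]` branch can be two: `chmod` accepts several operands, so `chmod 600 /etc/shadow /etc/gshadow` before and `chmod 0000 /etc/shadow /etc/gshadow` after `usermod` say the same thing with half the lines, and make it harder for one half of the pair to drift when this block is copied again. `$new_username` in the usermod line should also be quoted. add_user_sip starts before and continues after this hunk.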
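Review bot: `groupadd sipwitch`, the context line just above the new `chmod 600`, rewrites /etc/gshadow while it is still at 0000, so the hunk is inconsistent about which shadow-utils commands need the relaxation; if groupadd succeeds at 0000, `usermod -aG sipwitch $MY_USERNAME` should be tried at 0000 before this pair is kept. If usermod genuinely fails, move the `chmod 600` pair above `groupadd sipwitch` so both calls run inside the window. `$MY_USERNAME` is unquoted in the usermod line. install_sip_main continues outside this hunk.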
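Review bot: Only the non-chroot branch gets the `chmod 600`/`chmod 0000` wrapping; the `chroot ${rootdir} /usr/sbin/useradd ...` branch two lines above it will hit the same failure if the image under `${rootdir}` has already had its shadow files set to 0000 by an earlier build step, which this hunk cannot show. If that can happen, mirror the pair with `chroot ${rootdir} /bin/chmod 600 /etc/shadow /etc/gshadow` and the matching 0000 call, the same way the existing `chroot ${rootdir} /bin/chmod 700 /var/lib/tox-bootstrapd` line already does. Otherwise a comment saying the image keeps Debian's default mode would make the asymmetry look deliberate. The surrounding if/else starts before this hunk.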
--- a/src/freedombone-app-xmpp
+++ b/src/freedombone-app-xmpp
@@ -363,7 +363,11 @@ function install_xmpp_main {
 fi
 groupadd default
+ chmod 600 /etc/shadow
+ chmod 600 /etc/gshadow
 usermod -g default prosody
+ chmod 0000 /etc/shadow
+ chmod 0000 /etc/gshadow
 chown root:default /etc/ssl/private/xmpp.*
 chown root:default /etc/ssl/certs/xmpp.*
diff --git a/src/freedombone-base-email b/src/freedombone-base-email
index d62549ac..82fc75e0 100755
--- a/src/freedombone-base-email
+++ b/src/freedombone-base-email
@@ -594,9 +594,13 @@ function create_private_mailing_list {
 update-exim4.conf.template -r
 update-exim4.conf
 systemctl restart exim4
+ chmod 600 /etc/shadow
+ chmod 600 /etc/gshadow
 useradd -d /var/schleuderlists -s /bin/false schleuder
 adduser Debian-exim schleuder
 usermod -a -G mail schleuder
+ chmod 0000 /etc/shadow
+ chmod 0000 /etc/gshadow
 #exim -d -bt $PRIVATE_MAILING_LIST@$DEFAULT_DOMAIN_NAME
 mark_completed $FUNCNAME
 }
@@ -1277,8 +1281,12 @@ function configure_imap {
 fi
 fi
+ chmod 600 /etc/shadow
+ chmod 600 /etc/gshadow
 groupadd default
 usermod -g default dovecot
+ chmod 0000 /etc/shadow
+ chmod 0000 /etc/gshadow
 chown root:default /etc/ssl/certs/dovecot.*
 chown root:default /etc/ssl/private/dovecot.*
diff --git a/src/freedombone-config b/src/freedombone-config
index dfe1ee6a..c62320d5 100755
--- a/src/freedombone-config
+++ b/src/freedombone-config
@@ -636,7 +636,11 @@ function choose_username {
 if [ ${#possible_username} -gt 1 ]; then
 if [[ $possible_username != $GENERIC_IMAGE_USERNAME ]]; then
 MY_USERNAME=$(cat $data)
+ chmod 600 /etc/shadow
+ chmod 600 /etc/gshadow
 useradd -m -s /bin/bash $MY_USERNAME
+ chmod 0000 /etc/shadow
+ chmod 0000 /etc/gshadow
 if [ -d /home/$MY_USERNAME ]; then
 echo "${MY_USERNAME}:$(printf `cat $IMAGE_PASSWORD_FILE`)" | chpasswd
 # Add the user as a sudoer - they will be the new admin user
diff --git a/src/freedombone-mirrors b/src/freedombone-mirrors
index cdb9a332..f45f8f96 100755
--- a/src/freedombone-mirrors
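Review bot: `groupadd default`, the context line directly above the new `chmod 600`, returns non-zero when the group already exists — and it will exist if `configure_imap` in freedombone-base-email (also in this patch) ran first, since that function creates the same `default` group; under `set -e` (not visible here) the function then exits before `usermod -g default prosody` ever runs, so prosody never gets the group that the `chown root:default` lines below rely on. Guard it with `getent group default >/dev/null || groupadd default`. Note also that groupadd rewrites /etc/gshadow outside the window while usermod is inside it; the placement should match whichever command actually fails at 0000. install_xmpp_main starts before this hunk.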
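Review bot: The window here spans three shadow-utils calls (`useradd ... schleuder`, `adduser Debian-exim schleuder`, `usermod -a -G mail schleuder`), so a failure in any of them — for instance `useradd` on a re-run where the `schleuder` account already exists — skips the `chmod 0000` pair if the script runs under `set -e`, which the hunk does not show. Capturing each status (`useradd -d /var/schleuderlists -s /bin/false schleuder || rv=$?`, and likewise for the next two calls) and restoring 0000 before returning `$rv` keeps the invariant on every path. Alternatively, a single call each way, `chmod 600 /etc/shadow /etc/gshadow` and `chmod 0000 /etc/shadow /etc/gshadow`, halves the number of lines that have to stay in sync.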
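Review bot: `groupadd default` now runs inside the relaxed-permission window, and it returns non-zero when the group already exists — which it will if `install_xmpp_main` (elsewhere in this patch) ran first, since that function creates the same `default` group. Under `set -e` (not visible here) that exits before the `chmod 0000` pair, leaving both files at 600; guard it with `getent group default >/dev/null || groupadd default`. Sharing one `default` group between dovecot and prosody also means each daemon can read the other's private key via the `chown root:default` lines below; that predates this commit but is worth a look. configure_imap starts before this hunk.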
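Review bot: `chpasswd` on the context line two below the new `chmod 0000` also rewrites /etc/shadow, so it runs outside the window the hunk creates for `useradd -m -s /bin/bash $MY_USERNAME`; if useradd really needs 600 then chpasswd will fail at 0000, and if chpasswd works at 0000 the relaxation is unneeded for useradd as well — root normally ignores these mode bits, so one of the two is redundant and it is worth testing which. If the window is needed, extend it past the `chpasswd` line. `$MY_USERNAME` is unquoted, and `printf \`cat $IMAGE_PASSWORD_FILE\`` uses the password as a printf format string, so a `%` in it is mangled; both predate this commit. choose_username continues outside this hunk.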
+++ b/src/freedombone-mirrors
@@ -100,7 +100,11 @@ function create_mirrors_user {
 MY_MIRRORS_PASSWORD="$(openssl rand -base64 20 | cut -c1-18)"
 fi
+ chmod 600 /etc/shadow
+ chmod 600 /etc/gshadow
 useradd -m -p "$MY_MIRRORS_PASSWORD" -s /bin/bash mirrors
+ chmod 0000 /etc/shadow
+ chmod 0000 /etc/gshadow
 # remove any existing user files
 rm -rf /home/mirrors/*
diff --git a/src/freedombone-rmuser b/src/freedombone-rmuser
index f9d63186..6f419812 100755
--- a/src/freedombone-rmuser
+++ b/src/freedombone-rmuser
@@ -136,8 +136,8 @@ do
 fi
 done
-chmod 700 /etc/shadow
-chmod 700 /etc/gshadow
+chmod 600 /etc/shadow
+chmod 600 /etc/gshadow
 userdel -r $REMOVE_USERNAME
 chmod 0000 /etc/shadow
 chmod 0000 /etc/gshadow
diff --git a/src/freedombone-utils-web b/src/freedombone-utils-web
index f81116bf..66dc6cc1 100755
--- a/src/freedombone-utils-web
+++ b/src/freedombone-utils-web
@@ -436,7 +436,11 @@ function install_dynamicdns {
 fi
 # create an unprivileged user
+ #chmod 600 /etc/shadow
+ #chmod 600 /etc/gshadow
 #useradd -r -s /bin/false debian-inadyn
+ #chmod 0000 /etc/shadow
+ #chmod 0000 /etc/gshadow
 # create a configuration file
 echo 'background' > /etc/inadyn.conf
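Review bot: Nothing in this hunk records the invariant the new `chmod` lines maintain — that /etc/shadow and /etc/gshadow are kept at mode 0000 between account operations — so a reader of create_mirrors_user sees a user being created and the password database being locked down as a side-effect, with no hint that the same dance exists in ten other scripts. A one-line comment above the first chmod, `# /etc/shadow and /etc/gshadow are kept at 0000; open them only while useradd runs`, would make the intent explicit. On a system whose files are still at Debian's 0640 root:shadow this function silently tightens them on first run, which is worth saying too. Separately, `useradd -p` expects a crypt(3) hash, so the raw `$MY_MIRRORS_PASSWORD` stored here will not match at login; that predates this commit. create_mirrors_user continues past this hunk.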
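Review bot: The 700→600 change is right — the execute bit on a file that is never executed buys nothing — but the hunk still does not say why `userdel -r $REMOVE_USERNAME` needs the files opened at all: root is normally exempt from these mode bits (CAP_DAC_OVERRIDE), so it is not obvious from the script what fails at 0000, and without that the next maintainer cannot tell whether the pair can be dropped. A comment above the first chmod stating the observed failure, along the lines of `# userdel could not update these files at mode 0000; relaxed for this call only`, would settle it. `$REMOVE_USERNAME` in the userdel line should be quoted, and `chmod 600 /etc/shadow /etc/gshadow` would do both files in one call.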