
Fix: Files shouldn't be owned or writeable by httpd unless necessary.

Sven Neuhaus 9 年之前
父節點
當前提交
a849a49f37

+ 1
- 1
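--- a/roles/blog/tasks/blog.yml
+++ b/roles/blog/tasks/blog.yml
@@ -1,5 +1,5 @@
 - name: Create directory for blog HTML
-  file: state=directory path=/var/www/{{ domain }} group=www-data owner=www-data
+  file: state=directory path=/var/www/{{ domain }} group=www-data owner={{ main_user_name }}
 
 - name: Rename existing Apache blog virtualhost
   command: mv /etc/apache2/sites-available/{{ domain }} /etc/apache2/sites-available/{{ domain }}.conf removes=/etc/apache2/sites-available/{{ domain }}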
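Review bot: None of the changed tasks pins a `mode`, so changing the owner of `/var/www/{{ domain }}` does not by itself take write access away from httpd: the `file` and `template` modules leave an existing path's permission bits alone when `mode` is omitted, and the directory keeps group `www-data`. If the directory or file already exists group-writable on a host, httpd can still write to it; I would add `mode=0755` here and `mode=0644` to the `template` tasks that only swap the owner in roles/git/tasks/cgit.yml, roles/mailserver/tasks/autoconfig.yml, roles/news/tasks/selfoss.yml (config.ini) and roles/readlater/tasks/wallabag.yml (config.inc.php). This is also the only hunk that hands ownership to `{{ main_user_name }}` instead of root, which looks intentional (the user publishes the HTML) but deserves a comment such as `# owned by the main user so they can publish; httpd only needs read access`.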

+ 1
- 1
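--- a/roles/git/tasks/cgit.yml
+++ b/roles/git/tasks/cgit.yml
@@ -30,7 +30,7 @@
 - name: Copy cgitrc
   template: src=etc_cgitrc.j2 dest=/etc/cgitrc
             group=www-data
-            owner=www-data
+            owner=root
 
 - name: Rename existing Apache cgit virtualhost
   command: mv /etc/apache2/sites-available/cgit /etc/apache2/sites-available/cgit.conf removes=/etc/apache2/sites-available/cgit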

+ 3
- 3
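--- a/roles/mailserver/tasks/autoconfig.yml
+++ b/roles/mailserver/tasks/autoconfig.yml
@@ -5,13 +5,13 @@
 #
 
 - name: Create directory for mail autoconfiguration virtualhost
-  file: state=directory path=/var/www/autoconfig group=www-data owner=www-data
+  file: state=directory path=/var/www/autoconfig group=www-data owner=root
 
 - name: Create directory holding the autoconfig XML file
-  file: state=directory path=/var/www/autoconfig/mail group=www-data owner=www-data
+  file: state=directory path=/var/www/autoconfig/mail group=www-data owner=root
 
 - name: Create the autoconfig XML file
-  template: src=var_www_autoconfig_mail_config-v1.1.j2 dest=/var/www/autoconfig/mail/config-v1.1.xml group=www-data owner=www-data
+  template: src=var_www_autoconfig_mail_config-v1.1.j2 dest=/var/www/autoconfig/mail/config-v1.1.xml group=www-data owner=root
 
 - name: Configure the mail autoconfiguration virtualhost
   template: src=etc_apache2_sites-available_autoconfig.j2 dest=/etc/apache2/sites-available/autoconfig.conf group=root owner=root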

+ 14
- 3
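--- a/roles/news/tasks/selfoss.yml
+++ b/roles/news/tasks/selfoss.yml
@@ -3,8 +3,19 @@
       dest=/var/www/selfoss
       accept_hostkey=yes
 
-- name: Set selfoss permissions
-  action: file owner=www-data group=www-data path=/var/www/selfoss recurse=yes state=directory
+- name: Set selfoss ownership
+  action: file owner=root group=www-data path=/var/www/selfoss recurse=yes state=directory
+
+# only data/cache, data/favicons, data/logs, data/thumbnails, data/sqlite public/ should be writeable by httpd
+- name: Set selfoss permission
+  action: file path=/var/www/selfoss/{{ item }} permission=775
+  with_items:
+    - data/cache
+    - data/favicons
+    - data/logs
+    - data/thumbnails
+    - data/sqlite
+    - public
 
 - name: Install selfoss dependencies
   apt: pkg={{ item }} state=present
@@ -20,7 +31,7 @@
   postgresql_db: login_host=localhost login_user={{ db_admin_username }} login_password="{{ db_admin_password }}" name={{ selfoss_db_database }} state=present owner={{ selfoss_db_username }}
 
 - name: Install selfoss config.ini
-  template: src=var_www_selfoss_config.ini.j2 dest=/var/www/selfoss/config.ini group=www-data owner=www-data
+  template: src=var_www_selfoss_config.ini.j2 dest=/var/www/selfoss/config.ini group=www-data owner=root
 
 - name: Enable Apache rewrite module
   command: a2enmod rewrite creates=/etc/apache2/mods-enabled/rewrite.load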
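Review bot: The new `Set selfoss permission` task in the first hunk passes `permission=775`, but the `file` module has no `permission` argument (the parameter is `mode`, which the wallabag change in this same commit uses), so the task fails at runtime instead of granting httpd the intended write access. The line should read `action: file path=/var/www/selfoss/{{ item }} mode=0775 state=directory`, with `state=directory` making the intent explicit and matching the wallabag task. Separately, the recursive chown to root just above only changes ownership: a file already inside `data/sqlite` or `data/cache` that was writable only by its owner stays at that mode and is now root-owned, so httpd can no longer write to it even once the directory is group-writable; on a host that already has data this probably needs `recurse=yes` or a dedicated task for the existing files, which is worth verifying. The task comment could also be tightened to `# only data/cache, data/favicons, data/logs, data/thumbnails, data/sqlite and public/ should be writeable by httpd`.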

+ 13
- 3
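--- a/roles/readlater/tasks/wallabag.yml
+++ b/roles/readlater/tasks/wallabag.yml
@@ -48,17 +48,27 @@
            chdir=/var/www/wallabag
            creates=/var/www/wallabag/vendor/autoload.php
 
-- name: Set wallabag permissions
-  file: owner=www-data
+- name: Set wallabag ownership
+  file: owner=root
         group=www-data
         path=/var/www/wallabag
         recurse=yes
         state=directory
 
+# the httpd only needs write access to the wallabag assets, cache and db directories
+- name: Set wallabag assets, cache and db permissions
+  file: path=/var/www/wallabag/{{ item }}
+        mode=0775
+        state=directory
+  with_items:
+    - assets
+    - cache
+    - db
+
 - name: Create the configuration file
   template: src=var_www_wallabag_inc_poche_config.inc.php.j2
             dest=/var/www/wallabag/inc/poche/config.inc.php
-            owner=www-data
+            owner=root
             group=www-data
 
 - name: Rename existing Apache wallabag virtualhost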
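Review bot: The new `Set wallabag assets, cache and db permissions` task sets `mode=0775` without `recurse=yes`, so only the three directories themselves become group-writable; files already inside them (for example a database file under `db/`) keep their old mode but are now root-owned after the recursive chown just above, and any file that was writable only by its owner is no longer writable by httpd. If these directories can hold pre-existing files on an upgraded host, either add `recurse=yes` to this task (bearing in mind it would put 0775 on regular files as well) or handle the existing files explicitly. The `Create the configuration file` task at the end of the hunk still pins no `mode`; since config.inc.php presumably carries database credentials, `mode=0640` would keep it readable by httpd through the `www-data` group without being world-readable.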
