From: root Date: Thu, 6 Nov 2008 13:50:44 +0000 (+0100) Subject: system: Add script to fix users and permissions for a site. X-Git-Url: https://git.stderr.nl/gitweb?a=commitdiff_plain;h=98d18b9c77861e26629c5e7769f71370eb394af1;p=matthijs%2Fservers%2Fdrsnuggles.git system: Add script to fix users and permissions for a site. --- diff --git a/usr/local/bin/addsite b/usr/local/bin/addsite new file mode 100755 index 0000000..00fa24b --- /dev/null +++ b/usr/local/bin/addsite @@ -0,0 +1,125 @@ +#!/bin/sh + +if [ "$1" = "-h" -o "$1" = "--help" -o $# -ne 1 ]; then + echo "Usage $0 " + echo " is the full path to the site, such as /var/www/example.nl" + echo "which is created if it does not exist yet. If it exists, it's" + echo "permissions are reset". + exit 0 +fi + +HTTPD_USER=www-data +# The primary group of the created user +HTTPD_USERS_GID=1002 +# The template to copy +TEMPLATE_DIR=/data/www/template +# The bases to create users under +USERBASE=ou=Users,dc=drsnuggles,dc=stderr,dc=nl +GROUPBASE=ou=Groups,dc=drsnuggles,dc=stderr,dc=nl +# PHP config to change the error_log setting in +PHP_CONFIG=conf/php.ini.override +# PHP error logfile to set error_log to +PHP_ERRORLOG=logs/php.log + +DIR=$1 + +if [ -e "$DIR" -a ! -d "$DIR" ]; then + echo "$DIR" must be a directory, or not exist yet. + exit 1; +fi + +# Strip prefix +SITE=`basename $DIR` + +# replace . with - +GROUP=`echo $SITE | sed s/\\\\./-/g` +SCRIPT_USER="httpd-$GROUP" + +if getent passwd | grep $SCRIPT_USER &> /dev/null && getent group | grep $GROUP &> /dev/null; then + echo "$SCRIPT_USER and/or $GROUP already exists, skipping account creation" +else + # find a uid + ID=2000 + while getent passwd | cut -f 3 -d: | grep "^$ID\$" &>/dev/null && getent group | cut -f 3 -d: | grep "^$ID\$" &> /dev/null; do + ((ID++)) + done; + + echo Found uid/gid $ID for $SCRIPT_USER/$GROUP + + # Create a user for scripts to run as, and a group to give write permissions to + # files. + ldapvi --profile bind --add --in --ldapvi < /dev/null && getent group | grep $GROUP &> /dev/null; then + echo "$SCRIPT_USER and $GROUP created succesfully" +else + echo "User or group creation failed" + exit 1 +fi + +if [ -e "$DIR" ]; then + echo "Skipping creation of $DIR, it already exists"; +else + # Create $DIR from $TEMPLATE_DIR, if it does not exist yet + echo "Creating $DIR from $TEMPLATE_DIR" + cp -R "$TEMPLATE_DIR" "$DIR" +fi + +echo "Setting up permissions" +# Set up permissions +sudo chown -R 0:$GROUP "$DIR" + +# By default, let the owner have write access, the group have read access +sudo setfacl -R --set d:u::rwX,d:g::rX,d:o::-,u::rwX,g::rX,o::- "$DIR" + +# Give the group write access to htdocs and conf +sudo setfacl -R -m g::rwX "$DIR/htdocs" "$DIR/conf" + +# Give lighttpd read access to the dir itself +sudo setfacl -R -m u:$HTTPD_USER:rx "$DIR" + +# Allow lighttpd to read anything in htdocs +sudo setfacl -m d:u:$HTTPD_USER:rX,u:$HTTPD_USER:rX "$DIR/htdocs" + +# Allow lighttpd to write new files in logs (but not touch existing!) +sudo setfacl -m u:$HTTPD_USER:rwX "$DIR/logs" + +# Allow scripts to read anything in applications, htdocs and conf +sudo setfacl -R -m d:u:$SCRIPT_USER:rX,u:$SCRIPT_USER:rX "$DIR/applications" "$DIR/htdocs" "$DIR/conf" + +# Allow scripts to create new files in logs and data (but not touch existing!) +sudo setfacl -R -m d:u:$SCRIPT_USER:rwX,u:$SCRIPT_USER:rwX "$DIR/logs" "$DIR/data" + +# Temp, chown existing log files +sudo sh -c "chown -R $SCRIPT_USER \"$DIR\"/logs/php.log* \"$DIR\"/logs/wipi.log*" +sudo sh -c "chown -R $HTTPD_USER \"$DIR\"/logs/access.log*" + +# Now, set the error_log setting in php.ini + +echo Updating `basename $PHP_CONFIG` + +sudo sed -i "s#^error_log *=.*#error_log = $DIR/$PHP_ERRORLOG#" "$DIR/$PHP_CONFIG" + + +# Done! +echo "Done!" +echo "Now add human users to $GROUP." +echo "Also add this site to /usr/local/sbin/spawn-fcgi.sh and enable" +echo "fcgi in lighttpd if dynamic content is required."