X-Git-Url: http://ftp.carnet.hr/carnet-debian/scm?p=ossec-hids.git;a=blobdiff_plain;f=debian%2Fpostinst;h=51a3d1244c14812d98bd12db5fd6f1776c90031f;hp=bdd90c16d89e82d3163c090342c0062d67c80ecb;hb=7c6b7207d40ed308c76099f45d20a32569d72906;hpb=5bf19bbc5825021a53a9a0ea408bc497400584d8
diff --git a/debian/postinst b/debian/postinst
index bdd90c1..51a3d12 100755
--- a/debian/postinst
+++ b/debian/postinst
@@ -30,26 +30,46 @@ if [ "X${DIRECTORY}" = "X" ]; then
 DIRECTORY="/var/ossec"
 fi
 
-# create users
+# create group
+if ! getent group $OSSEC_GROUP >/dev/null; then
+ addgroup --system $OSSEC_GROUP
+fi
+
+# create/modify users
 if ! getent passwd $OSSEC_USER >/dev/null; then
- adduser --quiet --system --no-create-home --home $DIRECTORY --shell /bin/false $OSSEC_USER
+ adduser --quiet --system --no-create-home \
+ --ingroup $OSSEC_GROUP \
+ --home $DIRECTORY --shell /bin/false $OSSEC_USER
+else
+ usermod -g $OSSEC_GROUP -s /bin/false \
+ -d $DIRECTORY $OSSEC_USER >/dev/null 2>&1
 fi
 if ! getent passwd $OSSEC_USER_MAIL >/dev/null; then
- adduser --quiet --system --no-create-home --home $DIRECTORY --shell /bin/false $OSSEC_USER_MAIL
+ adduser --quiet --system --no-create-home \
+ --ingroup $OSSEC_GROUP \
+ --home $DIRECTORY --shell /bin/false $OSSEC_USER_MAIL
+else
+ usermod -g $OSSEC_GROUP -s /bin/false \
+ -d $DIRECTORY $OSSEC_USER_MAIL >/dev/null 2>&1
 fi
 if ! getent passwd $OSSEC_USER_EXEC >/dev/null; then
- adduser --quiet --system --no-create-home --home $DIRECTORY --shell /bin/false $OSSEC_USER_EXEC
+ adduser --quiet --system --no-create-home \
+ --ingroup $OSSEC_GROUP \
+ --home $DIRECTORY --shell /bin/false $OSSEC_USER_EXEC
+else
+ usermod -g $OSSEC_GROUP -s /bin/false \
+ -d $DIRECTORY $OSSEC_USER_EXEC >/dev/null 2>&1
 fi
 if ! getent passwd $OSSEC_USER_REM >/dev/null; then
- adduser --quiet --system --no-create-home --home $DIRECTORY --shell /bin/false $OSSEC_USER_REM
-fi
-
-# create group
-if ! getent group $OSSEC_GROUP >/dev/null; then
- addgroup --system $OSSEC_GROUP
+ adduser --quiet --system --no-create-home \
+ --ingroup $OSSEC_GROUP \
+ --home $DIRECTORY --shell /bin/false $OSSEC_USER_REM
+else
+ usermod -g $OSSEC_GROUP -s /bin/false \
+ -d $DIRECTORY $OSSEC_USER_REM >/dev/null 2>&1
 fi
 
-# fix the permissions
+# fix ownership
 chown -R root:$OSSEC_GROUP $DIRECTORY
 chown -R $OSSEC_USER:$OSSEC_GROUP $DIRECTORY/queue/alerts
 chown -R $OSSEC_USER:$OSSEC_GROUP $DIRECTORY/queue/ossec
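Review bot: Each new `else` branch runs `usermod ... >/dev/null 2>&1` as the last command of the branch, so a failed account update (for example a user that cannot be modified because it is in use, or a typo in the group variable) produces no diagnostic and, depending on whether the script runs under `set -e` (not visible in this hunk), either silently continues into the chown block or aborts with no message. At minimum append a warning on failure, e.g. `-d $DIRECTORY $OSSEC_USER >/dev/null 2>&1 || echo "warning: usermod $OSSEC_USER failed" >&2`, on all four branches. The four near-identical create/modify blocks would also be easier to keep in sync as one helper called per account; a sketch follows. The group and account logic is fully contained in this hunk.
```shell
# create/modify users
ensure_ossec_user() {
    if ! getent passwd "$1" >/dev/null; then
        adduser --quiet --system --no-create-home \
            --ingroup "$OSSEC_GROUP" \
            --home "$DIRECTORY" --shell /bin/false "$1"
    else
        usermod -g "$OSSEC_GROUP" -s /bin/false \
            -d "$DIRECTORY" "$1" >/dev/null 2>&1 \
            || echo "warning: could not update account $1" >&2
    fi
}
for u in $OSSEC_USER $OSSEC_USER_MAIL $OSSEC_USER_EXEC $OSSEC_USER_REM; do
    ensure_ossec_user "$u"
done
# … unchanged: fix ownership …
```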
@@ -60,15 +80,49 @@ chown -R $OSSEC_USER_REM:$OSSEC_GROUP $DIRECTORY/queue/agent-info
 chown -R $OSSEC_USER_REM:$OSSEC_GROUP $DIRECTORY/queue/rids
 chown -R $OSSEC_USER:$OSSEC_GROUP $DIRECTORY/stats
 chown -R $OSSEC_USER:$OSSEC_GROUP $DIRECTORY/logs
+chown -R root:$OSSEC_GROUP $DIRECTORY/etc
 touch $DIRECTORY/logs/ossec.log
 chown $OSSEC_USER:$OSSEC_GROUP $DIRECTORY/logs/ossec.log
+chown $OSSEC_USER:$OSSEC_GROUP $DIRECTORY/.ssh
 chown -R root:$OSSEC_GROUP $DIRECTORY/rules
-chown root:$OSSEC_GROUP $DIRECTORY/var/run
 chown root:$OSSEC_GROUP $DIRECTORY/etc/decoder.xml
 chown root:$OSSEC_GROUP $DIRECTORY/etc/internal_options.conf
-chown root:$OSSEC_GROUP $DIRECTORY/etc/shared/*
+chown root:$OSSEC_GROUP $DIRECTORY/etc/client.keys >/dev/null 2>&1 || true
+chown root:$OSSEC_GROUP $DIRECTORY/agentless/*
+chown $OSSEC_USER:$OSSEC_GROUP $DIRECTORY/.ssh
+chown -R root:$OSSEC_GROUP $DIRECTORY/etc/shared
+chown root:$OSSEC_GROUP $DIRECTORY/var/run
+chown root:$OSSEC_GROUP $DIRECTORY/active-response/bin/*
+chown root:$OSSEC_GROUP $DIRECTORY/bin/*
 chown root:$OSSEC_GROUP $DIRECTORY/etc/ossec.conf
 
+# fix perms
+chmod -R 550 $DIRECTORY
+chmod -R 770 $DIRECTORY/queue/alerts
+chmod -R 770 $DIRECTORY/queue/ossec
+chmod -R 750 $DIRECTORY/queue/fts
+chmod -R 750 $DIRECTORY/queue/syscheck
+chmod -R 750 $DIRECTORY/queue/rootcheck
+chmod -R 750 $DIRECTORY/queue/diff
+chmod -R 755 $DIRECTORY/queue/agent-info
+chmod -R 755 $DIRECTORY/queue/rids
+chmod -R 755 $DIRECTORY/queue/agentless
+chmod -R 750 $DIRECTORY/stats
+chmod -R 750 $DIRECTORY/logs
+chmod -R 550 $DIRECTORY/rules
+chmod 770 $DIRECTORY/var/run
+chmod 550 $DIRECTORY/etc
+chmod 440 $DIRECTORY/etc/internal_options.conf
+chmod -R 770 $DIRECTORY/etc/shared
+chmod 700 $DIRECTORY/.ssh
+chmod 755 $DIRECTORY/active-response/bin/*
+chmod 550 $DIRECTORY/bin/*
+chmod 440 $DIRECTORY/etc/ossec.conf
+
+# fixups: no need for execute bits on files there
+find $DIRECTORY/rules -type f -exec chmod ugo-x '{}' ';'
+find $DIRECTORY/etc -type f -exec chmod ugo-x '{}' ';'
+
 # copy timezone and localtime
 if [ -e /etc/timezone ]; then
 cmp -s /etc/timezone $DIRECTORY/etc/timezone || \
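Review bot: `chown $OSSEC_USER:$OSSEC_GROUP $DIRECTORY/.ssh` is added twice in this hunk, once right after the ossec.log chown and again after the agentless chown, so one of the two lines can be dropped. The recursive `chmod -R 750 $DIRECTORY/logs` (and likewise `-R 750 $DIRECTORY/stats`) sets execute bits on the regular files underneath, including the ossec.log this script has just touched, while the "no execute bits" fix-up `find` commands at the bottom only cover rules/ and etc/; extending them with `find $DIRECTORY/logs $DIRECTORY/stats -type f -exec chmod ugo-x '{}' ';'` matches the stated intent. Unlike the client.keys line, the .ssh chown and `chmod 700 $DIRECTORY/.ssh` carry no `|| true`, so if the package does not ship that directory they fail loudly; whether the script runs under `set -e` is not visible here. The timezone `if` at the end of the hunk continues outside it.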